
assignment5Revised-1

Homework Assignment 5
NOTE: only open this virus within your Kali Linux node!!!
Virus: VirusShare_fff0e0474486855131a4c2248d61ee67.gz
This assignment works with a live virus taken from VirusShare.com, which we have been reviewing in
class. Please identify and answer the following questions:
1) On what line is the entry point?
The entry point is at address 000081d0, where the main function starts. The first line of the main
function references address 0000d448.
2) What does the function SendHTTP do within this code?
It first declares a number of local variables: a time_t called tVar1; ints iVar2, local_20, local_1c and
local_18; a pid_t (Var3 in the decompiler output); a size_t n; and undefined variables uStack545 and
local_14. It uses the current time as a seed, storing the current time in tVar1 and setting local_18 to
that time plus a parameter passed into the function (so effectively a random integer). It then sets
local_14 and local_1c to 0. Next it formats "%s %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\nConnection:
close\r\n\r\n" into a stack buffer (the four %s slots are the request method, the path, the Host header
and the User-Agent header, i.e. a complete minimal HTTP/1.1 request) and forks a child process, storing
the child PID in Var3. It then creates a socket and connects it using two of the parameters passed into
the function (the target host and port), and if the socket is active, it reads and writes using the
local_20 variable, which holds the formatted "%s %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\nConnection:
close\r\n\r\n" request. I'm assuming the purpose of the function is to connect to an outside host.
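The format string above is the most useful artifact in SendHTTP: it yields a full request line plus exactly three headers (Host, User-Agent, Connection: close) and nothing else, which is the shape of a request-flooding routine rather than of any real browser or HTTP library. The following is an added example (not code from the sample or the assignment) that rebuilds the bot's request bytes with the same format string and then runs a shape check over constructed captured requests; the request values, host names and the browser request are made up for the demonstration.

```python
# Added example (not code from the sample or the assignment): rebuild the request that
# SendHTTP formats, and flag captured requests that have exactly that shape.
import re
from typing import List, Optional

# Format string copied from the decompiled SendHTTP; %s = method, path, host, user-agent.
SENDHTTP_FMT = "%s %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\nConnection: close\r\n\r\n"


def build_request(method: str, path: str, host: str, user_agent: str) -> bytes:
    """Produce the exact bytes the bot writes to its socket (C sprintf semantics)."""
    return (SENDHTTP_FMT % (method, path, host, user_agent)).encode()


# The bot emits the request line, three headers and the blank line, and nothing else:
# no Accept, no Accept-Encoding, no Cookie. Browsers and HTTP libraries always add more.
_SHAPE = re.compile(
    rb"\A(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.1\r\n"
    rb"Host: (?P<host>[^\r\n]*)\r\n"
    rb"User-Agent: (?P<ua>[^\r\n]*)\r\n"
    rb"Connection: close\r\n\r\n\Z"
)


def matches_sendhttp_shape(raw: bytes) -> Optional[dict]:
    """Return the parsed fields if `raw` is byte-for-byte in SendHTTP's layout, else None."""
    m = _SHAPE.match(raw)
    if m is None:
        return None
    return {k: v.decode(errors="replace") for k, v in m.groupdict().items()}


def scan_requests(requests: List[bytes]) -> List[dict]:
    """Run the shape check over a list of captured request payloads."""
    hits = []
    for i, raw in enumerate(requests):
        fields = matches_sendhttp_shape(raw)
        if fields is not None:
            hits.append({"index": i, **fields})
    return hits


# Constructed sample traffic: one request exactly as the bot builds it, one from a browser.
BOT_REQUEST = build_request("GET", "/", "target.example", "Mozilla/5.0")
BROWSER_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: target.example\r\nUser-Agent: Mozilla/5.0\r\n"
    b"Accept: text/html\r\nAccept-Encoding: gzip\r\nConnection: keep-alive\r\n\r\n"
)

if __name__ == "__main__":
    for hit in scan_requests([BOT_REQUEST, BROWSER_REQUEST]):
        print(f"request #{hit['index']} matches SendHTTP layout: "
              f"{hit['method']} {hit['path']} -> {hit['host']}")
```

The check is deliberately strict (anchored at both ends, fixed header order) because the bot's output is fixed by the format string; a looser rule would start matching minimal curl-style requests. The user-agent is not a usable indicator, since it is one of the %s arguments and therefore attacker-chosen.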
3) What is the original language that the program is written in and how can you tell?
I think the program was originally written in C; the decompiler in Ghidra output C code, which is how
I can tell, but it could be different.
4) What do the functions within the open do?
It takes a pointer called __file and an int called oflag. It then defines an integer pointer called
piVar1 and issues a system call through a software interrupt. I found what the next function does: it
returns (int *)&errno;, but I couldn't figure out what the address for errno was. The result of that
function (__GI___errno_location, the one that returns the pointer I just described) is assigned to
piVar1, and the value -(int)__file is stored through that pointer. It then sets __file to 0xffffffff
and returns it. Read as signed 32-bit, 0xffffffff is -1 rather than an address: this is the standard
glibc syscall-wrapper error path, which glibc takes only when the raw syscall returned a negative error
code, storing the negated code in errno and returning -1 to the caller.
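As an added example (not code from the sample or the assignment), the model below implements the convention the decompiled wrapper tail follows (negate the raw result into errno, return -1) and compares it with the real open(2) result reported by the operating system. The MAX_ERRNO bound and the nonexistent path are assumptions for the demonstration; the u32_to_int helper shows why Ghidra's 0xffffffff is -1.

```python
# Added example (not from the sample): the errno / -1 convention the decompiled open()
# wrapper implements, plus a comparison against the real operating-system behaviour.
import errno
import os
from typing import Tuple

MAX_ERRNO = 4095  # Linux convention: raw results in [-4095, -1] are negated errno values


def u32_to_int(value: int) -> int:
    """Interpret a 32-bit value as the ARM code does; 0xffffffff is -1, not an address."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def libc_wrap(raw: int) -> Tuple[int, int]:
    """Model of the glibc wrapper tail: (value returned to caller, errno to store).

    Mirrors the decompiled sequence *__errno_location() = -(int)raw; raw = 0xffffffff;
    return raw; glibc only takes this path when raw is a negative error code.
    """
    raw = u32_to_int(raw)
    if -MAX_ERRNO <= raw < 0:
        return -1, -raw
    return raw, 0  # success: the file descriptor passes through unchanged


def open_like_glibc(path: str, flags: int = os.O_RDONLY) -> Tuple[int, int]:
    """Real open(2) via the OS, reported in the same (fd, errno) form for comparison."""
    try:
        fd = os.open(path, flags)
        os.close(fd)
        return fd, 0
    except OSError as exc:
        return -1, exc.errno


def describe(raw: int) -> str:
    """Human-readable rendering of what the wrapper does with one raw syscall result."""
    ret, err = libc_wrap(raw)
    text = f"raw={raw:#x} -> return {ret}"
    if err:
        text += f", errno={err} ({errno.errorcode.get(err, '?')})"
    return text


if __name__ == "__main__":
    print(describe(0xFFFFFFFE))  # the kernel returned -ENOENT
    print(describe(3))           # a valid descriptor is returned as-is
    print(open_like_glibc("/definitely/not/here"))  # assumed nonexistent path
```

Running it on Linux shows libc_wrap(0xFFFFFFFE) and the real os.open of a missing path agree: both give -1 with errno 2 (ENOENT).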
5) What does the _call_via_r[1-9] do?
I couldn't exactly figure this one out either; all of the functions [1-9] are void functions that call
(*(code *)UNRECOVERED_JUMPTABLE)(), but I have no clue what UNRECOVERED_JUMPTABLE is.
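For context on this question: _call_via_rN are not part of the malware author's code. They are the ARM/Thumb interworking veneers that libgcc links into Thumb-1 binaries, each one a two-byte `bx rN` (followed by a nop) so that code which cannot use `blx <register>` can still call through a register; Ghidra shows the body as `(*(code *)UNRECOVERED_JUMPTABLE)()` because the call target lives in a register and cannot be resolved statically. The example below is added here (not from the sample or the assignment) and recognises those veneer bodies in a constructed Thumb code blob; the blob, its base address and the padding nop are assumptions for the demonstration.

```python
# Added example (not from the sample): recognise the 2-byte Thumb `bx rN` bodies that
# libgcc's _call_via_rN veneers consist of, scanning a constructed byte blob.
from typing import Dict, Optional

REG_NAMES = [f"r{i}" for i in range(13)] + ["sp", "lr", "pc"]
THUMB_NOP = 0x46C0  # `mov r8, r8`, the Thumb-1 nop that pads each veneer (assumed layout)


def decode_thumb_bx(halfword: int) -> Optional[int]:
    """Return Rm if `halfword` encodes Thumb BX Rm (bits 010001110 Rm 000), else None."""
    if halfword & 0xFF87 != 0x4700:
        return None
    return (halfword >> 3) & 0xF


def veneer_name(code: bytes) -> Optional[str]:
    """Name a function body if its first halfword is `bx rN`, using libgcc's symbol scheme."""
    if len(code) < 2:
        return None
    reg = decode_thumb_bx(int.from_bytes(code[:2], "little"))
    if reg is None:
        return None
    return f"_call_via_{REG_NAMES[reg]}"


def find_call_via_veneers(blob: bytes, base: int) -> Dict[int, str]:
    """Scan halfword-aligned offsets; map address -> veneer name for each `bx rN; nop` pair."""
    found: Dict[int, str] = {}
    for off in range(0, len(blob) - 3, 2):
        name = veneer_name(blob[off:off + 2])
        if name and int.from_bytes(blob[off + 2:off + 4], "little") == THUMB_NOP:
            found[base + off] = name
    return found


def encode_call_via(reg: int) -> bytes:
    """Assemble `bx rN; nop` as libgcc lays it out (used here only to build sample data)."""
    return (0x4700 | (reg << 3)).to_bytes(2, "little") + THUMB_NOP.to_bytes(2, "little")


# Constructed sample: nine consecutive veneers for r1..r9, the same set the question lists.
SAMPLE_BLOB = b"".join(encode_call_via(r) for r in range(1, 10))
SAMPLE_BASE = 0x8000  # arbitrary; real addresses come from the binary

if __name__ == "__main__":
    for addr, name in sorted(find_call_via_veneers(SAMPLE_BLOB, SAMPLE_BASE).items()):
        print(f"{addr:08x}  {name}")
```

When you see these stubs in a Ghidra listing, the analysis target is the caller: whatever it loaded into rN before `bl _call_via_rN` is the real function being invoked.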
Essay
Please explain in detail what this program does?
After a while of analyzing the code, I've realized that the main payload of the code is to connect to
URLs/IPs. It executes a backdoor routine in which it kills processes, gets the PIDs of specific processes,
sends random bytes, sends strings mocking the victim, somehow checks for Huawei devices, and ultimately
performs a DDoS attack using LDAP and SSDP. It also tries to brute-force logins with predefined
credentials such as admin/password.
How can this kind of program be detected?
Windows Defender already recognizes the hash value of this sample, so downloading it accidentally from a
website onto a Windows machine isn't going to infect it: Windows quarantines it immediately. (The sample
itself is a Linux binary, which is why the assignment confines it to the Kali Linux node; the dropped
files keksec.x86 and keksec.mips are builds for different CPU architectures.) Beyond a hash match, you
would have to notice packets leaving and entering the host that shouldn't be, especially connections to
the URLs/IPs hardcoded in the code and the LDAP and SSDP traffic of the DDoS routine. Any anti-malware
program should be capable of dealing with this sample. On an infected host the dropped files may be
found under /tmp/keksec.x86 or /tmp/bins/keksec.mips.
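As an added host-side check (not code from the sample or the assignment), the sweep below looks for the two dropped-file locations named above and reports whether each hit carries an ELF header. The directory names and file prefix come from this page; the ELF check, the fixture builder and the sample tree it creates are assumptions made for the demonstration.

```python
# Added example (not from the sample or the assignment): sweep a filesystem root for the
# dropped-file indicators named on the page (/tmp/keksec.x86, /tmp/bins/keksec.mips).
import os
import tempfile
from typing import List, Tuple

IOC_DIRS = ("tmp", os.path.join("tmp", "bins"))  # relative to the scanned root
IOC_PREFIX = "keksec."                           # keksec.x86, keksec.mips, ...
ELF_MAGIC = b"\x7fELF"                           # assumption: a dropped bot is an ELF file


def is_elf(path: str) -> bool:
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def find_dropped_bots(root: str = "/") -> List[Tuple[str, bool]]:
    """Return (path, is_elf) for every keksec.* regular file in root/tmp and root/tmp/bins."""
    hits: List[Tuple[str, bool]] = []
    for rel in IOC_DIRS:
        directory = os.path.join(root, rel)
        try:
            names = os.listdir(directory)
        except OSError:
            continue  # directory absent or unreadable: nothing to report here
        for name in sorted(names):
            if name.startswith(IOC_PREFIX):
                full = os.path.join(directory, name)
                if os.path.isfile(full):
                    hits.append((full, is_elf(full)))
    return hits


def build_fixture(base: str) -> str:
    """Create a constructed tree with one fake dropped file and one unrelated file."""
    os.makedirs(os.path.join(base, "tmp", "bins"), exist_ok=True)
    with open(os.path.join(base, "tmp", "bins", "keksec.mips"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9)  # start of an ELF header only
    with open(os.path.join(base, "tmp", "notes.txt"), "w") as fh:
        fh.write("unrelated\n")
    return base


def demo() -> List[Tuple[str, bool]]:
    """Run the sweep against the constructed tree; paths returned relative, '/'-separated."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return [(os.path.relpath(p, tmp).replace(os.sep, "/"), elf)
                for p, elf in find_dropped_bots(tmp)]


if __name__ == "__main__":
    for path, elf in demo():
        print(f"fixture hit: {path}  elf={elf}")
    for path, elf in find_dropped_bots("/"):  # the live host
        print(f"LIVE HIT: {path}  elf={elf}")
```

A clean host prints only the fixture line. File names are a weak indicator on their own (the bot can be renamed), so pair this with the network observations above rather than relying on it alone.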
How can this program go un-detected?
It kills competing processes and could easily hide by using stale certificates or by running under
another process name. For Linux bots of this kind the common tactic is to rename the running process so
it looks like a system daemon in ps output (the Linux counterpart of disguising a Windows process under
an official Microsoft service name). That is not the same as undetectable: the process still owns its
sockets, its traffic still leaves the host, and the dropped files in /tmp remain on disk.
Bonus:
What is the end URL where data is sent?
This is what I found online (not in the code):
http://{BLOCKED}.{BLOCKED}.133.119/bins/keksec.x86
{BLOCKED}.{BLOCKED}.147.211