Details on the threat Trojan.DnsAmp.1

August 14, 2014

Russian anti-virus company Doctor Web is providing the public with a detailed description of Trojan.DnsAmp.1.

Trojan.DnsAmp.1 was designed by Chinese virus makers to carry out DDoS attacks. The Trojan is a Windows port of the Linux.DnsAmp program, which Doctor Web described in a related review in May 2014. It incorporates a dropper that places a malicious file on the hard drive of the infected computer, together with several other files, one of which bears the Trojan's main payload. Trojan.DnsAmp.1 can carry out several types of DDoS attacks, including Syn Flood, UDP Flood, Ping Flood and HTTP Get Flood, and can also download and run other malicious programs on the infected PC.

Dropper

The dropper reads 0x90 bytes from the end of its own file and decrypts them using the RC4 algorithm with the key {F918FE01-164A-4e62-9954-EDC8C3964C1B}. The decoded data is organised as follows:

struct DROP_INFO
{
    char szFirstDrop[0x40]; // Name of the first file
    DWORD dwFirstDropData; // Offset to the first file
    DWORD dwFirstDropSize; // Size of the first file
    char szSecondDrop[0x40]; // Name of the second file
    DWORD dwSecondDropData; // Offset to the second file
    DWORD dwSecondDropSize; // Size of the second file
}

File data is located at offsets dwSecondDropData - dwFirstDropData and Filesize + 0x90 - dwSecondDropData. The dropper then uses the RC4 algorithm with the key {E5A42E7E-8130-4f46-BECC-7E43235496A6} to decrypt the first file and the key {ADAB6D32-3994-40e2-8C18-2F226306408C} to decrypt the second. Both files are saved in the folder %TEMP% and launched.

One of the files is Trojan.DnsAmp.1 itself.
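The following is an added example, not Doctor Web's code, showing how an analyst can recover the two embedded files from a dropper built as described above: decrypt the 0x90-byte trailer with RC4, unpack DROP_INFO, then decrypt each file with its own key. It assumes the offset and size fields are relative to the start of the file, and the sample blob it builds (stub, file contents and file names) is constructed here for illustration only.

```python
import struct

# Keys quoted in the write-up; the trailer is sizeof(DROP_INFO) = 0x40 + 4 + 4 + 0x40 + 4 + 4 bytes
TRAILER_KEY = b"{F918FE01-164A-4e62-9954-EDC8C3964C1B}"
FIRST_KEY = b"{E5A42E7E-8130-4f46-BECC-7E43235496A6}"
SECOND_KEY = b"{ADAB6D32-3994-40e2-8C18-2F226306408C}"
TRAILER_LEN = 0x90
DROP_INFO_FMT = "<64sII64sII"   # szFirstDrop, dwFirstDropData, dwFirstDropSize, szSecondDrop, ...


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_drop_info(blob: bytes) -> dict:
    """Decrypt the last 0x90 bytes of the dropper and unpack DROP_INFO."""
    info = rc4(TRAILER_KEY, blob[-TRAILER_LEN:])
    n1, off1, sz1, n2, off2, sz2 = struct.unpack(DROP_INFO_FMT, info)
    return {"first": (n1.split(b"\0")[0].decode(), off1, sz1),
            "second": (n2.split(b"\0")[0].decode(), off2, sz2)}


def extract_files(blob: bytes) -> dict:
    """Return {file name: decrypted content} for both embedded files."""
    keys = {"first": FIRST_KEY, "second": SECOND_KEY}
    return {name: rc4(keys[slot], blob[off:off + size])
            for slot, (name, off, size) in parse_drop_info(blob).items()}


def build_sample_dropper(stub: bytes, f1: bytes, f2: bytes) -> bytes:
    """Constructed test input (not a real sample): stub | enc(f1) | enc(f2) | enc(DROP_INFO)."""
    off1, off2 = len(stub), len(stub) + len(f1)
    info = struct.pack(DROP_INFO_FMT, b"first.exe", off1, len(f1), b"second.exe", off2, len(f2))
    return stub + rc4(FIRST_KEY, f1) + rc4(SECOND_KEY, f2) + rc4(TRAILER_KEY, info)
```

Run extract_files() on a real dropper only after confirming the trailer decrypts to printable file names; a wrong key or a different build produces garbage offsets rather than an error.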

Installation

The malware installs itself in the system as an automatically started service named Windows Test My Test Server 1.0; the Trojan's executable is copied into the folder %System32% as vmware-vmx.exe. Once launched, it checks the current date: if the date is earlier than 02.21.2013, the Trojan remains idle.

Malicious payload

The Trojan connects to two command and control servers and sends them the information it has collected about the system. If the infected computer is running Windows 7 or Windows NT, the data is laid out according to the template PC_INFO_WIN7; for other versions of Windows it follows the template PC_INFO.

struct PC_INFO
{
    DWORD signature;      // "UU\t"
    char szOSVersion[16]; // OS version
    DWORD dwSpuSpeed;     // CPU speed in MHz
    BYTE dummy[492];      // Zeros
}

struct PC_INFO_WIN7
{
    DWORD signature;      // "UU\t"
    char szOSVersion[16]; // OS version
    BYTE dummy[48];       // Zeros
    DWORD dwSpuSpeed;     // CPU speed in MHz
    BYTE dummy1[444];     // Zeros
}

szOSVersion can take one of the following strings as a value:

Windows NT
Windows 7
Windows Server 2008
Windows Vista
Windows Server 2003
Windows XP
Windows Server 2000

Information about the number of bytes transferred via the network interfaces is sent to the server via a separate thread. The data sent via this thread is structured as follows:

struct PC_INFO_NETWORK_DATA
{
    DWORD signature;      // "??\b"
    DWORD dwPacketsCount; // Bytes transferred
    BYTE dummy[508];      // Zeros
}

After sending the data, the Trojan waits for commands from the command and control server; among other things, these commands let it download and run other malicious applications. Received packets have the following structure:

struct CMD_PACKET
{
    DWORD Cmd;           // Command
    BYTE Parameter[512]; // Command parameter
}
There are three commands:

Cmd        Command                        Comment
0x88       Start a DDoS attack
0x9A       Stop a DDoS attack             Reset DDoS attack status
0x77798    Download and launch the file

When commanded to start a DDoS attack, the Trojan checks the current attack status: if an attack is already in progress, the command is ignored.

The DDoS start command parameter is structured as follows:

struct DDOS_PARAMS
{
    char szHost;          // C-string containing the target IP address for the attack
    DWORD dummy[95];      // Zeros
    WORD wPort;           // Port on the target host against which the attack is mounted
    WORD dummy2;          // Zeros
    DWORD dwDuration;     // DDoS attack duration in seconds
    DWORD dwThreadsCount; // Number of threads involved in the DDoS attack
    DWORD dwType;         // DDoS attack type
    DWORD dwFlag;         // Additional parameter whose meaning depends on the attack type
}

Supported types of attacks

Cmd        Attack type
0x01       Syn Flood
0x02       Syn Flood
0x03       UDP Flood
0x04       Ping Flood
0x05       HTTP Get Flood

When porting the Linux Trojan to Windows, its authors discarded DNS Amplification attacks in favour of HTTP Get Flood.

File Downloads

To download files, the Trojan loads urlmon.dll into memory and resolves the address of the URLDownloadToFileA function. The download URL is located at offset zero of the CMD_PACKET Parameter field.

A file is downloaded into the directory %TEMP%. The file name is generated as follows:

DWORD GetRnd(DWORD modulus)
{
    DWORD dwTicks = GetTickCount();
    return dwTicks * (rand() + 3) % modulus; // value in [0, modulus)
}
...
// Each GetRnd(26) + 97 yields one lowercase letter 'a'..'z'
dwRnd0 = GetRnd(26u) + 97;
dwRnd1 = GetRnd(26u) + 97;
dwRnd2 = GetRnd(26u) + 97;
dwRnd3 = GetRnd(26u) + 97;
dwRnd4 = GetRnd(26u) + 97;
wsprintfA(szFileName, "%c%c%c%c%c.exe", dwRnd4, dwRnd3, dwRnd2, dwRnd1, dwRnd0);
strcat(szTmpDir, szFileName); // file name appended to the %TEMP% path
