A light-weight SYN DoS tool, made in China, was found; it called itself "Bangsyn".
Without a command line argument it will display the "help", this is why I call it Linux/Bangsyn:
mov rax, [rbp+var_70]
mov rdx, [rax]
mov eax, offset format ;<=== "syntax: ./bangsyn ip port time \n"
mov rsi, rdx
mov rdi, rax ; format
mov eax, 0
call _printf
mov edi, 0 ; status
call _exit

The source code also implied the same name:

0x0027B1 bangsyn.c

This GLIBC_2.2.5 built (on Red Hat GCC compiler) x64 binary was found in a custom panel together with the Linux/BillGates samples:
(thx to @benkow for the panel hint) As you can see the size is small.
It is fed by args for a domain or IP, which it translates by itself, and calls the DoS SYN function once the conditions are okay:
//// Prep the host to nuke..
0x0400FBD push rbp
0x0400FBE mov rbp, rsp
0x0400FC1 sub rsp, 20h
0x0400FC5 mov [rbp+name], rdi // host
0x0400FC9 mov rax, [rbp+name]
0x0400FCD mov rdi, rax // cp
0x0400FD0 call _inet_addr // struct in_addr inet_makeaddr(int net, int host);
0x0400FD5 mov cs:i_4841, eax
0x0400FDB mov eax, cs:i_4841
0x0400FE1 cmp eax, 0FFFFF
(...)
0x0400FE6 mov rax, [rbp+name]
0x0400FEA mov rdi, rax // name
0x0400FED call _gethostbynam // the domain lookup using OS layer
//// Confirming the target, time & packet sent
0x0400B57 mov edi, offset s // ref: "\nsantong syn: " (in chinese)
0x0400B5C call _puts
0x0400B61 mov rax, [rbp+var_70]
0x0400B65 add rax, 8
0x0400B69 mov rdx, [rax]
0x0400B6C mov eax, offset aIpS //<==="IP: %s\n"
0x0400B71 mov rsi, rdx
0x0400B74 mov rdi, rax // format buffer
0x0400B77 mov eax, 0
0x0400B7C call _printf
0x0400B81 movzx edx, [rbp+var_28]
0x0400B85 mov eax, offset aPortU // <=== "Port: %u\n"
0x0400B8A mov esi, edx
0x0400B8C mov rdi, rax // format buffer
0x0400B8F mov eax, 0
0x0400B94 call _printf
0x0400B99 mov eax, offset aSecondsD // <=="Seconds: %d\n\n"
0x0400B9E mov edx, [rbp+var_24]
0x0400BA1 mov esi, edx
0x0400BA3 mov rdi, rax // format buffer
0x0400BA6 mov eax, 0
0x0400BAB call _printf
(...)
0x0400CBC call dosynpacket // <===The SYN DOS is called here..
(...)
0x0400D0F mov eax, offset aPacketsSentD // "\nPackets Sent: %d \n"

The function to SYN flood, "dosynpacket()", is self-explanatory.
The VirusTotal detection is, well, it is a new malware anyway, so it is.. zero:
https://www.virustotal.com/en/file/70be ... 412840932/
Easy detection and ID is by using the strings below:

0x001178 syntax: ./bangsyn ip port time
0x00119A santong syn:
0x0011A8 IP: %s
0x0011B0 Port: %u
0x0011BA Seconds: %d
0x0011C8 %d.%d.%d.%d
0x0011D5 Packets Sent: %d
0x0011E8 socket
0x0011EF cant find %s!
0x0027B1 bangsyn.c
Attachments
7z/infected
(3.58 KiB) Downloaded 73 times
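As an added example (not the post's or the tool's own code), a small Python scanner that turns the strings dump above into a detection check: it requires a 64-bit ELF image plus at least two of the distinctive strings, and counts the generic printf formats only as supporting evidence. The two file images it ships with are constructed inline, not real samples.

```python
import sys

# Indicator strings copied from the post's strings dump (offsets omitted). The
# "syntax" banner, the odd "cant find %s!" and the source file name are the
# distinctive ones; the rest are common printf formats, supporting only.
STRONG_STRINGS = [
    b"syntax: ./bangsyn ip port time",
    b"santong syn:",
    b"Packets Sent: %d",
    b"cant find %s!",
    b"bangsyn.c",
]
WEAK_STRINGS = [b"IP: %s", b"Port: %u", b"Seconds: %d", b"%d.%d.%d.%d"]


def match_bangsyn(data: bytes, min_strong: int = 2) -> dict:
    """Flag a file image as Bangsyn-like: ELF64 plus >= min_strong strong strings."""
    strong = [s.decode() for s in STRONG_STRINGS if s in data]
    weak = [s.decode() for s in WEAK_STRINGS if s in data]
    # e_ident: magic "\x7fELF", then EI_CLASS == 2 (ELFCLASS64) at offset 4.
    is_elf64 = data[:4] == b"\x7fELF" and len(data) > 4 and data[4] == 2
    return {
        "elf64": is_elf64,
        "strong": strong,
        "weak": weak,
        "match": is_elf64 and len(strong) >= min_strong,
    }


# Constructed test images (not real samples): a fake ELF64 e_ident followed by
# NUL-separated strings, mimicking what `strings` would see in a binary.
ELF64_HDR = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
SAMPLE_BANGSYN = ELF64_HDR + b"\x00".join([
    b"syntax: ./bangsyn ip port time \n", b"santong syn: ", b"IP: %s\n",
    b"Port: %u\n", b"Packets Sent: %d \n", b"cant find %s!", b"bangsyn.c"])
SAMPLE_BENIGN = ELF64_HDR + b"\x00".join([b"IP: %s\n", b"Port: %u\n", b"usage: ./tool"])


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return match_bangsyn(fh.read())


if __name__ == "__main__":
    # With no paths given, run the scanner over the constructed images.
    targets = sys.argv[1:]
    results = [(p, scan_file(p)) for p in targets] or [
        ("constructed-bangsyn", match_bangsyn(SAMPLE_BANGSYN)),
        ("constructed-benign", match_bangsyn(SAMPLE_BENIGN))]
    for name, r in results:
        print(f"{name}: match={r['match']} strong={r['strong']} weak={r['weak']}")
```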