3. Legend and EULA
On one of Moscow's POS terminals a sample of malware from some functioning botnet was found...
Warning: run this file only inside a virtual machine. And it's not a joke.
18. Bot / Components
[Component diagram, labels only: Crypt (Spritz), CMD, Social network, C&C, Datetime, C&C Transport, C, TGA, Social Transport, Hashtag, Key, H, C&C addr, Tweet, Timer, Init, Loader]
19. C&C / Components
[Component diagram, labels only: Crypt (Spritz), Request, Key, CMDC, Response, H, Datetime, TGA, C&C Transport, C]
21. Bot / Commands
• CMD_MAKE_TOKEN
• CMD_GET_CMD
• CMD_MAKE_NOP
• CMD_MAKE_NETWORK_DISCONNECT
• CMD_GET_CONTRIBUTORS
• CMD_GET_MSGBOX // Show a message box
• CMD_GET_PLIST // Get the list of processes
• CMD_GET_CNAME // Get the computer name
• CMD_MAKE_LOAD // Load shellcode
• CMD_MAKE_INJ // Inject shellcode into a process
23. Bot / Protection
[Component diagram, labels only, same layout as slide 18: Crypt (Spritz), CMD, Social network, C&C, Datetime, C&C Transport, C, TGA, Social Transport, Hashtag, Key, H, C&C addr, Tweet, Timer, Init, Loader]
24. Bot / Protection
[Component diagram, labels only, same layout as slide 18, with the protection layers marked: Custom Python (py), Cython (pyx), InitPyx, py2exe bootloader]
39. Cython (Pure C)
cdef long function(long a, long b):
    c = a + b - 0x0A
    return c ^ 0x70

Generated C (names as on the slide; the cdef function becomes a plain C function with no Python object handling):
long __pyx_f_4temp_function(long va, long vb) {
    long vl1, vl2;
    __Pyx_RefNannySetupContext("function", 0);
    vl1 = ((va + vb) - 0x0A);
    vl2 = (vl1 ^ 0x70);
    __Pyx_RefNannyFinishContext();
    return vl2;
}
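As an added triage helper (not from the slides or the challenge binary), this Python scans a file's printable strings for the Cython and py2exe markers named in slides 24 and 39 and demangles __pyx_f_ symbols back into module and function names; the sample bytes and every indicator name except the slide's own __pyx_f_4temp_function are constructed or assumed.

```python
import re

# Constructed sample of the printable strings a py2exe/Cython build leaves in a
# binary: __pyx_f_4temp_function is the symbol from the slide above, the other
# indicator names are assumed.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00__pyx_f_4temp_function\x00"
    b"__Pyx_RefNannySetupContext\x00__pyx_f_7package_6module_helper\x00"
    b"PYTHONSCRIPT\x00python27.dll\x00\x01\x02\x03"
)
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")  # printable runs, like strings(1)
PYX_SYM_RE = re.compile(r"__pyx_f_\w+")      # Cython cdef function symbols

def demangle_pyx(symbol):
    """'__pyx_f_<len><mod>[_<len><sub>...]_<func>' -> ('mod.sub', 'func') or None."""
    if not symbol.startswith("__pyx_f_"):
        return None
    rest, parts = symbol[len("__pyx_f_"):], []
    while (m := re.match(r"\d+", rest)):
        n, start = int(m.group()), m.end()
        name = rest[start:start + n]
        # Every module component is length-prefixed and terminated by '_'.
        if len(name) != n or rest[start + n:start + n + 1] != "_":
            return None
        parts.append(name)
        rest = rest[start + n + 1:]
    if not parts or not rest:
        return None
    return ".".join(parts), rest

def triage(blob):
    """Group indicator strings found in blob by what they point to."""
    hits = {"cython_runtime": [], "cdef_functions": [], "py2exe": []}
    for raw in STRING_RE.findall(blob):
        s = raw.decode("ascii")
        if s.startswith("__Pyx_"):            # Cython runtime helper
            hits["cython_runtime"].append(s)
        for sym in PYX_SYM_RE.findall(s):     # compiled cdef functions
            parsed = demangle_pyx(sym)
            if parsed:
                hits["cdef_functions"].append(parsed)
        if s == "PYTHONSCRIPT" or re.fullmatch(r"python\d+\.dll", s, re.I):
            hits["py2exe"].append(s)          # py2exe resource / runtime DLL
    return hits

if __name__ == "__main__":
    for kind, found in triage(SAMPLE_BINARY).items():
        print(kind, found)
```

Run it against a real sample by replacing SAMPLE_BINARY with the file's bytes; a hit in all three groups is a strong sign of a py2exe-packed, Cython-hardened Python bot like the one in this deck.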
49. Hints (for 4 days)
• Use ntp2d.mcc.ac.uk (UTC+4)
• Dropbox
• PYX
• DGA
• Do not touch C&C !!1
• Good bot-knocking with stable sessions depends on a correct implementation of the protocol
• The flag is NOT in key, .flag, flag.txt, etc.
• Job restrictions, 2 processes only
• Flag format: ZN0x04_{<SHA-256>}
• …