İPUCU

Trojan ve Virüsler Trojan ve Virüsler Hakkında Bilgiler.

Seçenekler

Conficker virüs kodları

11-10-2012 16:36
#1
TWOPAC - ait Kullanıcı Resmi (Avatar)
Üye
Üyelik tarihi:
10/2012
Nereden:
GeLeCeN Mi
Mesajlar:
263
Teşekkür (Etti):
2
Teşekkür (Aldı):
94
Konular:
207
Ticaret:
(0) %
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

typedef union {
int16_t s16[8];
uint16_t u16[8];
int32_t s32[4];
} result_t;

typedef union {
int64_t s64;
int32_t s32[2];
uint32_t u32[2];
int16_t s16[4];
} var_t;

uint32_t portBlacklist[64] =
{
0xffffffff, 0xffffffff, 0xf0f6bfbb, 0xbb5a5ff3,
0xf3977011, 0xeb67bfbf, 0x5f9bfac8, 0x34d88091,
0x1e2282df, 0x573402c4, 0xc0000084, 0x03000209,
0x01600002, 0x00005000, 0x801000c0, 0x00500040,
0x000000a1, 0x01000000, 0x01000000, 0x00022a20,
0x00000080, 0x04000000, 0x40020000, 0x88000000,
0x00000180, 0x00081000, 0x08801900, 0x00800b81,
0x00000280, 0x080002c0, 0x00a80000, 0x00008000,
0x00100040, 0x00100000, 0x00000000, 0x00000000,
0x10000008, 0x00000000, 0x00000000, 0x00000004,
0x00000002, 0x00000000, 0x00040000, 0x00000000,
0x00000000, 0x00000000, 0x00410000, 0x82000000,
0x00000000, 0x00000000, 0x00000001, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000008, 0x80000000
};

#define IS_PORT_BLACKLISTED(x) (1 **** ((x **** 5) & 0x1F)) & portBlacklist[x **** 10]

/* NB: the portgen() function below is endian-dependent, and reverse-engineered
for a little-endian (e.g. x86, VAX, Alpha, etc.) machine. Changes will be
required for the array offsets in the unions to run on a big-endian (e.g. most
SPARC, Power(PC), MIPS, etc.) machine. Other than the endian issue, this
implementaiton should be portable. */

int portgen(int ip, result_t *res, int week)
{
var_t v;
int64_t KONST = 0x15A4E35;
int i;

memset(res, 0, sizeof(result_t));
v.s32[0] = ~ip;

/* Generate fixed ports */
do {
do {
v.s64 = KONST * v.u32[0] + 1;
res->s16[0] ^= v.s16[2];

for (i=1; i < 10; i++) {
v.s64 = KONST * v.u32[0] + 1;
res->s16[(i%2)*2] ^= v.s32[1] **** i;
}

} while (IS_PORT_BLACKLISTED(res->s32[0]));

} while (IS_PORT_BLACKLISTED(res->s32[1]) || res->s32[0] == res->s32[1]);

v.s32[0] = week ^ v.s64;


/* Generate week-dependent ports */
do {
do {
v.s64 = KONST * v.u32[0] + 1;
res->s16[4] ^= v.s16[2];

for (i=1; i < 10; i++) {
v.s64 = KONST * v.u32[0] + 1;
res->s16[(i%2)*2 + 4] ^= v.s32[1] **** i;
}

} while (IS_PORT_BLACKLISTED(res->s32[2]));

} while (IS_PORT_BLACKLISTED(res->s32[3]) || res->s32[2] == res->s32[3] ||
res->s32[0] == res->s32[2] || res->s32[1] == res->s32[2] ||
res->s32[0] == res->s32[3] || res->s32[1] == res->s32[3]);

return v.s64;
}

int main(int argc, char** argv) {
int a1,a3;
result_t res;
int i, rc;

if (argc != 3) {
printf("usage: conficker_ports <ip addr> <epoch week>\n");
exit(0);
}

a1 = inet_addr(argv[1]);
a3 = atoi(argv[2]);

rc=portgen(a1, &res, a3);
printf("ports are TCP (fixed), UDP (fixed), TCP (week-dependent), UDP
(week-dependent)\n");

for (i=0;i<8;i++) {
if (res.u16[i])
printf("%d\t", res.u16[i]);
}
printf("\n");
return 0;
}#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

typedef union {
int16_t s16[8];
uint16_t u16[8];
int32_t s32[4];
} result_t;

typedef union {
int64_t s64;
int32_t s32[2];
uint32_t u32[2];
int16_t s16[4];
} var_t;

uint32_t portBlacklist[64] =
{
0xffffffff, 0xffffffff, 0xf0f6bfbb, 0xbb5a5ff3,
0xf3977011, 0xeb67bfbf, 0x5f9bfac8, 0x34d88091,
0x1e2282df, 0x573402c4, 0xc0000084, 0x03000209,
0x01600002, 0x00005000, 0x801000c0, 0x00500040,
0x000000a1, 0x01000000, 0x01000000, 0x00022a20,
0x00000080, 0x04000000, 0x40020000, 0x88000000,
0x00000180, 0x00081000, 0x08801900, 0x00800b81,
0x00000280, 0x080002c0, 0x00a80000, 0x00008000,
0x00100040, 0x00100000, 0x00000000, 0x00000000,
0x10000008, 0x00000000, 0x00000000, 0x00000004,
0x00000002, 0x00000000, 0x00040000, 0x00000000,
0x00000000, 0x00000000, 0x00410000, 0x82000000,
0x00000000, 0x00000000, 0x00000001, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000008, 0x80000000
};

#define IS_PORT_BLACKLISTED(x) (1 **** ((x **** 5) & 0x1F)) & portBlacklist[x **** 10]

/* NB: the portgen() function below is endian-dependent, and reverse-engineered
for a little-endian (e.g. x86, VAX, Alpha, etc.) machine. Changes will be
required for the array offsets in the unions to run on a big-endian (e.g. most
SPARC, Power(PC), MIPS, etc.) machine. Other than the endian issue, this
implementaiton should be portable. */

int portgen(int ip, result_t *res, int week)
{
var_t v;
int64_t KONST = 0x15A4E35;
int i;

memset(res, 0, sizeof(result_t));
v.s32[0] = ~ip;

/* Generate fixed ports */
do {
do {
v.s64 = KONST * v.u32[0] + 1;
res->s16[0] ^= v.s16[2];

for (i=1; i < 10; i++) {
v.s64 = KONST * v.u32[0] + 1;
res->s16[(i%2)*2] ^= v.s32[1] **** i;
}

} while (IS_PORT_BLACKLISTED(res->s32[0]));

} while (IS_PORT_BLACKLISTED(res->s32[1]) || res->s32[0] == res->s32[1]);

v.s32[0] = week ^ v.s64;


/* Generate week-dependent ports */
do {
do {
v.s64 = KONST * v.u32[0] + 1;
res->s16[4] ^= v.s16[2];

for (i=1; i < 10; i++) {
v.s64 = KONST * v.u32[0] + 1;
res->s16[(i%2)*2 + 4] ^= v.s32[1] **** i;
}

} while (IS_PORT_BLACKLISTED(res->s32[2]));

} while (IS_PORT_BLACKLISTED(res->s32[3]) || res->s32[2] == res->s32[3] ||
res->s32[0] == res->s32[2] || res->s32[1] == res->s32[2] ||
res->s32[0] == res->s32[3] || res->s32[1] == res->s32[3]);

return v.s64;
}

int main(int argc, char** argv) {
int a1,a3;
result_t res;
int i, rc;

if (argc != 3) {
printf("usage: conficker_ports <ip addr> <epoch week>\n");
exit(0);
}

a1 = inet_addr(argv[1]);
a3 = atoi(argv[2]);

rc=portgen(a1, &res, a3);
printf("ports are TCP (fixed), UDP (fixed), TCP (week-dependent), UDP
(week-dependent)\n");

for (i=0;i<8;i++) {
if (res.u16[i])
printf("%d\t", res.u16[i]);
}
printf("\n");
return 0;
}

Conficker_C_P2P_Scanner [-t ms waittime][-v (verbose)] <low-address> <high-address>

low|high-address - specifies the start and end address ranges to be scanned

ex: % Conficker_C_P2P_Scanner 192.168.7.0 192.168.99.255
will scan all addresses in subnets 192.168.[7-99]

v

ddffd++ddtypedef union {
int16_t s16[8];
uint16_t u16[8];
int32_t s32[4];
} result_t;

typedef union {
int64_t s64;
int32_t s32[2];
uint32_t u32[2];
int16_t s16[4];
} var_t;

uint32_t portBlacklist[64] =
{
0xffffffff, 0xffffffff, 0xf0f6bfbb, 0xbb5a5ff3,
0xf3977011, 0xeb67bfbf, 0x5f9bfac8, 0x34d88091,
0x1e2282df, 0x573402c4, 0xc0000084, 0x03000209,
0x01600002, 0x00005000, 0x801000c0, 0x00500040,
0x000000a1, 0x01000000, 0x01000000, 0x00022a20,
0x00000080, 0x04000000, 0x40020000, 0x88000000,
0x00000180, 0x00081000, 0x08801900, 0x00800b81,
0x00000280, 0x080002c0, 0x00a80000, 0x00008000,
0x00100040, 0x00100000, 0x00000000, 0x00000000,
0x10000008, 0x00000000, 0x00000000, 0x00000004,
0x00000002, 0x00000000, 0x00040000, 0x00000000,
0x00000000, 0x00000000, 0x00410000, 0x82000000,
0x00000000, 0x00000000, 0x00000001, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000008, 0x80000000
};

#define IS_PORT_BLACKLISTED(x) (1 **** ((x **** 5) & 0x1F)) & portBlacklist[x **** 10]

/* NB: the portgen() function below is endian-dependent, and reverse-engineered
for a little-endian (e.g. x86, VAX, Alpha, etc.) machine. Changes will be
required for the array offsets in the unions to run on a big-endian (e.g. most
SPARC, Power(PC), MIPS, etc.) machine. Other than the endian issue, this
implementaiton should be portable. */

int portgen(int ip, result_t *res, int week)
{
var_t v;
int64_t KONST = 0x15A4E35;
int i;

memset(res, 0, sizeof(result_t));
v.s32[0] = ~ip;

/* Generate fixed ports */
do {
do {
v.s64 = KONST * v.u32[0] + 1;
res->s16[0] ^= v.s16[2];

for (i=1; i < 10; i++) {
v.s64 = KONST * v.u32[0] + 1;
res->s16[(i%2)*2] ^= v.s32[1] **** i;
}

} while (IS_PORT_BLACKLISTED(res->s32[0]));

} while (IS_PORT_BLACKLISTED(res->s32[1]) || res->s32[0] == res->s32[1]);

v.s32[0] = week ^ v.s64;


/* Generate week-dependent ports */
do {
do {
v.s64 = KONST * v.u32[0] + 1;
res->s16[4] ^= v.s16[2];

for (i=1; i < 10; i++) {
v.s64 = KONST * v.u32[0] + 1;
res->s16[(i%2)*2 + 4] ^= v.s32[1] **** i;
}

} while (IS_PORT_BLACKLISTED(res->s32[2]));

} while (IS_PORT_BLACKLISTED(res->s32[3]) || res->s32[2] == res->s32[3] ||
res->s32[0] == res->s32[2] || res->s32[1] == res->s32[2] ||
res->s32[0] == res->s32[3] || res->s32[1] == res->s32[3]);

return v.s64;
}

int main(int argc, char** argv) {
int a1,a3;
result_t res;
int i, rc;

if (argc != 3) {
printf("usage: conficker_ports <ip addr> <epoch week>\n");
exit(0);
}

a1 = inet_addr(argv[1]);
a3 = atoi(argv[2]);

rc=portgen(a1, &res, a3);
printf("ports are TCP (fixed), UDP (fixed), TCP (week-dependent), UDP
(week-dependent)\n");

for (i=0;i<8;i++) {
if (res.u16[i])
printf("%d\t", res.u16[i]);
}
printf("\n");
return 0;
}
Amaterus Teşekkür etti.

05-05-2017 21:16
#2
CYANİD - ait Kullanıcı Resmi (Avatar)
Üye
Üyelik tarihi:
01/2015
Nereden:
Nereye
Yaş:
19
Mesajlar:
981
Teşekkür (Etti):
427
Teşekkür (Aldı):
137
Konular:
65
Ticaret:
(0) %
bunu nerden buldugunu sorabilirmiyim
Kullanıcı İmzası
Soru ve Sorunlarınız için
Telegram: +1 (916) 573-5505
05-05-2017 21:30
#3
ChappieZ50 - ait Kullanıcı Resmi (Avatar)
Üye
Üyelik tarihi:
03/2017
Mesajlar:
166
Teşekkür (Etti):
39
Teşekkür (Aldı):
5
Konular:
18
Ticaret:
(0) %
Hocam CODE içine ekleyebilirmisiniz ?
Kullanıcı İmzası
Ahmak olmasaydı insan Bütün savaşlar dostça kazanılırdı

Bookmarks


« Önceki Konu | Sonraki Konu »
Seçenekler

Yetkileriniz
Sizin Yeni Konu Acma Yetkiniz var yok
You may not post replies
Sizin eklenti yükleme yetkiniz yok
You may not edit your posts

BB code is Açık
Smileler Açık
[IMG] Kodları Açık
HTML-Kodları Kapalı
Trackbacks are Kapalı
Pingbacks are Kapalı
Refbacks are Kapalı