Targeting the Internet of Things, a new variant of the "Gafgyt" Trojan appears
Recently, Huorong Security Lab detected a virus intrusion incident; after investigation and analysis it was confirmed to be a new variant of the Gafgyt Trojan.
Gafgyt is an IoT botnet program based on the IRC protocol. It mainly infects Linux-based IoT devices to launch distributed denial-of-service (DDoS) attacks, and is the largest IoT botnet family after the Mirai family.
After its source code was leaked and uploaded to GitHub in 2015, variants and exploits appeared one after another, posing a serious security threat to users. Huorong security products can currently intercept and remove the viruses described above; enterprise users should update their virus databases in time for protection.
1. Sample analysis
The virus first changes its own process name to "/usr/sbin/dropbear" or "sshd" to hide itself:
process rename
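A process that rewrites its name (via argv[0] or the comm field) still has its real binary behind /proc/<pid>/exe, which is the property a defender can check. The following is an added example, not code from Huorong's report: it flags processes that claim to be dropbear or sshd while their executable resolves somewhere else. The set of legitimate binary paths is an assumption of this example and should be adapted to the firmware or distribution being inspected; the sample records are constructed.

```python
"""Flag processes whose reported name claims to be dropbear/sshd but whose
executable path does not match the legitimate binary locations.

Added example; not code from Huorong's report. The expected paths are an
assumption of this example and should be adapted to the target system.
"""
import os

# Assumption: where the genuine binaries live on a typical embedded Linux box.
LEGIT_PATHS = {
    "dropbear": {"/usr/sbin/dropbear", "/usr/bin/dropbear", "/sbin/dropbear"},
    "sshd": {"/usr/sbin/sshd", "/usr/bin/sshd"},
}


def is_masquerading(comm, exe, cmdline):
    """Return True if a process named `comm` (or with argv[0] from `cmdline`)
    claims to be dropbear/sshd but its /proc/<pid>/exe target lies elsewhere."""
    argv0 = cmdline.split("\0")[0] if cmdline else ""
    claimed = None
    for name in LEGIT_PATHS:
        if comm == name or os.path.basename(argv0) == name:
            claimed = name
            break
    if claimed is None:
        return False
    # /proc/<pid>/exe still resolves to the real file after an argv/comm rewrite.
    return exe not in LEGIT_PATHS[claimed]


def scan_proc(proc="/proc"):
    """Walk a live /proc tree and return [(pid, comm, exe)] of suspects.
    Reading /proc/<pid>/exe of other users' processes requires root."""
    hits = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().decode(errors="replace")
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # process exited, or not readable
        exe = exe.replace(" (deleted)", "")  # self-deleting droppers show this suffix
        if is_masquerading(comm, exe, cmdline):
            hits.append((int(pid), comm, exe))
    return hits


# Constructed (comm, exe, cmdline) records, not data from the report.
SAMPLE = [
    ("dropbear", "/usr/sbin/dropbear", "/usr/sbin/dropbear\0-p\x0022\0"),
    ("sshd", "/tmp/.x/x86", "sshd\0"),
    ("dropbear", "/var/run/.a", "/usr/sbin/dropbear\0"),
    ("busybox", "/bin/busybox", "busybox\0sh\0"),
]


def classify_sample(records=SAMPLE):
    """Apply the check to the constructed records; used by the demo below."""
    return [is_masquerading(c, e, l) for c, e, l in records]


if __name__ == "__main__":
    for rec, flag in zip(SAMPLE, classify_sample()):
        print("SUSPECT" if flag else "ok     ", rec[0], rec[1])
```

The second and third records are the interesting ones: the name matches a legitimate daemon but the binary lives under /tmp or /var/run, which is exactly what the rename described above produces. `scan_proc()` runs the same check over a live system.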
Encrypted strings are present in the sample, and the decryption algorithm is a byte-wise XOR with 0xDEDEFFBA. Each string is decrypted separately only when it is used, and only 4 of them are actually referenced:
Encrypted strings and decryption algorithm
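An analyst usually wants to recover all of the obfuscated strings statically, not just the four the code references at runtime. The block below is an added example and not code from the report: it implements the XOR decryption with the key 0xDEDEFFBA stated above. The report does not spell out how the four key bytes are applied to the byte stream, so two layouts seen in the Gafgyt/Mirai lineage are implemented and both are assumptions: a repeating 4-byte key, and the Mirai-style "fold" in which each byte is XORed with every key byte in turn. The plaintext used for the demonstration is constructed.

```python
"""Recover XOR-obfuscated strings given the key 0xDEDEFFBA.

Added example; not from the report. How the 4-byte key is applied is not
stated there, so two common layouts are offered (both assumptions):
  - "repeat": key bytes cycle over the data (little-endian byte order)
  - "fold":   each byte is XORed with all four key bytes, which collapses
              to a single XOR with k0^k1^k2^k3 (Mirai-style table key)
"""
KEY = 0xDEDEFFBA


def key_bytes(key=KEY):
    # Little-endian: the order a C program sees the uint32 in memory.
    return key.to_bytes(4, "little")


def xor_repeat(data, key=KEY):
    kb = key_bytes(key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


def xor_fold(data, key=KEY):
    k = 0
    for kb in key_bytes(key):
        k ^= kb
    return bytes(b ^ k for b in data)


SCHEMES = {"repeat": xor_repeat, "fold": xor_fold}


def decrypt(blob, scheme="repeat", key=KEY):
    """XOR is an involution, so the same routine encrypts and decrypts.
    Strings are NUL-terminated in the binary, so cut at the first NUL."""
    out = SCHEMES[scheme](blob, key)
    end = out.find(b"\x00")
    return out[: end if end >= 0 else len(out)]


def is_printable(s):
    return len(s) > 0 and all(32 <= c < 127 for c in s)


def carve(blob, key=KEY):
    """Try each scheme on one encrypted entry and keep the ones that yield
    printable ASCII; run this over every entry of the string table
    extracted from the ELF to see which layout the sample really uses."""
    return {name: decrypt(blob, name, key) for name in SCHEMES
            if is_printable(decrypt(blob, name, key))}


# Constructed plaintext for the demo; not a string taken from the sample.
PLAIN = b"/dev/watchdog"
CIPHER_REPEAT = xor_repeat(PLAIN + b"\x00")

if __name__ == "__main__":
    print(CIPHER_REPEAT.hex())
    print(carve(CIPHER_REPEAT))
```

Only one of the two schemes produces printable output for a given blob, so `carve()` doubles as a quick way to tell which layout the sample uses before decrypting the whole table.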
The first reference only prints the corresponding string to the screen; the two middle references are operations on the watchdog process, so that the bot does not lose control of the device because of a reboot:
decryption and references
The remaining operations run in a loop: establishing the C2 connection (94.156.161.21:671), sending the device platform type, receiving commands from the server and executing the corresponding module function. Compared with the Gafgyt source code, the command format and its handling have not changed much; the format is still "!* Command [Parameter]".
loop operation code
In processCmd a total of 14 commands are handled and the corresponding DDoS attack is launched, including: "HTTP", "CUDP", "UDP", "STD", "JSC", "TCP", "SYN", "ACK", "CXMAS", "XMAS", "CVSE", "ALL", "CNC", "NIGGA"
command screenshot
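Because the "!* Command [Parameter]" format is unchanged from the leaked source, captured C2 traffic or sandbox network logs can be triaged with a small parser. The following is an added example, not code from the report or from Gafgyt: it parses lines in that format, maps the keyword to the command list above, and summarises which targets a session named. The parameter positions (target IP first) and the session log are assumptions constructed for illustration.

```python
"""Parse Gafgyt-style C2 command lines and map them to the command list
from the analysis, for triage of captured bot traffic.

Added example; not code from the report or the Gafgyt source. The 14
keywords are the ones in the analysis; the argument layout (target IP as
the first parameter) is an assumption for illustration.
"""
import re

# The 14 commands the variant responds to, per the analysis.
DDOS_CMDS = {"HTTP", "CUDP", "UDP", "STD", "JSC", "TCP", "SYN", "ACK",
             "CXMAS", "XMAS", "CVSE"}
CONTROL_CMDS = {"ALL", "CNC", "NIGGA"}  # NIGGA == KILLATTK of the original
ALL_CMDS = DDOS_CMDS | CONTROL_CMDS

# "!*" prefix, a keyword, then optional whitespace-separated parameters.
LINE_RE = re.compile(r"^!\*\s*([A-Za-z]+)(?:\s+(.*))?$")


def parse_command(line):
    """Return {'cmd', 'args', 'kind'} for a '!* CMD [args]' line,
    or None if the line does not use the Gafgyt command format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group(1).upper()
    args = (m.group(2) or "").split()
    if cmd in DDOS_CMDS:
        kind = "ddos"
    elif cmd in CONTROL_CMDS:
        kind = "control"
    else:
        kind = "unknown"  # keyword not in this variant's table
    return {"cmd": cmd, "args": args, "kind": kind}


def triage(lines):
    """Summarise a captured session: the command sequence and the targets
    named in DDoS commands (assumption: first argument is the target)."""
    seen, targets = [], set()
    for line in lines:
        p = parse_command(line)
        if p is None:
            continue
        seen.append(p["cmd"])
        if p["kind"] == "ddos" and p["args"]:
            targets.add(p["args"][0])
    return {"commands": seen, "targets": sorted(targets)}


# Constructed session log (documentation addresses); not traffic from the sample.
SESSION = [
    "PING",
    "!* UDP 203.0.113.7 80 60 32 1024 10",
    "!* HTTP 203.0.113.8 80 /index.html 60",
    "!* XMAS 203.0.113.7 443 30",
    "!* NIGGA",
    "garbage",
]

if __name__ == "__main__":
    print(triage(SESSION))
```

Lines that do not carry the "!*" prefix (keep-alives, noise) are ignored, and a keyword outside the 14 listed is reported as "unknown" rather than dropped, which is useful for spotting a further variant with an extended command table.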
Among these, the CUDP, UDP, JSC and TCP modules can all send random strings to a specified IP and port, and can rebuild TCP and UDP packets by constructing the IP header themselves to hide the source IP address.
message format
The C prefix is presumed to stand for "custom". Taking CUDP and UDP as an example: in the original Gafgyt version, the parameters carried in the issued command include ip, port, time, spoofed, packet size, pollinterval and other field values and flags used to build the UDP packet. In this sample, however, these parameters are applied with different levels of restriction, which may increase the flexibility of particular kinds of DDoS attack.
Comparison of CUDP and UDP
The functionality of some modules includes adding a large number of User-Agent strings, which are used by the HTTP command to launch CC attacks:
CC attack
Includes attacks on Valve Source Engine servers ("Source Engine" queries are part of the routine communication between clients and game servers that use Valve's software protocol):
Attacks on the gaming industry
Includes the CNC command, which can change the IP the bot connects to:
change IP address
Includes SYN and ACK attacks:
SYN and ACK attacks
Includes UDP STD flood attacks:
STD attack
Includes the XMAS attack (that is, a Christmas tree attack, which sets all TCP flags to 1 so that the targeted system spends more resources processing the response):
XMAS attack
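The all-flags-set segment described above is easy to recognise on the wire, because no legitimate TCP state produces it. The block below is an added example, not code from the report: it extracts the flag byte from a raw IPv4/TCP packet and classifies the combination, so the same logic can run over a packet capture from a suspected target. The packets are constructed in the block (documentation addresses, no checksums).

```python
"""Classify TCP flag combinations from raw IPv4 packets, to spot the
"Christmas tree" segments described above in a capture.

Added example; not from the report. All packets below are constructed.
"""
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def tcp_flags(packet):
    """Return the set of flag names in the TCP header of a raw IPv4 packet,
    or None if the packet is not IPv4/TCP or is too short."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 14:  # IP protocol 6 = TCP
        return None
    flag_byte = packet[ihl + 13]  # flags byte sits at TCP header offset 13
    return {name for name, bit in TCP_FLAGS.items() if flag_byte & bit}


def classify_flags(flags):
    if flags is None:
        return "not-tcp"
    if {"FIN", "SYN", "RST", "PSH", "ACK", "URG"} <= flags:
        return "xmas"  # all six classic flags (or all eight) set at once
    if {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags:
        return "invalid-combo"
    if flags == {"SYN"}:
        return "syn"
    if flags == {"ACK"}:
        return "ack-only"
    return "normal"


def build_packet(flag_byte, src="198.51.100.1", dst="203.0.113.5"):
    """Construct a minimal 40-byte IPv4+TCP packet (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flag_byte,
                      8192, 0, 0)
    return ip + tcp


def count_xmas(packets):
    """Number of packets in the list whose flags classify as 'xmas'."""
    return sum(1 for p in packets if classify_flags(tcp_flags(p)) == "xmas")


# Constructed sample: all eight flags, the six classic flags, SYN, ACK, SYN+FIN.
SAMPLES = [build_packet(0xFF), build_packet(0x3F), build_packet(0x02),
           build_packet(0x10), build_packet(0x03)]

if __name__ == "__main__":
    for p in SAMPLES:
        print(classify_flags(tcp_flags(p)))
```

In a real capture the flag-byte check is the cheap first filter; a sustained stream of "xmas" or "invalid-combo" segments towards one host and port is the signature of the module described above, and the same parser separates it from the SYN and ACK floods handled by the other commands.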
The NIGGA module is equivalent to the KILLATTK command in the original version: it stops DDoS attacks by killing all child processes except the main process.
NIGGA module
Comparative analysis
The processCmd function, which holds the main logic in the source code, includes the PING, GETLOCALIP, SCANNER, EMAIL, JUNK, UDP, TCP, HOLD, KILLATTK and LOLNOGTFO modules. Only simplified UDP and TCP modules survive in the variant captured this time.
As for obtaining the local IP, the original version read it through /proc/net/route and returned it via the GETLOCALIP module. The same operation is observed in this variant, but there is no GETLOCALIP module and no references to it are observed.
Get local IP
It is worth noting that neither the original version's SCANNER module, used for SSH brute-forcing (port 22), nor the many "application/device" vulnerabilities that other variants exploit to spread via payloads were found in this sample. Evidently the attacker has split the propagation function into separate programs: after successfully compromising the victim host, shellcode is executed to download the communication sample for the next stage, namely the sample analyzed here.
shellcode example
Taking samples from the same source as an example, the attacker stripped the symbol information from most samples, with a few exceptions such as x86.