Huorong detection and removal

Aiming at the Internet of Things, a new variant of the "Gafgyt" Trojan appears

Recently, Huorong Security Lab discovered a virus intrusion incident which, after investigation and analysis, was confirmed to be a new variant of the Gafgyt Trojan.

Gafgyt is an IoT botnet program based on the IRC protocol. It mainly infects Linux-based IoT devices in order to launch distributed denial-of-service (DDoS) attacks, and it is the largest IoT botnet family after the Mirai family.

After its source code was leaked and uploaded to GitHub in 2015, numerous variants and exploits appeared one after another, posing a serious security threat to users. At present, Huorong security products can intercept and remove the virus described above. Individual and enterprise users are advised to update their virus database promptly for protection.


1. Sample analysis
The virus first renames its own process to "/usr/sbin/dropbear" or "sshd" in order to hide itself:

process rename
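The rename only changes the name the process reports, not the file it was executed from, which gives a defender a simple check. The following is an added example, not code from the Huorong report: it compares the name a process claims (/proc/<pid>/comm or argv[0]) against the /proc/<pid>/exe link; the expected binary paths and the sample records are assumptions constructed for this example.

```python
# Added example, not from the Huorong report. Expected paths are assumed for a
# typical Linux layout; the SAMPLES records at the bottom are constructed data.
import os
from typing import NamedTuple, Optional

EXPECTED_EXE = {  # assumed legitimate binaries; adjust to the host's real install paths
    "sshd": {"/usr/sbin/sshd"},
    "dropbear": {"/usr/sbin/dropbear", "/usr/bin/dropbear"},
}

class ProcInfo(NamedTuple):
    pid: int
    comm: str   # /proc/<pid>/comm, what prctl(PR_SET_NAME) changes
    argv0: str  # first entry of /proc/<pid>/cmdline, what overwriting argv[0] changes
    exe: str    # readlink of /proc/<pid>/exe, the real binary; "" when unreadable

def claimed_name(p: ProcInfo) -> Optional[str]:
    """Which watched service, if any, does the process claim to be?"""
    for name in EXPECTED_EXE:
        if p.comm == name or os.path.basename(p.argv0) == name:
            return name
    return None

def assess(p: ProcInfo) -> Optional[str]:
    """Return a finding for a suspicious process, or None if it looks legitimate."""
    name = claimed_name(p)
    if name is None:
        return None
    if p.exe.endswith(" (deleted)"):  # binary unlinked after start, typical for bots
        return f"pid {p.pid}: claims {name} but its binary was deleted ({p.exe})"
    if p.exe not in EXPECTED_EXE[name]:
        return f"pid {p.pid}: claims {name} but runs {p.exe or '<unreadable, run as root>'}"
    return None

def read_proc(pid: int) -> ProcInfo:
    """Collect the three fields for a live process (Linux only)."""
    with open(f"/proc/{pid}/comm") as f, open(f"/proc/{pid}/cmdline", "rb") as g:
        comm, argv0 = f.read().strip(), g.read().split(b"\x00")[0].decode(errors="replace")
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:  # insufficient privilege or process already gone
        exe = ""
    return ProcInfo(pid, comm, argv0, exe)

SAMPLES = [  # constructed records covering the three outcomes
    ProcInfo(611, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd"),          # legitimate
    ProcInfo(2048, "sshd", "/usr/sbin/dropbear", "/tmp/.x/arm7"),      # renamed bot
    ProcInfo(2049, "dropbear", "dropbear", "/tmp/.x/mips (deleted)"),  # binary removed
]
```

To sweep a live host, call `assess(read_proc(pid))` for every numeric entry of /proc, skipping processes that exit mid-scan.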

The sample contains encrypted strings; the decryption algorithm is a byte-wise XOR with 0xDEDEFFBA. Strings are decrypted individually only at the point of use, and only four of them are actually referenced:

Encrypted string and decryption algorithm
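As an added example (not code from the report), the decryption routine above can be reproduced in Python to recover such strings from a carved string table. It assumes the 32-bit key 0xDEDEFFBA is applied byte by byte as a repeating 4-byte sequence, tries both byte orders because the report does not state one, and uses ciphertext constructed here rather than taken from a real sample.

```python
# Added example, not from the Huorong report. Assumption: the 32-bit key is
# applied as a repeating 4-byte sequence in an unstated byte order (both tried).
import struct

XOR_KEY = 0xDEDEFFBA  # key reported for this variant


def key_stream(key: int = XOR_KEY, little_endian: bool = True) -> bytes:
    """Return the 4-byte repeating key in the chosen byte order."""
    return struct.pack("<I" if little_endian else ">I", key)


def xor_bytes(data: bytes, key: int = XOR_KEY, little_endian: bool = True) -> bytes:
    """XOR every byte with the repeating key. XOR is its own inverse, so the
    same call both obfuscates and recovers a string."""
    ks = key_stream(key, little_endian)
    return bytes(b ^ ks[i % 4] for i, b in enumerate(data))


def is_printable(chunk: bytes) -> bool:
    return all(0x20 <= c < 0x7F for c in chunk)


def decrypt_strings(blob: bytes, key: int = XOR_KEY, min_len: int = 4) -> list:
    """Decrypt a NUL-separated string table and keep printable entries of at
    least min_len bytes. Both key byte orders are tried and the one yielding
    more readable strings wins (an analyst heuristic, not the bot's own logic)."""
    best = []
    for little_endian in (True, False):
        plain = xor_bytes(blob, key, little_endian)
        found = [p.decode("ascii") for p in plain.split(b"\x00")
                 if len(p) >= min_len and is_printable(p)]
        if len(found) > len(best):
            best = found
    return best


# Constructed sample: "sshd\0" under the little-endian key order, worked by hand.
SAMPLE_SSHD = bytes.fromhex("c98cb6baba")

# Constructed string table built with the symmetric routine so the example is
# self-contained; a real table would be carved out of the ELF's data section.
SAMPLE_TABLE = xor_bytes(b"/usr/sbin/dropbear\x00sshd\x00!*\x00")

if __name__ == "__main__":
    print(xor_bytes(SAMPLE_SSHD))         # b'sshd\x00'
    print(decrypt_strings(SAMPLE_TABLE))  # ['/usr/sbin/dropbear', 'sshd']
```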


The first reference simply prints the decrypted string to the screen, while the two middle references are operations on the device's watchdog, used to avoid losing control of the device through a reboot:

decrypt and reference


The remaining operations run in a loop: initiating the C2 connection (94.156.161.21:671), sending the device platform type, receiving the returned commands and executing the corresponding module function. Compared with the Gafgyt source code, the command format and command handling have not changed much; the command format is still "!*Command [Parameters]".

loop operation code


In processCmd, a total of 14 commands are handled, each launching the corresponding DDoS attack: "HTTP", "CUDP", "UDP", "STD", "JSC", "TCP", "SYN", "ACK", "CXMAS", "XMAS", "CVSE", "ALL", "CNC" and "NIGGA".

command screenshot


Among these, the CUDP, UDP, JSC and TCP modules can all send random strings to a specified IP and port, and they can rebuild the TCP and UDP packets by constructing the IP header themselves so as to hide the source IP address.


message structure


The prefix C is presumed to stand for custom. Taking CUDP and UDP as an example, in the original Gafgyt version the parameters carried by the issued command include ip, port, time, spoofed, packet, pollinterval and other field values and flags used to build the UDP packets. In this sample, however, these parameters are observed to be subjected to different degrees of restriction, which may increase the flexibility of specific DDoS attack types.

Comparison of CUDP and UDP

Some modules also add a large number of User-Agent strings, which are used by the HTTP command to launch CC attacks:

CC attack

Also included are attacks on Valve Source Engine servers ("Source Engine" queries are part of the routine communication between clients and game servers using Valve's software protocol):

Attacks on the gaming industry

Included is the CNC command, which can switch the C2 connection IP:

change IP address

Included are SYN and ACK attacks:

SYN and ACK attacks

Included is the STD UDP flood attack:

STD attack

Included is the XMAS attack (the Christmas tree attack, which sets all TCP flags to 1 so that the target system spends more resources processing the response):

XMAS attack

The NIGGA module is equivalent to the KILLATTK command in the original version: it stops the DDoS attacks by killing all child processes except the main process.

NIGGA module

2. Comparative analysis
The processCmd function, which holds the main logic in the source code, includes the PING, GETLOCALIP, SCANNER, EMAIL, JUNK, UDP, TCP, HOLD, KILLATTK and LOLNOGTFO modules. Only simplified forms of UDP and TCP survive in the exploited variant captured this time.

As for obtaining the local IP, the original version read it from /proc/net/route and returned it through the GETLOCALIP module. The same operation is observed in this variant, but there is no GETLOCALIP module and no reference to the result is observed.

Get local IP

It is worth noting that the SCANNER module used for SSH brute force (port 22) in the original version does not exist in this kind of sample, nor do the many "application/device" vulnerabilities that other variants integrate to spread via payloads. It can be seen that the attacker has split the propagation process into independent programs: after successfully intruding on the victim host, the next-stage communication sample, i.e. the sample analyzed here, is downloaded by executing shellcode.

shellcode example

Taking the samples obtained from the same source as an example, the attacker stripped the symbol information from most of them, with only a few exceptions, such as x86.
