Huorong detection and removal

Targeting the Internet of Things, a new variant of the "Gafgyt" Trojan appears

Recently, Huorong Security Lab discovered an intrusion sample which, after investigation and analysis, was confirmed to be a new variant of the Gafgyt Trojan.


Gafgyt is an IoT botnet program based on the IRC protocol. It mainly infects Linux-based IoT devices in order to launch distributed denial-of-service (DDoS) attacks, and it is the largest IoT botnet family apart from the Mirai family.

After its source code was leaked and uploaded to GitHub in 2015, numerous variants and exploits appeared one after another, posing a greater security threat to users. Huorong security products can now intercept and remove the virus described above; enterprise users are asked to update the virus database in time for protection.


1. Sample analysis
The virus first renames its own process to "/usr/sbin/dropbear" or "sshd" in order to hide itself:

[Figure: process rename]
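The renaming described above changes what `ps` and `top` display, but not the `/proc/<pid>/exe` link, which still points at the binary actually running. The following host check, an added example rather than code from the Huorong write-up, compares the name a process claims (its `comm` and `argv[0]`) with the executable behind it and flags processes that call themselves `sshd` or `dropbear` while running from somewhere else or from a deleted file. The `ProcInfo` fields and the test cases are constructed for illustration.

```python
import os
from dataclasses import dataclass
from typing import List, Optional

# Process names the sample borrows to blend in with legitimate SSH daemons (from the analysis).
MASQUERADE_NAMES = {"sshd", "dropbear"}


@dataclass
class ProcInfo:
    pid: int
    comm: str   # contents of /proc/<pid>/comm (the name prctl(PR_SET_NAME) changes)
    argv0: str  # first element of /proc/<pid>/cmdline (what ps/top display)
    exe: str    # target of the /proc/<pid>/exe symlink (the binary really running)


def is_masquerading(p: ProcInfo) -> bool:
    """True when a process calls itself sshd/dropbear but the executable it is
    actually running is something else, or has been deleted from disk."""
    claimed = {os.path.basename(p.comm), os.path.basename(p.argv0)}
    if not claimed & MASQUERADE_NAMES:
        return False
    deleted = p.exe.endswith(" (deleted)")
    real_name = os.path.basename(p.exe[: -len(" (deleted)")] if deleted else p.exe)
    return deleted or real_name not in MASQUERADE_NAMES


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Collect the three identity fields for one PID (reading other users' exe links needs root)."""
    try:
        with open(f"/proc/{pid}/comm") as f:
            comm = f.read().strip()
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None
    return ProcInfo(pid, comm, argv0, exe)


def scan_proc() -> List[ProcInfo]:
    """Walk /proc and return every process whose claimed name does not match its binary."""
    hits = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            info = read_proc(int(entry))
            if info is not None and is_masquerading(info):
                hits.append(info)
    return hits


if __name__ == "__main__":
    for h in scan_proc():
        print(f"pid {h.pid}: presents as '{h.argv0 or h.comm}' but runs {h.exe}")
```

A genuine `sshd` child shows `comm` = `sshd` and an `argv[0]` such as `sshd: user [priv]`, but its `exe` is still `/usr/sbin/sshd`, so it is not reported. The one expected false positive is a legitimate daemon whose binary was replaced by a package upgrade while it kept running (its `exe` then carries the `(deleted)` suffix); that case deserves a look anyway.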

Among them, encrypted strings were found; the decryption algorithm is a byte-wise XOR with 0xDEDEFFBA. At run time the strings are decrypted one at a time only when needed, but only four of them are actually used:

[Figure: encrypted strings and decryption algorithm]
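Because XOR is its own inverse, the same routine that the sample uses to decrypt a string also recovers every string from the binary's data section. The decoder below is an added example, not code from the Huorong analysis; it assumes the four key bytes are applied cyclically in the order written (DE DE FF BA) and that the key phase restarts at the start of each string, which is why the carver tries all four phases so that strings at unaligned offsets are still found. The sample blob is constructed for the demonstration and is not taken from the real binary.

```python
KEY = 0xDEDEFFBA
# Assumption: key bytes used cyclically in the order written, phase reset per string.
KEY_BYTES = KEY.to_bytes(4, "big")


def xor_cycle(data: bytes, key: bytes = KEY_BYTES) -> bytes:
    """XOR every byte with the cycling key; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_string(enc: bytes) -> str:
    """Decrypt one NUL-terminated string the way the sample would at use time."""
    return xor_cycle(enc).split(b"\0", 1)[0].decode("ascii", errors="replace")


def carve_strings(blob: bytes, min_len: int = 6):
    """Recover encrypted strings from a blob without knowing where each one starts:
    try all four key phases and keep printable runs that end in a NUL byte."""
    found = {}
    for phase in range(len(KEY_BYTES)):
        rotated = KEY_BYTES[phase:] + KEY_BYTES[:phase]
        dec = xor_cycle(blob, rotated)
        start = None
        for i, c in enumerate(dec):
            if 32 <= c < 127:
                if start is None:
                    start = i
            else:
                if c == 0 and start is not None and i - start >= min_len:
                    found.setdefault(start, dec[start:i].decode("ascii"))
                start = None
    return sorted(found.items())


# Constructed sample blob: two encrypted strings at offsets 3 and 24, separated by filler
# bytes that never decode to printable characters under any key byte.
SAMPLE_BLOB = (
    b"\x00\x01\x02"
    + xor_cycle(b"/usr/sbin/dropbear\0")
    + b"\x03\x04"
    + xor_cycle(b"connected to cnc\0")
)

if __name__ == "__main__":
    for offset, text in carve_strings(SAMPLE_BLOB):
        print(f"0x{offset:04x}: {text}")
```

Run against the real sample, `carve_strings` would be pointed at the `.rodata` or `.data` bytes dumped from the ELF; the only strings worth trusting are those that decode cleanly under exactly one phase, which is what the printable-run-then-NUL rule enforces.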

The first use only prints the connection string to the screen, and the middle two are the daemon-process operations that keep the bot from losing control when the device restarts:

[Figure: decryption and references]

The subsequent work is done in a loop: initiating the C2 connection (94.156.161.21:671), sending the device platform type, receiving the returned commands and performing the corresponding operations. Compared with the leaked Gafgyt source code, the format and function of the commands have changed little, and the command format is still "!* Command [Parameter]".

[Figure: loop operation code]

In the processCmd function, a total of 14 commands are handled and DDoS attacks are launched accordingly, including: "HTTP", "CUDP", "UDP", "STD", "JSC", "TCP", "SYN", "ACK", "CXMAS", "XMAS", "CVSE", "ALL", "CNC" and "NIGGA".

[Figure: command screenshot]
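The "!* Command [Parameter]" format and the 14 command names above are enough to write a triage parser for captured bot-side traffic, which is useful because the C2 channel is plaintext and can be logged by a network sensor. The parser below is an added example and not code from the Huorong analysis or from Gafgyt; it assumes that the first parameter that looks like an IP address is the target (or, for CNC, the new C2 address) and that the numeric token after it is the port, which is consistent with the original Gafgyt parameter order but is not stated for this variant. The sample lines use documentation addresses and are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Command names listed in the analysis for this variant's processCmd.
ATTACK_COMMANDS = {"HTTP", "CUDP", "UDP", "STD", "JSC", "TCP", "SYN", "ACK",
                   "CXMAS", "XMAS", "CVSE", "ALL"}
CONTROL_COMMANDS = {"CNC": "switch C2 address", "NIGGA": "stop running attacks"}

# Gafgyt-style command line: "!*" prefix, upper-case verb, space-separated parameters.
CMD_RE = re.compile(r"^!\*\s*([A-Z]+)(?:\s+(.*))?$")


@dataclass
class C2Command:
    name: str
    params: List[str]
    target_ip: Optional[str] = None
    target_port: Optional[int] = None

    @property
    def kind(self) -> str:
        if self.name in ATTACK_COMMANDS:
            return "attack"
        if self.name in CONTROL_COMMANDS:
            return "control"
        return "unknown"


def _looks_like_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_line(line: str) -> Optional[C2Command]:
    """Parse one line of C2 traffic; None when it is not a '!*' command.
    Assumption (not stated in the analysis): the first IP-looking parameter is the
    target/C2 address and the numeric token after it is the port."""
    m = CMD_RE.match(line.strip())
    if not m:
        return None
    name = m.group(1)
    params = m.group(2).split() if m.group(2) else []
    cmd = C2Command(name, params)
    for i, tok in enumerate(params):
        if _looks_like_ip(tok):
            cmd.target_ip = tok
            if i + 1 < len(params) and params[i + 1].isdigit():
                cmd.target_port = int(params[i + 1])
            break
    return cmd


def summarize(lines: List[str]) -> List[str]:
    """One human-readable entry per recognised command, suitable for a triage note."""
    out = []
    for line in lines:
        cmd = parse_line(line)
        if cmd is None:
            continue
        target = f" -> {cmd.target_ip}:{cmd.target_port}" if cmd.target_ip else ""
        out.append(f"{cmd.kind}:{cmd.name}{target}")
    return out


# Constructed capture of bot-side traffic (documentation addresses, not a real C2).
SAMPLE_LINES = [
    "!* UDP 203.0.113.5 80 30 0 512 10",
    "!* CNC 198.51.100.7 671",
    "!* NIGGA",
    "PONG",
    "!* FOO bar",
]

if __name__ == "__main__":
    for entry in summarize(SAMPLE_LINES):
        print(entry)
```

Unknown verbs are kept rather than dropped, since a new verb in an otherwise Gafgyt-shaped stream is exactly the kind of variant change this analysis documents.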

Of these, the CUDP, UDP, JSC and TCP modules send random strings to the specified IP and port, and can build TCP and UDP packets with self-constructed IP headers in order to hide the source IP address.

[Figure: message structure]

The prefix C is presumed to be an abbreviation of "custom". Taking CUDP and UDP as examples: in the original version of Gafgyt, the parameters of the command included ip, port, time, spoofed, packet size, pollinterval and other numeric fields and flag bits used to construct the UDP packets. In this sample, however, observation shows that these parameters are applied with different levels of restriction, which can improve the flexibility of certain kinds of DDoS attack.

[Figure: comparison of CUDP and UDP]

Other modules add more user-agent strings, which are used when issuing the HTTP command for CC attacks:

[Figure: CC attack]

They include attacks against Valve's Source Engine servers ("Source Engine" queries are part of the routine communication between clients and game servers that use Valve's software protocol):

[Figure: attack against the gaming industry]

as well as the CNC command, which switches the C2 connection IP:

[Figure: switching the connection IP]

SYN and ACK attacks:

[Figure: SYN and ACK attacks]

the UDP STD flood attack:

[Figure: STD attack]

and the XMAS attack (that is, the Christmas tree attack, which sets all TCP flags to 1 so that the target system spends more resources on responding):

[Figure: XMAS attack]
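The SYN, ACK and XMAS modules differ only in the TCP flag byte they set, so a sensor that parses that byte can tell the three floods apart. The following detector is an added example, not code from the Huorong analysis: it parses raw IPv4/TCP headers, names the flag combinations these modules produce, and counts them per destination so that a burst of all-flags-set packets stands out (no legitimate stack sends FIN, SYN, RST, PSH, ACK and URG together). `make_test_packet` only builds header bytes for offline parsing; the traffic it produces is constructed, uses documentation addresses and is never sent anywhere.

```python
import struct
from collections import Counter
from typing import Dict, List, Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG   # 0x3F


def parse_ipv4_tcp(pkt: bytes) -> Optional[Tuple[str, str, int, int, int]]:
    """Return (src, dst, sport, dport, flags) for a raw IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:      # IP protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13] & ALL_FLAGS            # low six bits of the TCP flags byte
    return src, dst, sport, dport, flags


def classify_flags(flags: int) -> str:
    """Name the flag combinations the analysed modules produce."""
    if flags & ALL_FLAGS == ALL_FLAGS:
        return "XMAS"          # every flag lit: never part of a legitimate handshake
    if flags == SYN:
        return "SYN"
    if flags == ACK:
        return "ACK"
    return "other"


def make_test_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed fixture: minimal IPv4+TCP header bytes (checksums zero) for offline parsing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    return ip + tcp


def flood_report(packets: List[bytes], threshold: int) -> Dict[Tuple[str, int, str], int]:
    """Count SYN/ACK/XMAS packets per (dst, port, kind); return the counters at or over threshold."""
    counts: Counter = Counter()
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        _src, dst, _sport, dport, flags = parsed
        kind = classify_flags(flags)
        if kind != "other":
            counts[(dst, dport, kind)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed traffic: 60 XMAS packets with rotating source addresses (as a spoofing
# module would produce) plus a normal SYN, SYN/ACK and ACK exchange.
SAMPLE_PACKETS = [
    make_test_packet(f"198.51.100.{i % 20 + 1}", "203.0.113.9", 40000 + i, 80, ALL_FLAGS)
    for i in range(60)
]
SAMPLE_PACKETS += [
    make_test_packet("192.0.2.10", "203.0.113.9", 50000, 80, SYN),
    make_test_packet("203.0.113.9", "192.0.2.10", 80, 50000, SYN | ACK),
    make_test_packet("192.0.2.10", "203.0.113.9", 50000, 80, ACK),
]

if __name__ == "__main__":
    for (dst, port, kind), n in flood_report(SAMPLE_PACKETS, 50).items():
        print(f"{kind} flood toward {dst}:{port}: {n} packets")
```

Counting per destination rather than per source is deliberate: the analysis notes that these modules forge IP headers to hide the real source, so a per-source threshold would never trigger, while the target address cannot be spoofed.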

The NIGGA module is equivalent to the KILLATTK command in the original version: it stops DDoS attacks by killing all child processes except the main process.

[Figure: NIGGA module]

2. Comparison
The processCmd function in the leaked source code includes the PING, GETLOCALIP, SCANNER, EMAIL, JUNK, UDP, TCP, HOLD, KILLATTK and LOLNOGTFO modules. Only simplified versions of the UDP and TCP modules survive in the variant captured this time.

In the function that obtains the local IP, the original version read the local IP from /proc/net/route and returned it through the GETLOCALIP module. The same acquisition function is present in this variant, but the GETLOCALIP module is absent and the function is not referenced anywhere.

[Figure: obtaining the local IP]

It is worth noting that the SCANNER module that the original version used to brute-force SSH (port 22) is absent from this sample, nor does it embed, as other variants do, multiple "application/device" vulnerability payloads for propagation. It can be seen that the attacker has split propagation out into independent services: after successfully breaking into the victim host, the first stage downloads the next-stage communication sample, that is, the sample analysed here, by executing shellcode.

[Figure: shellcode execution example]

Taking the samples obtained from the same source as an example, the attacker stripped the debugging information from most of them, leaving it in only a few, such as the x86 build.
