Huorong detection and removal: targeting the Internet of Things, a new variant of the "Gafgyt" Trojan appears

Targeting the Internet of Things, a new variant of the "Gafgyt" Trojan appears

Recently, Huorong Security Lab captured an infection incident. After analysis and investigation, the malware was confirmed to be a new variant of the Gafgyt Trojan.

Gafgyt is an IoT botnet family based on the IRC protocol. It mainly infects Linux-based IoT devices and uses them to launch distributed denial-of-service (DDoS) attacks, and it is the most active IoT botnet family apart from Mirai.

Since its source code was leaked and uploaded to GitHub in 2015, variants and exploits have appeared one after another, posing a serious security threat to users. Huorong security products can already detect and remove the virus described above; enterprise users are advised to update the virus database promptly for protection.


1. Sample analysis
The virus first renames its own process to "/usr/sbin/dropbear" or "sshd" to hide itself:

Process rename
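A process that merely rewrites its name still betrays itself through /proc, because argv[0] can be overwritten but /proc/PID/exe and (without prctl) /proc/PID/comm cannot. The following hunting script is an added example, not Huorong's tooling: only the renaming trick comes from the article, while the expected binary paths, the heuristics and the sample process table are constructed assumptions.

```python
#!/usr/bin/env python3
"""Hunt for processes that call themselves "/usr/sbin/dropbear" or "sshd" but
are backed by a different executable.  Added example, not Huorong's tooling:
only the renaming trick is from the article; the heuristics, the expected
binary paths and the sample process table are constructed assumptions."""
import os
from typing import Dict, List

# Where the genuine binary normally lives (assumed; adjust per firmware image).
EXPECTED_EXE = {
    "dropbear": ("/usr/sbin/dropbear", "/usr/bin/dropbear", "/sbin/dropbear"),
    "sshd": ("/usr/sbin/sshd", "/usr/bin/sshd"),
}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/data/local/tmp/")


def suspicious(proc: Dict[str, str]) -> List[str]:
    """Return the reasons a process record looks like a masquerade.

    proc keys: comm (contents of /proc/PID/comm), cmdline (argv[0]) and exe
    (readlink of /proc/PID/exe).  An empty list means nothing stood out."""
    reasons: List[str] = []
    argv0 = proc.get("cmdline", "")
    name = os.path.basename(argv0) or proc.get("comm", "")
    if name not in EXPECTED_EXE:
        return reasons  # not claiming to be an SSH daemon, out of scope here
    exe = proc.get("exe", "")
    if exe.endswith(" (deleted)"):  # binary unlinked after exec, common for droppers
        reasons.append("backing file was deleted")
        exe = exe[: -len(" (deleted)")]
    if exe and exe not in EXPECTED_EXE[name]:
        reasons.append(f"exe {exe} is not a known {name} binary")
    if exe.startswith(WRITABLE_DIRS):
        reasons.append("executable lives in a world-writable directory")
    # Overwriting argv[0] does not change /proc/PID/comm unless the process
    # also calls prctl(PR_SET_NAME), so a mismatch is a cheap extra signal.
    comm = proc.get("comm", "")
    if comm and comm != name[:15]:
        reasons.append(f"comm {comm!r} differs from argv[0] name {name!r}")
    return reasons


def scan_proc(root: str = "/proc") -> List[Dict[str, str]]:
    """Walk a live /proc and return the records that suspicious() flags.
    Returns an empty list when /proc is absent (non-Linux hosts)."""
    findings: List[Dict[str, str]] = []
    if not os.path.isdir(root):
        return findings
    for pid in os.listdir(root):
        if not pid.isdigit():
            continue
        base = os.path.join(root, pid)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\x00")[0].decode(errors="replace")
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # process exited, or no permission (kernel threads, root-only)
        rec = {"pid": pid, "comm": comm, "cmdline": argv0, "exe": exe}
        reasons = suspicious(rec)
        if reasons:
            rec["reasons"] = "; ".join(reasons)
            findings.append(rec)
    return findings


# Constructed process table: a genuine dropbear, a Gafgyt-style masquerade that
# rewrote argv[0] after running from /tmp, and a fake "sshd" with an odd exe.
SAMPLE_PROCS = [
    {"pid": "412", "comm": "dropbear", "cmdline": "/usr/sbin/dropbear", "exe": "/usr/sbin/dropbear"},
    {"pid": "9021", "comm": "x86", "cmdline": "/usr/sbin/dropbear", "exe": "/tmp/x86 (deleted)"},
    {"pid": "9022", "comm": "sshd", "cmdline": "sshd", "exe": "/var/run/.s"},
]

if __name__ == "__main__":
    for rec in SAMPLE_PROCS:
        print(rec["pid"], rec["cmdline"], "->", suspicious(rec) or "ok")
    for rec in scan_proc():  # live host check, empty when not on Linux
        print(rec["pid"], rec["cmdline"], "->", rec["reasons"])
```

Run it as root on the suspect device to read every process's exe link; a bot that has already unlinked its dropped file shows up as "(deleted)", which is itself a strong indicator on an embedded system where nothing legitimately self-deletes.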

Encrypted strings are found in the sample; the decryption routine is a byte-wise XOR with the key 0xDEDEFFBA. Strings are decrypted only at the point of use, and although several are decrypted one after another, only four are actually referenced:

Encrypted strings and decryption algorithm

The first reference merely prints the corresponding string to the screen; the two references in the middle operate on the watchdog process so that the bot does not lose control of the device through a reboot:

Decrypt and reference

The remaining functions run in a loop: establishing the C2 connection (94.156.161.21:671), sending the device's platform type, receiving returned commands and executing the corresponding modules. Compared with the leaked Gafgyt source code, the command flow and structure have not changed much, and the command format is still "!* Command [Parameter]":

Loop operation code

In the processCmd function, a total of 14 commands are handled, each launching the corresponding DDoS attack: "HTTP", "CUDP", "UDP", "STD", "JSC", "TCP", "SYN", "ACK", "CXMAS", "XMAS", "CVSE", "ALL", "CNC" and "NIGGA":

Command screenshot

Among these, the CUDP, UDP, JSC and TCP modules send random strings to the specified IP and port, and can rebuild TCP and UDP packets with self-constructed IP headers in order to spoof the source IP address.

Message structure

The C prefix is presumed to be an abbreviation of custom. Taking CUDP and UDP as examples: in the original Gafgyt, the parameters carried in the command include ip, port, time, spoofed, packetsize, pollinterval and the other field values and flags needed to build a UDP packet. In this sample, however, the same parameters are seen to be restricted to differing degrees, which may be intended to make it easier to switch between specific DDoS attack types.

Comparison of CUDP and UDP
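Because the "!* Command [Parameter]" wire format and the command set are unchanged, C2 traffic captured from an infected device can be triaged with a small parser. The block below is an added example, not the sample's own code: the 14 command names are the ones listed above, the UDP/CUDP parameter order (ip, port, time, spoofed, packetsize, pollinterval) follows the listing above, and the numeric limits it applies are illustrative assumptions rather than the values this variant enforces. The CNC handling assumes the new C2 address is the first argument, which the article does not state.

```python
"""Parser and triage for Gafgyt-style C2 command lines ("!* COMMAND [params]").
Added example, not the sample's or Huorong's code.  Command names and the
UDP/CUDP parameter order come from the article; the range limits and the CNC
argument layout are assumptions for illustration."""
from ipaddress import ip_address
from typing import Dict, List, Optional

KNOWN_COMMANDS = {"HTTP", "CUDP", "UDP", "STD", "JSC", "TCP", "SYN", "ACK",
                  "CXMAS", "XMAS", "CVSE", "ALL", "CNC", "NIGGA"}
FLOOD_FIELDS = ("ip", "port", "time", "spoofed", "packetsize", "pollinterval")
# Illustrative sanity limits (assumed): port range, at most a day of attack,
# spoofed treated as a netmask bit count, packet size bounded by UDP payload.
LIMITS = {"port": (0, 65535), "time": (1, 86400), "spoofed": (0, 32),
          "packetsize": (0, 65507), "pollinterval": (1, 1_000_000)}


def parse_flood_params(args: List[str], errors: List[str]) -> Dict[str, object]:
    """Map positional UDP/CUDP arguments onto FLOOD_FIELDS with range checks."""
    params: Dict[str, object] = {}
    if len(args) < 3:  # ip, port and time are the minimum a flood needs
        errors.append("too few parameters for a flood command")
    for name, value in zip(FLOOD_FIELDS, args):
        if name == "ip":
            try:
                ip_address(value)
                params[name] = value
            except ValueError:
                errors.append(f"bad target ip {value!r}")
            continue
        try:
            num = int(value)
        except ValueError:
            errors.append(f"{name} is not numeric: {value!r}")
            continue
        lo, hi = LIMITS[name]
        if not lo <= num <= hi:
            errors.append(f"{name}={num} outside {lo}..{hi}")
        params[name] = num
    return params


def parse_command(line: str) -> Optional[Dict[str, object]]:
    """Parse one C2 line.  Returns None for lines that are not commands."""
    text = line.strip()
    if not text.startswith("!*"):
        return None
    parts = text[2:].split()
    if not parts:
        return None
    cmd, args = parts[0].upper(), parts[1:]
    rec: Dict[str, object] = {"command": cmd, "known": cmd in KNOWN_COMMANDS,
                              "args": args, "errors": []}
    errors: List[str] = rec["errors"]  # type: ignore[assignment]
    if cmd in ("UDP", "CUDP"):
        rec["params"] = parse_flood_params(args, errors)
    elif cmd == "CNC":
        # Article: CNC changes the IP the bot connects to.  Assumed: first arg.
        if args:
            try:
                ip_address(args[0])
                rec["new_c2"] = args[0]
            except ValueError:
                errors.append(f"CNC target is not an IP: {args[0]!r}")
        else:
            errors.append("CNC without a target")
    return rec


def triage(lines: List[str]) -> Dict[str, int]:
    """Count commands per type; unknown names are the interesting ones."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_command(line)
        key = "noise" if rec is None else (str(rec["command"]) if rec["known"] else "UNKNOWN")
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed capture: what a bot might receive over its C2 socket.
SAMPLE_LINES = [
    "PING",
    "!* UDP 192.0.2.10 80 60 32 1024 10",
    "!* CUDP 192.0.2.10 53 600 0 512 1",
    "!* CNC 198.51.100.7 671",
    "!* NIGGA",
    "!* FOO 1 2 3",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line, "->", parse_command(line))
    print(triage(SAMPLE_LINES))
```

Feeding the parser with the decrypted payload of a PCAP from the C2 port is the quickest way to confirm which of the 14 modules an operator actually drives, and an unknown command name is an early sign of yet another variant.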

The remaining modules include the addition of a large number of User-Agent strings, which the HTTP command uses to launch CC (HTTP flood) attacks:

CC attack

An attack against Valve's Source Engine servers is also included ("Source Engine" queries are part of the routine communication between clients and game servers that use Valve's software protocol):

Attack against game companies

The CNC command, which can change the IP the bot connects to, is included:

Changing the connection IP

SYN and ACK attacks are included:

SYN and ACK attacks

An STD UDP flood attack is included:

STD attack

An XMAS attack is included (a "Christmas tree" attack, in which every TCP flag is set to 1, so that the target system spends more processing resources responding to each packet):

XMAS attack
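On the wire the SYN, ACK and XMAS modules differ only in the TCP flag byte, and the spoofing modules differ from normal traffic only in that the IP header was assembled by the bot. The block below is an added example, not code from the sample or from Huorong: it constructs raw IPv4+TCP packets with forged source addresses the way such a module would (checksums left at zero, for test input only), then parses them back and classifies each one by flag pattern, with XMAS defined as the six classic flags FIN/SYN/RST/PSH/ACK/URG all set, which also covers the all-bits-set case the article describes. The sample packets are constructed.

```python
"""Raw IPv4+TCP builder and flag-based classifier for SYN/ACK/XMAS floods.
Added example, not the sample's or Huorong's code.  The builder exists only to
produce test input; checksums are left at zero and nothing is sent."""
import socket
import struct
from typing import Dict, List, Set, Tuple

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
XMAS_MASK = 0x3F  # FIN|SYN|RST|PSH|ACK|URG, the classic "christmas tree"


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int,
                   payload: bytes = b"") -> bytes:
    """Assemble an IPv4 header plus a 20-byte TCP header by hand, exactly the
    step a spoofing module does so it can put any address in the src field."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def parse_ipv4_tcp(pkt: bytes) -> Dict[str, object]:
    """Decode the fields a flood detector cares about from a raw packet."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if proto != 6:
        raise ValueError(f"not TCP (protocol {proto})")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "ttl": ttl, "flags": flags,
            "flag_names": [n for n, b in FLAG_BITS.items() if flags & b]}


def classify(pkt: bytes) -> str:
    """Name the flag pattern: XMAS, SYN, ACK, NULL or OTHER."""
    flags = int(parse_ipv4_tcp(pkt)["flags"])  # type: ignore[arg-type]
    if flags & XMAS_MASK == XMAS_MASK:
        return "XMAS"
    if flags == FLAG_BITS["SYN"]:
        return "SYN"
    if flags == FLAG_BITS["ACK"]:
        return "ACK"
    if flags == 0:
        return "NULL"
    return "OTHER"


def flood_summary(pkts: List[bytes]) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Group packets by (destination, pattern) and count distinct sources.
    Many sources hitting one target with XMAS or bare SYN/ACK is the flood
    signature; with spoofing, the source count grows with every packet."""
    summary: Dict[Tuple[str, str], Dict[str, object]] = {}
    for pkt in pkts:
        hdr = parse_ipv4_tcp(pkt)
        key = (str(hdr["dst"]), classify(pkt))
        entry = summary.setdefault(key, {"packets": 0, "sources": set()})
        entry["packets"] = int(entry["packets"]) + 1  # type: ignore[arg-type]
        sources: Set[str] = entry["sources"]  # type: ignore[assignment]
        sources.add(str(hdr["src"]))
    return summary


# Constructed capture: four XMAS packets from forged sources plus one real SYN.
SAMPLE_PKTS = [build_ipv4_tcp(f"203.0.113.{i}", "192.0.2.5", 40000 + i, 80, 0xFF)
               for i in range(1, 5)]
SAMPLE_PKTS.append(build_ipv4_tcp("10.0.0.9", "192.0.2.5", 51234, 80, FLAG_BITS["SYN"]))

if __name__ == "__main__":
    for pkt in SAMPLE_PKTS:
        hdr = parse_ipv4_tcp(pkt)
        print(hdr["src"], "->", hdr["dst"], hdr["flag_names"], classify(pkt))
    print(flood_summary(SAMPLE_PKTS))
```

Applied to the IP layer of a PCAP instead of constructed packets, the same summary separates a genuine TCP handshake (one source, SYN then ACK) from the SYN, ACK and XMAS modules, and the spoofed floods stand out because the source set keeps growing while the TTL stays constant.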

The NIGGA module corresponds to the KILLATTK command in the original version: it stops the DDoS attack by killing all child processes except the main process.

NIGGA module

Comparative analysis
The processCmd function in the source code, which preserves the original logic, includes the PING, GETLOCALIP, SCANNER, EMAIL, JUNK, UDP, TCP, HOLD, KILLATTK and LOLNOGTFO modules. Of these, only the simple UDP and TCP modules survive in the variant captured this time.

As for obtaining the local IP, the original version reads it from /proc/net/route and returns it through the GETLOCALIP module. The same function is present in this variant, but there is no GETLOCALIP module and no reference to the function was found.

Obtaining the local IP

It is worth noting that this sample contains neither the SCANNER module that the original version used to brute-force SSH (port 22) nor the many "application/device" vulnerabilities that other variants added to spread via payloads. It appears the attacker has split the propagation module out into a separate program: after successfully logging into a host, it downloads the next-stage communication sample by executing shellcode, namely the sample analysed here.

Shellcode sample

Taking samples obtained from the same source as an example, the attacker has stripped the printing information from most of them, with a few exceptions such as x86.
