Tinder (Huorong) detection and removal: a new variant of the "Gafgyt" Trojan targeting the Internet of Things

Recently, Huorong Security Lab intercepted a virus intrusion incident which, after investigation and analysis, was confirmed to be a new variant of the Gafgyt Trojan.

Gafgyt is an IoT botnet program based on the IRC protocol. It mainly infects Linux-based IoT devices in order to launch distributed denial-of-service (DDoS) attacks, and it is an IoT botnet family distinct from the Mirai family.

After its source code was leaked and uploaded to GitHub in 2015, many variants and exploits emerged one after another, posing a greater threat to users. At present, Huorong security products can intercept and remove the virus described above. Enterprise users are asked to update the virus database in time for protection.


1. Analysis
The virus first renames itself to "/usr/sbin/dropbear" or "sshd" to hide itself:

[Figure: process rename]
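The rename described above can be checked from the defender's side by comparing what a process calls itself with what it actually executes. The following is an added example, not code from the original report: it flags processes that present themselves as sshd or dropbear (through argv[0] or the kernel comm name) while their /proc/<pid>/exe link points somewhere else; the list of expected binary locations is an assumption, and the process table at the bottom is constructed.

```python
import os

# Names the variant adopts (from the analysis above) and where a genuine
# binary of that name normally lives; the expected paths are an assumption.
MASQUERADE_NAMES = {"sshd", "dropbear"}
EXPECTED_EXE = {"/usr/sbin/sshd", "/usr/sbin/dropbear", "/usr/bin/dropbear"}

def is_masquerading(argv0: str, comm: str, exe_path: str) -> bool:
    """True when a process calls itself sshd/dropbear (via argv[0] or the
    kernel comm name) but its executable, the /proc/<pid>/exe link target,
    is not one of the expected binaries."""
    claimed = {os.path.basename(argv0), comm.strip()}
    return bool(claimed & MASQUERADE_NAMES) and exe_path not in EXPECTED_EXE

def scan_entries(entries):
    """entries: iterable of (pid, argv0, comm, exe_path); returns flagged pids."""
    return [pid for pid, argv0, comm, exe in entries
            if is_masquerading(argv0, comm, exe)]

def scan_proc():
    """Collect (pid, argv0, comm, exe) for every process on a live Linux host
    and return the flagged ones; returns [] where /proc is unavailable."""
    if not os.path.isdir("/proc"):
        return []
    entries = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv0 = fh.read().split(b"\0", 1)[0].decode(errors="replace")
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited, or a kernel thread / root-only entry
        entries.append((int(pid), argv0, comm, exe))
    return [e for e in entries if is_masquerading(e[1], e[2], e[3])]

# Constructed process table, not taken from a real host.
SAMPLE = [
    (412, "/usr/sbin/sshd", "sshd", "/usr/sbin/sshd"),               # real OpenSSH
    (913, "sshd", "sshd", "/tmp/.x/arm7"),                           # bot renamed via argv[0]
    (1022, "/usr/sbin/dropbear", "arm7", "/var/tmp/.d (deleted)"),   # dropper unlinked itself
    (77, "busybox", "busybox", "/bin/busybox"),
]

if __name__ == "__main__":
    print(scan_entries(SAMPLE))   # [913, 1022]
```

An executable that has been deleted from disk shows up with a " (deleted)" suffix on the exe link, which is itself a common sign of a self-removing dropper.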

The strings in the sample are stored encrypted, and the decryption algorithm is an XOR with 0xDEDEFFBA. Strings are decrypted only when they are used, and only 4 of them are actually used:

[Figure: encrypted string and decryption algorithm]

The first use only prints the corresponding string to the screen, and the middle two references are used to operate the watchdog so that control is not lost when the device restarts:

[Figure: decrypt and reference]
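An analyst decoding the sample's string table needs the XOR routine described above. The following helper is an added example, not the report's own code: it applies the 0xDEDEFFBA key cyclically in little-endian byte order (that layout is an assumption; `width=1` covers a sample that reduces the key to a single byte), cuts decrypted C strings at the first NUL, and dumps printable runs from a whole encrypted region. The sample ciphertexts are constructed here by encrypting known plaintexts.

```python
XOR_KEY = 0xDEDEFFBA  # key reported in the analysis above

def xor_cipher(data: bytes, key: int = XOR_KEY, width: int = 4) -> bytes:
    """XOR data with the key bytes applied cyclically (little-endian order).
    XOR is its own inverse, so the same call encrypts and decrypts.
    The cyclic little-endian layout is an assumption about the sample."""
    kb = (key & ((1 << (8 * width)) - 1)).to_bytes(width, "little")
    return bytes(b ^ kb[i % width] for i, b in enumerate(data))

def decrypt_cstring(blob: bytes, **kw) -> str:
    """Decrypt one string and cut at the first NUL, as the bot's C code would."""
    plain = xor_cipher(blob, **kw)
    return plain.split(b"\0", 1)[0].decode("ascii", errors="replace")

def find_strings(region: bytes, min_len: int = 4, **kw):
    """Decrypt a whole region (e.g. the .rodata block holding the table)
    and return every printable ASCII run of at least min_len characters."""
    out, run = [], bytearray()
    for c in xor_cipher(region, **kw):
        if 32 <= c < 127:
            run.append(c)
        else:
            if len(run) >= min_len:
                out.append(run.decode())
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode())
    return out

# Constructed ciphertexts: known plaintexts encrypted with the same key,
# not bytes taken from the sample.
SAMPLE_CIPHER = xor_cipher(b"/dev/watchdog\0")
SAMPLE_REGION = xor_cipher(b"\x00\x00sshd\x00/usr/sbin/dropbear\x00\x01")

if __name__ == "__main__":
    print(decrypt_cstring(SAMPLE_CIPHER))   # /dev/watchdog
    print(find_strings(SAMPLE_REGION))      # ['sshd', '/usr/sbin/dropbear']
```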

The subsequent functions run in a loop: connecting to the C2 (94.156.161.21:671), sending the device platform, receiving the commands that are sent and executing the corresponding attack module. Compared with the leaked Gafgyt source code, the format and processing of commands have not changed much; the command format is still "!*command [parameter]".

[Figure: loop operation code]

In the processCmd function, a total of 14 commands are handled and the corresponding DDoS attacks launched, namely: "HTTP", "CUDP", "UDP", "STD", "CTCP", "TCP", "SYN", "ACK", "CXMAS", "XMAS", "CVSE", "VSE", "CNC", "NIGGA"

[Figure: command screenshot]
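Because the command format and the 14 command names above are known, a network sensor or honeypot log parser can label captured C2 lines by the effect they would have. The following is an added example, not code from the report: it parses the "!*command [parameter]" form (accepting an optional space after "!*"), groups the flood commands, the C2-changing CNC command and the attack-stopping NIGGA command, and only reads the first two parameters as target and port, since the variant relaxes the parameter checks. The capture lines are constructed and use TEST-NET addresses.

```python
import re

# Commands this variant answers (from the analysis above), grouped by effect.
FLOOD_CMDS = {"HTTP", "CUDP", "UDP", "STD", "CTCP", "TCP", "SYN", "ACK",
              "CXMAS", "XMAS", "CVSE", "VSE"}
CONTROL_CMDS = {"CNC": "c2_change", "NIGGA": "stop_attacks"}
_CMD_RE = re.compile(r"^!\*\s*([A-Z]+)(?:\s+(.*))?$")

def parse_command(line: str):
    """Split a C2 line of the form '!*COMMAND [parameters]' into
    (command, [parameters]); returns None for lines not in that format."""
    m = _CMD_RE.match(line.strip())
    if not m:
        return None
    cmd, rest = m.group(1), m.group(2) or ""
    return cmd, rest.split()

def classify(line: str) -> dict:
    """Label a captured line so a sensor can alert on bot tasking."""
    parsed = parse_command(line)
    if parsed is None:
        return {"cmd": None, "kind": "not_gafgyt"}
    cmd, args = parsed
    target = args[0] if args else None
    if cmd in FLOOD_CMDS:
        # In the leaked source the flood commands carry target and port first;
        # the variant relaxes parameter checks, so anything after is optional.
        return {"cmd": cmd, "kind": "ddos", "target": target,
                "port": args[1] if len(args) > 1 else None}
    if cmd in CONTROL_CMDS:
        return {"cmd": cmd, "kind": CONTROL_CMDS[cmd], "target": target}
    return {"cmd": cmd, "kind": "unknown_command"}

def alerts(lines):
    """Everything that parses as Gafgyt tasking, in capture order."""
    return [c for c in map(classify, lines) if c["kind"] != "not_gafgyt"]

# Constructed capture (TEST-NET addresses), not real traffic.
CAPTURE = [
    "!* UDP 203.0.113.7 80 60 32 1024 10",
    "!*CNC 198.51.100.9 671",
    "!* NIGGA",
    "PING",
    "!* FOO bar",
]

if __name__ == "__main__":
    for a in alerts(CAPTURE):
        print(a)
```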

Among them, the CUDP, UDP, CTCP and TCP modules send random strings to the specified IP and port, and can construct TCP and UDP packets with their own IP headers in order to hide the source IP address.

[Figure: message structure]

The prefix C is assumed to be an abbreviation of "custom". Taking CUDP and UDP as examples: in the original version of Gafgyt, the parameters of the attack command included target, port, time, spoofed, packetsize, pollinterval and other fields and flag bits used to build the UDP packets. In this variant, however, the observed samples show that the restrictions on these parameters are relaxed to varying degrees, which may make DDoS attacks more flexible.

[Figure: comparison of CUDP and UDP]

The functions of the other modules include adding a number of user-agent strings, which are used to send HTTP requests for CC attacks:

[Figure: CC attack]

Attacks on Valve Source engine servers ("Source Engine" queries are part of the everyday communication between clients and game servers that use Valve's software protocol):

[Figure: attack on game servers]

As well as the CNC command, which can change the C2 connection IP:

[Figure: changing the C2 IP]

Including SYN and ACK attacks:

[Figure: SYN and ACK attacks]

Together with the UDP STD flood attack:

[Figure: STD flood attack]

The XMAS attack (that is, a Christmas tree attack, which sets all of the TCP flag bits to 1 so that the target server spends more resources on its responses):

[Figure: XMAS attack]

The NIGGA module is equivalent to the KILLATTK command in the original version: it stops the DDoS attacks by killing all child processes except the main process.

[Figure: NIGGA module]

2. Comparative analysis
The processCmd function, which carries the main logic in the source code, includes the PING, GETLOCALIP, SCANNER, EMAIL, JUNK, UDP, TCP, HOLD, KILLATTK and LOLNOGTFO modules. Only simplified versions of the UDP and TCP modules remain in the variant captured this time.

As for the operation that obtains the local IP: the original version read the local IP from /proc/net/route and returned it to the GETLOCALIP module. The same operation exists in this variant, but there is no GETLOCALIP module and nothing references it.

[Figure: obtaining the local IP]

It is worth noting that this sample contains neither the SCANNER module that the original version used to brute-force SSH (port 22), nor the various "application/device" vulnerability exploit payloads that other variants embed for propagation. It appears that the attacker has split the propagation module into a separate program: after successfully logging in to the target host, it downloads the next-stage communication sample by executing shellcode, and that sample is the one analyzed here.

[Figure: shellcode execution example]

Taking the samples obtained from the same source as an example, the attacker stripped the debugging information from most of them, with a few exceptions such as the x86 build.
