Detection and removal by Huorong

Targeting the Internet of Things, a new variant of the "Gafgyt" Trojan appears

Recently, Huorong Security Lab discovered a virus intrusion incident which, after investigation and analysis, was confirmed to be a new variant of the Gafgyt Trojan.

Gafgyt is an IoT botnet program based on the IRC protocol. It mainly infects Linux-based IoT devices and uses them to launch distributed denial-of-service (DDoS) attacks, and it is the largest IoT botnet family apart from Mirai.

After its source code was leaked and uploaded to GitHub in 2015, variants and upgraded versions have emerged one after another, posing a serious threat to users. Huorong security products can already detect and remove the virus described here; enterprise users are advised to update their virus database promptly to stay protected.


1. Sample analysis
The virus first renames its own process to "/usr/sbin/dropbear" or "sshd" to disguise itself:

process rename

Encrypted strings were found in the sample; the decryption algorithm is a byte-wise XOR with the key 0xDEDEFFBA. At runtime only the strings that are needed are decrypted, one at a time, and in fact only 4 of them are ever referenced:
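The XOR scheme described above, as an added example (not code from the Huorong report or from the sample itself): a small Python routine that decrypts a blob with the 4-byte key and scans it for plaintext at every key alignment, the way an analyst would recover the obfuscated strings without running the binary. It assumes the key is applied byte by byte in big-endian order (DE DE FF BA) and that each string is encrypted starting from key index 0; the blob it scans is constructed for the demo.

```python
"""Recover Gafgyt-style XOR-obfuscated strings from a binary blob.
Added example for this write-up, not code from the Huorong report or the sample.
Assumes the 4-byte key 0xDEDEFFBA is applied cyclically, byte by byte, in big-endian
order (DE DE FF BA) and that each string is encrypted from key index 0; the blob
scanned below is constructed, not carved from malware.
"""
KEY = (0xDEDEFFBA).to_bytes(4, "big")
PRINTABLE = set(range(0x20, 0x7F))  # ASCII text without control characters

def xor_bytes(data, key=KEY, offset=0):
    """XOR each byte with key[(i + offset) % len(key)]; decrypt is the same op."""
    return bytes(b ^ key[(i + offset) % len(key)] for i, b in enumerate(data))

def find_strings(blob, key=KEY, min_len=6):
    """Try every key alignment and report printable runs as (start, alignment, text).

    The key repeats a byte (DE DE), so misaligned decryptions partly match the real
    plaintext and garbage runs can appear next to true hits; a real string shows up
    as one clean NUL-terminated run at a single alignment.
    """
    hits = set()
    for align in range(len(key)):
        plain = xor_bytes(blob, key, align) + b"\x00"  # sentinel flushes the last run
        start = None
        for i, b in enumerate(plain):
            if b in PRINTABLE:
                start = i if start is None else start
            elif start is not None:
                if i - start >= min_len:
                    hits.add((start, align, plain[start:i].decode("ascii")))
                start = None
    return sorted(hits)

# Constructed blob: padding, the disguise name the report mentions and a plausible
# watchdog device path, each encrypted separately and separated by raw NUL bytes.
SAMPLE_BLOB = (
    b"\x00" * 3
    + xor_bytes(b"/usr/sbin/dropbear\x00")
    + b"\x00" * 2
    + xor_bytes(b"/dev/watchdog\x00")
    + b"\x00"
)

if __name__ == "__main__":
    for start, align, text in find_strings(SAMPLE_BLOB):
        print(f"offset {start:#06x} alignment {align}: {text!r}")
```

Runs found at the other three alignments are partial garbage and can be discarded; the clean hits give the file offset of each real string.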

Encrypted string and decryption algorithm

The first decryption only prints the corresponding string to the screen; the two references in the middle are used to handle the watchdog process, so that the bot does not lose control of the device through a restart:

decrypt and reference

The rest runs in a loop: it establishes the C2 connection (94.156.161.21:671), sends the device's platform type, receives the returned command and executes the corresponding module function. Compared with the leaked Gafgyt source code, the command format and its handling have changed little, and the command format is still "!*Command [Parameter]".

loop operation code

In the processCmd function a total of 14 commands are handled, each launching the corresponding DDoS attack: "HTTP", "CUDP", "UDP", "STD", "JSC", "TCP", "SYN", "ACK", "CXMAS", "XMAS", "CVSE", "ALL", "CNC" and "NIGGA".
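An added example (not the report's or the sample's code) of how a defender might triage captured C2 text for the "!*Command [Parameter]" format and the 14 commands listed above, turning each order into a structured record for alerting. It assumes one command per line, an optional space after "!*", and an argument order that starts "<ip> <port> ..." as in the original Gafgyt UDP/TCP commands; the captured lines are constructed.

```python
"""Triage captured bot/C2 text for Gafgyt-style "!*Command [Parameter]" lines.
Added example for this write-up, not code from the Huorong report or the sample.
Assumes one command per line, an optional space after "!*", and arguments that
start "<ip> <port> ..." (original Gafgyt UDP/TCP order); sample lines are constructed.
"""
import ipaddress
import re

# The 14 commands the report lists for this variant's processCmd handler.
FLOOD_COMMANDS = {"HTTP", "CUDP", "UDP", "STD", "JSC", "TCP", "SYN", "ACK",
                  "CXMAS", "XMAS", "CVSE", "ALL"}
CONTROL_COMMANDS = {"CNC": "change C2 address", "NIGGA": "stop running attacks"}
COMMAND_RE = re.compile(r"^!\*\s*([A-Z]+)(?:\s+(.*))?$")

def parse_command(line: str):
    """Return a dict describing a Gafgyt-shaped command, or None for anything else."""
    m = COMMAND_RE.match(line.strip())
    if not m:
        return None
    cmd, rest = m.group(1), m.group(2) or ""
    args = rest.split()
    if cmd in FLOOD_COMMANDS:
        category, note = "flood", "DDoS order"
    elif cmd in CONTROL_COMMANDS:
        category, note = "control", CONTROL_COMMANDS[cmd]
    else:
        return None  # "!*" prefix but not one of the variant's 14 commands
    endpoint = None  # (ip, port) when the first two arguments look like one
    if len(args) >= 2 and args[1].isdigit() and int(args[1]) <= 65535:
        try:
            endpoint = (str(ipaddress.ip_address(args[0])), int(args[1]))
        except ValueError:
            pass  # first argument is not an IP address
    return {"command": cmd, "category": category, "note": note,
            "args": args, "endpoint": endpoint}

def triage(stream: str):
    """Return parse results for every Gafgyt-shaped line in a captured text stream."""
    parsed = (parse_command(line) for line in stream.splitlines())
    return [p for p in parsed if p is not None]

# Constructed capture: a keep-alive, two flood orders, a C2 move and a stop order.
SAMPLE_STREAM = """\
PING
!* UDP 203.0.113.7 80 60
!*HTTP 198.51.100.2 443 30
!* CNC 192.0.2.10 671
!* NIGGA
"""
```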

command screenshot - IoT security

Among them, the CUDP, UDP, JSC and TCP modules can send random strings to a specified IP and port, and can also build TCP and UDP packets with custom headers in order to hide the source IP address.

message structure

The prefix C is presumed to be short for custom. Taking CUDP and UDP as examples: in the original Gafgyt version, the parameters of the issued command include ip, port, time, spoofed, packetsize, pollinterval and other fields and flag values used to build the UDP packets. In this sample, however, the observed behaviour shows that these parameters are used only as different limiting parameters, which may give other types of DDoS attack more flexibility.

Comparison of CUDP and UDP

The other modules add, among other things, a large number of User-Agent strings, which are used to issue HTTP requests in CC attacks:

CC attack

Also included are attacks on Valve's Source Engine servers ("Source Engine" queries are part of the routine communication between clients and game servers using Valve's protocol):

Attacks on the gaming industry

Also included is the CNC command, which can change the IP the bot connects to:

changing the connection IP

SYN and ACK attacks are included:

SYN and ACK attacks

A UDP STD flood is included:

STD flood

An XMAS attack is included (that is, a Christmas-tree attack: all TCP flag bits are set to 1, so the target system spends more resources responding):

XMAS attack

The NIGGA module is equivalent to the KILLATTK command in the original version: it stops the DDoS attack by killing all child processes except the main process.

NIGGA module

2. Comparative analysis
In the source code, the processCmd function that holds the main logic includes the PING, GETLOCALIP, SCANNER, EMAIL, JUNK, UDP, TCP, HOLD, KILLATTK and LOLNOGTFO modules. Only the simplest UDP and TCP modules survive in the variant captured this time.

As for the function that obtains the local IP, the original version reads the local IP from /proc/net/route and returns it through the GETLOCALIP module. The same function is present in this variant, but there is no GETLOCALIP module and no reference to it is observed.

Get local IP

It is worth noting that this sample contains neither the original SCANNER module used to brute-force SSH (port 22) nor the multiple "application/device" vulnerabilities that other variants embed in order to spread through their payloads. It appears that the attacker has split the propagation stage into separate programs: after a successful login to the victim, shellcode is executed to download the next-stage communication sample, that is, the sample analysed here.

Shellcode that fetches the sample

Taking the samples captured from the same source as an example, the attacker stripped most of the samples, except for a few such as the x86 one.
