Tinder detection and killing

Aiming at the Internet of Things, a new variant of the "Gafgyt" Trojan appears

Recently, Huorong Security Lab discovered a virus intrusion incident, which was confirmed after investigation and analysis to be a new variant of the Gafgyt Trojan.

Gafgyt is an IoT botnet program based on the IRC protocol. It mainly infects Linux-based IoT devices in order to launch distributed denial-of-service (DDoS) attacks, and it is the largest active IoT botnet family apart from the Mirai family.

After its source code was leaked and uploaded to GitHub in 2015, variants and incidents have emerged one after another, posing a major security risk to users. Huorong security products can currently detect and kill the viruses mentioned above. Enterprise users are asked to update the virus database in time for protection.


1. Sample analysis
The virus first renames its process to "/usr/sbin/dropbear" or "sshd" to disguise itself:

process rename

Encrypted strings are found in the sample; the decryption algorithm is a byte-wise XOR with 0xDEDEFFBA. At use time the strings are decrypted one by one, but only 4 of them are actually referenced:

Encrypted strings and decryption algorithm

The first reference outputs the corresponding string to the screen, and the two middle references are operations on the watchdog, which prevent the bot from losing control of the device when it restarts:

decrypt and reference

The remaining operations are performed in a loop: initiating a connection to the C2 (94.156.161.21:671), sending the platform and device type, receiving the returned command and executing the corresponding module operation. Compared with the leaked Gafgyt source code, the command format and command processing have not changed much, and the command format is still "!*Command [Parameter]".
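The string decryption described above and the "!*Command [Parameter]" C2 format can be reproduced in a small analyst helper. This is an added example for triage, not code from the sample or from Huorong; the byte order in which the 4-byte key is applied and the sample string table are assumptions, labelled in the comments.

```python
import struct

# Key from the analysis: byte-wise XOR with 0xDEDEFFBA. The order in which the
# sample applies the four key bytes is an ASSUMPTION here (little endian, i.e.
# BA FF DE DE); swap KEY_BYTES if a captured sample shows the opposite order.
KEY = 0xDEDEFFBA
KEY_BYTES = struct.pack("<I", KEY)


def xor_key_stream(data: bytes, key: bytes = KEY_BYTES) -> bytes:
    """XOR every byte of data with the repeating 4-byte key (encrypt == decrypt)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_string(blob: bytes) -> str:
    """Decrypt one string-table entry; the plaintext is NUL-terminated in the binary."""
    plain = xor_key_stream(blob)
    return plain.split(b"\x00", 1)[0].decode("latin-1")


def parse_command(line: str):
    """Split a C2 line of the form '!*Command [Parameter ...]' into (command, params).

    Returns None when the line does not carry the Gafgyt '!*' prefix, so that
    unrelated traffic in a capture is skipped rather than misclassified.
    """
    if not line.startswith("!*"):
        return None
    parts = line[2:].strip().split()
    if not parts:
        return None
    return parts[0].upper(), parts[1:]


# Constructed sample data (not extracted from the malware): the two process
# names given in the analysis, encrypted with the key above.
SAMPLE_TABLE = [xor_key_stream(s.encode() + b"\x00")
                for s in ("/usr/sbin/dropbear", "sshd")]

if __name__ == "__main__":
    for entry in SAMPLE_TABLE:
        print(entry.hex(), "->", decrypt_string(entry))
    # Constructed C2 line using a documentation address (TEST-NET-3).
    print(parse_command("!*CNC 203.0.113.5"))
```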

loop operation code

In the processCmd function, a total of 14 commands are parsed and the corresponding DDoS attacks are launched, including: "HTTP", "CUDP", "UDP", "STD", "JSC", "TCP", "SYN", "ACK", "CXMAS", "XMAS", "CVSE", "VSE", "CNC", "NIGGA"

command screenshot - IoT security

Among them, the CUDP, UDP, JSC and TCP modules can all send random strings to a specified IP and port, and can construct TCP and UDP packets with self-built IP headers to hide the source IP address.

message structure

The prefix C is presumed to be short for Custom. Taking CUDP and UDP as examples, in the original version of Gafgyt the parameters of the issued command include ip, port, time, spoofed, packetsize, pollinterval and other custom fields and flag bits used when constructing UDP packets. In this sample, however, the observed values show that the use of these parameters is restricted to varying degrees, which may be intended to improve the flexibility of different kinds of DDoS attacks.

Comparison of CUDP and UDP

The functions of the other modules include adding a large number of User-Agent strings, which are used to initiate HTTP commands for CC attacks:

CC attack

Attacks on Valve's Source Engine servers are included ("Source Engine" queries are part of the everyday communication between clients and game servers that use the Valve software protocol):

Attack on the game industry

Also included is the CNC command, which can change the connection IP:

change the connection IP

SYN and ACK attacks are included:

SYN and ACK attacks

UDP STD flood attacks are included:

STD attack

XMAS attacks are included (that is, Christmas tree attacks: all TCP flag bits are set to 1, which consumes more response-processing resources on the target system):

XMAS attack

The NIGGA module is equivalent to the KILLATTK command in the original version; it stops DDoS attacks by killing all child processes except the main process.

NIGGA module

2. Comparative analysis
The processCmd function in the source code retains the main logic, which includes the PING, GETLOCALIP, SCANNER, EMAIL, JUNK, UDP, TCP, HOLD, KILLATTK and LOLNOGTFO modules. Only simplified versions of the UDP and TCP modules remain in the different exploit variants captured this time.

As for obtaining the local IP, the original version reads the local IP through /proc/net/route and returns it through the GETLOCALIP module. A similar retrieval routine is found in this variant, but there is no GETLOCALIP module and no references to it are observed.

Obtain local IP

It is worth noting that the SCANNER module of the original version, used to brute-force SSH (port 22), is not used in this variant's samples, nor does it embed multiple "application/device" vulnerability exploits for propagation via payloads, as other variants do. It can be seen that the attacker has split the propagation module out into a separate program; after successfully intruding into a victim, it downloads the communication sample of the next stage and executes the shellcode, that is, the sample analyzed here.

Comparison of shellcode samples

Taking samples obtained from the same source as an example, the attacker stripped the debugging information from most of the samples, except for a few, such as the x86 build.
