Ukujolisa kwi-Intanethi yeZinto, uhlobo olutsha lwe "Gafgyt" I-Trojan ibonakala

Ukujolisa kwi-Intanethi yeZinto, uhlobo olutsha lwe "Gaffyt" I-Trojan ibonakala

Ukujolisa kwi-Intanethi yeZinto, uhlobo olutsha lwe "Gaffyt" I-Trojan ibonakala. Kutshanje, I-Huorong Security Lab ifumene isiganeko sokungenwa yintsholongwane, eyaqinisekiswa ukuba luhlobo olutsha lwentsholongwane yeGafgyt Trojan emva kophando kunye nohlalutyo.

Ukujolisa kwi-Intanethi yeZinto, uhlobo olutsha lwe "Gaffyt" I-Trojan ibonakala

Kutshanje, I-Huorong Security Lab ifumene isiganeko sokungenwa yintsholongwane, eyaqinisekiswa ukuba luhlobo olutsha lwentsholongwane yeGafgyt Trojan emva kophando kunye nohlalutyo.

I-Gafgyt yinkqubo ye-botnet ye-IoT esekwe kwiprothokholi ye-IRC, eyosulela iLinux-based Izixhobo ze-IoT ukuqalisa ukwaliwa kohlaselo lwenkonzo (DDoS). Yeyona ntsapho inkulu esebenzayo ye-IoT botnet ngaphandle kosapho lakwaMirai.

Emva kokuba ikhowudi yomthombo ivuziwe kwaye yalayishwa kwi-GitHub ngaphakathi 2015, ezahlukeneyo kunye nokuxhaphaza kwavela enye emva kwenye, ibeka isoyikiso esikhulu sokhuseleko kubasebenzisi. Ngoku, Iimveliso zokhuseleko ze-Huorong zinokuthintela kwaye zibulale iintsholongwane ezikhankanywe ngasentla. Abasebenzisi bamashishini bayacelwa ukuba bahlaziye idatha yedatha yentsholongwane ngexesha lokukhusela.

1. Uhlalutyo lwesampula
Intsholongwane iqala ithiya ngokutsha inkqubo yayo ukuze "/usr/sbin/dropbear" okanye "sshd" ukuzifihla:

qhubekisa ukuqamba ngokutsha

Phakathi kwabo, umtya ofihliweyo ufunyenwe, kunye ne-algorithm yokuguqulela kwi-byte yi-byte XOR ye-0xDEDEFFBA. Xa isetyenziswa, kuphela ezisetyenzisiweyo zikhutshiwe ngokuzimeleyo, kodwa kuphela 4 zibhekiselwe ngokwenene:

Umtya ofihliweyo kunye ne-algorithm yokuguqulelwa kwentsonkotha

Ireferensi yokuqala kukuvelisa kuphela umtya ohambelana nesikrini, kunye neembekiselo ezimbini ezisembindini ziyimisebenzi kwinkqubo yemboniselo ukunqanda ukuphulukana nolawulo ngenxa yokuqaliswa kwakhona kwesixhobo:

decrypt kwaye ucaphule

Imisebenzi eseleyo iqhutywa kwi-loop, kuquka nokuqalisa uxhulumaniso lweC2 (94.156.161.21:671), ukuthumela uhlobo lwesixhobo seqonga, ukufumana umyalelo wokubuyisela kunye nokwenza umsebenzi wemodyuli ohambelanayo. Kwaye xa kuthelekiswa nekhowudi yomthombo evuzwe nguGafgy, ifomati kunye noqhubekeko lomyalelo azitshintshanga kakhulu, kwaye ifomathi yomyalelo isamile "!*Umyalelo [Ipharamitha]"

ikhowudi yokusebenza yelophu

Kwinkqubo yeCmd umsebenzi, iyonke 14 imiyalelo iyaphendulwa kwaye uhlaselo oluhambelanayo lweDDOS luyaqaliswa, kuquka: "HTTP", "Ukwandiswa kweCUDP", "UDP", "STD", "JSC", "I-TCP", "SYN" , "ACK", "CXMAS", "XMAS", "CVSE", "YONKE INTO", "CNC", "NIGGA"

umyalelo wekhusi - Ukhuseleko lwe-IoT

Phakathi kwabo, iCUDP, UDP, JSC, kunye neemodyuli ze-TCP zinokuthumela zonke iintambo ezingaqhelekanga kwi-IP echaziweyo kunye ne-port, kwaye inokwakha kwakhona iipakethi ze-TCP kunye ne-UDP ngokuzakhela ii-headers ze-IP ukufihla idilesi ye-IP yomthombo.

Ulwakhiwo lomyalezo

Isimaphambili C siqikelelwa ukuba sisishunqulelo sesiko. Ukuthatha iCUDP kunye ne-UDP njengemizekelo, kuguqulelo lokuqala lweGafgyt, iiparamitha kumyalelo okhutshiweyo zibandakanya: ip, izibuko, ixesha, spoofed, ubungakanani bepakethi, I-pollinterval kunye namanye amaxabiso entsimi kunye neebhithi zeflegi Kukwakhiwa kweepakethi ze-UDP. Kule sampuli, nangona kunjalo, iziphumo eziqatshelweyo zibonisa ukuba kukusetyenziswa kwezi parameters ukuya kumanqanaba ahlukeneyo othintelo, enokuphucula ukuguquguquka kweentlobo ezithile zohlaselo lweDDOS.

Ukuthelekiswa kweCUDP kunye ne-UDP

Imisebenzi yezinye iimodyuli ibandakanya ukongeza inani elikhulu leentambo zoMsebenzisi-Arhente, ezisetyenziselwa ukuqalisa imiyalelo ye-HTTP yohlaselo lweCC:

Uhlaselo lweCC

Ibandakanyiwe kuhlaselo oluchasene neeseva zeNjini yoMthombo weValve: ("Injini yomthombo" imibuzo yinxalenye yonxibelelwano lwemihla ngemihla phakathi kwabathengi kunye abancedisi bomdlalo usebenzisa iValve software protocol)

Uhlaselo oluchasene neshishini lokudlala

Kubandakanya imiyalelo ye-CNC enokutshintsha uxhumano lwe-IP:

tshintsha uqhagamshelo IP

Kubandakanya ukuhlaselwa kweSYN kunye ne-ACK:

Ukuhlaselwa kweSYN kunye ne-ACK

Kuquka uhlaselo lwezikhukhula ze-UDP STD:

Uhlaselo lwe-STD

Kubandakanya uhlaselo lwe-XMAS: (yiyo i, Ukuhlaselwa komthi weKrisimesi, ngokucwangcisa zonke iisuntswana zeflegi ye-TCP ku 1, ngoko ke kudla ngokusetyenziswa izibonelelo zokusetyenzwa kweempendulo zenkqubo ekujoliswe kuyo)

Uhlaselo lwe-XMAS

Imodyuli ye-NIGGA ilingana nomyalelo we-KILLATTK kuguqulelo loqobo, eyeka ukuhlaselwa kweDoSS ngokubulala zonke iinkqubo zabantwana ngaphandle kweyona nkqubo iphambili

Imodyuli ye-NIGGA

Uhlalutyo lokuthelekisa
Inkqubo yomsebenziCmd egcina ingqiqo ephambili kwikhowudi yomthombo iquka i-PING, I-GETLOCALIP, ISAKANANI, EMAIL, I-JUNK, UDP, I-TCP, BAMBA, KILLATTK, kunye neemodyuli zeLOLNOGTFO. Kuphela ziinguqulelo ezenziwe lula zeemodyuli ze-UDP kunye ne-TCP ezihlala kunye kulwahlulo lokuxhaphaza oluthathiweyo ngeli xesha.. .

Kwaye ekusebenzeni kokufumana i-IP yendawo, inguqulelo yoqobo ifumana i-IP yendawo nge/proc/net/indlela kwaye iyibuyisela ngeGETLOCALIP imodyuli. Ukufumana ukusebenza okufanayo kubonwa kolu tshintsho, kodwa akukho modyuli yeGETLOCALIP kwaye akukho zimbekiselo zijongwayo.

Fumana i-IP yendawo

Kubalulekile ukuqaphela ukuba akukho nguqulelo yantlandlolo yemodyuli ye-SCANNER esetyenziselwa ukuqhushumba i-SSH (izibuko 22) kolu hlobo lwesampulu, kwaye azikho ezinye iinguqulelo ezizinzisa ezininzi "izicelo/isixhobo" ukuba sesichengeni ukusasazeka ngePayload. Ingabonwa ukuba umhlaseli wahlula imodyuli yosasazo kwiinkqubo ezizimeleyo, kwaye emva kokungena ngempumelelo kwi-host host, uya kukhuphela isampuli yonxibelelwano kwinqanaba elilandelayo ngokwenza i-shellcode, yiyo i, isampuli yohlalutyo.

Yenza umzekelo wekhowudi ye-shell

Ukuthatha iisampulu ezifunyenwe kumthombo ofanayo njengomzekelo, umhlaseli wahluba ulwazi lokulungisa iisampulu ezininzi, ngaphandle nje abambalwa, njenge: x86.