Email: anwenqq2690502116@gmail.com
Targeting the Internet of Things, a new variant of the "Gafgyt" Trojan emerges
Recently, Huorong Security Lab discovered a virus intrusion incident which, after investigation and analysis, was confirmed to be a new variant of the Gafgyt Trojan.
Gafgyt is an IoT botnet program based on the IRC protocol. It infects Linux-based IoT devices and uses them to launch distributed denial-of-service (DDoS) attacks. It is the largest active IoT botnet family apart from the Mirai family.
After its source code was leaked and uploaded to GitHub in 2015, variants and exploits appeared one after another, posing a serious security threat to users. Huorong security products can now intercept and remove the viruses mentioned above. Enterprise users are advised to update their virus database in time to stay protected.
1. Sample analysis
The virus first renames its process to "/usr/sbin/dropbear" or "sshd" to hide itself:
Process renaming
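Because the renaming only changes what the process calls itself, a defender can still catch it by comparing the claimed name against the binary the kernel actually executed. The following Python script is an added example written for this article, not code from Huorong or from the sample; it assumes the renamed name shows up in argv[0] (read from /proc/<pid>/cmdline) and that a genuine dropbear or sshd never runs from a world-writable directory. The sample records are constructed for the demonstration.

```python
import os
from typing import Dict, List

# Process names the sample is reported to adopt (taken from the analysis above).
CLAIMED_NAMES = {"dropbear", "sshd"}
# Writable locations a genuine SSH daemon would never execute from
# (assumption: typical Linux/IoT filesystem layout).
UNTRUSTED_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/data/local/tmp/")


def is_masquerading(argv0: str, exe_path: str) -> bool:
    """True when argv[0] claims to be dropbear/sshd but the executable
    behind /proc/<pid>/exe does not back up that claim."""
    claimed = os.path.basename(argv0)
    if claimed not in CLAIMED_NAMES:
        return False
    # The kernel appends " (deleted)" when the binary was unlinked after
    # start, a common trait of droppers that remove themselves from disk.
    if exe_path.endswith(" (deleted)"):
        return True
    if os.path.basename(exe_path) != claimed:
        return True
    return exe_path.startswith(UNTRUSTED_PREFIXES)


def flag_records(records: List[Dict[str, object]]) -> List[int]:
    """Return the PIDs of suspicious entries from pre-collected records."""
    return [int(r["pid"]) for r in records
            if is_masquerading(str(r["argv0"]), str(r["exe"]))]


def collect_from_proc(proc_root: str = "/proc") -> List[Dict[str, object]]:
    """Gather (pid, argv0, exe) for every process readable by the caller.
    Entries whose exe link cannot be read (other users' processes when not
    root) are skipped rather than flagged, since that is not evidence."""
    records: List[Dict[str, object]] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0", 1)[0].decode("utf-8", "replace")
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # process exited or permission denied
        records.append({"pid": int(entry), "argv0": argv0, "exe": exe})
    return records


# Constructed sample records (not real observations from the incident).
SAMPLE_RECORDS = [
    {"pid": 412, "argv0": "/usr/sbin/dropbear", "exe": "/usr/sbin/dropbear"},  # genuine
    {"pid": 987, "argv0": "/usr/sbin/dropbear", "exe": "/tmp/.x/a.out"},       # renamed
    {"pid": 1203, "argv0": "sshd", "exe": "/usr/sbin/sshd"},                   # genuine
    {"pid": 1440, "argv0": "sshd", "exe": "/var/tmp/x86 (deleted)"},           # renamed, unlinked
    {"pid": 1501, "argv0": "busybox", "exe": "/bin/busybox"},                  # out of scope
]

if __name__ == "__main__":
    print("suspicious PIDs in constructed sample:", flag_records(SAMPLE_RECORDS))
    print("suspicious PIDs on this host:", flag_records(collect_from_proc()))
```

Run it as root on the device to see every process; without root, processes owned by other users are silently skipped. A variant that sets the name only through prctl(PR_SET_NAME) would change /proc/<pid>/comm rather than cmdline, so a production check should read both files.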
Encrypted strings were also found in the sample; the decryption algorithm is a byte-by-byte XOR with 0xDEDEFFBA. At the point of use, each required string is decrypted individually, but only 4 of them are actually referenced:
Encrypted strings and the decryption algorithm
The first reference only outputs the corresponding string to the screen, while the two middle references operate on the watchdog process to prevent loss of control caused by a device restart:
Decrypt and reference
The remaining operations run in a loop: initiating the C2 connection (94.156.161.21:671), sending the platform device type, receiving the returned command and executing the corresponding module function. Compared with the leaked Gafgyt source code, the command format and flow have changed little, and the command format is still "!* Command [Parameters]".
Loop function code
In the processCmd function, a total of 14 commands are handled and the corresponding DDoS attacks are launched: "HTTP", "CUDP", "UDP", "STD", "JSC", "TCP", "SYN", "ACK", "CXMAS", "XMAS", "CVSE", "ALL", "CNC", "NIGGA"
Command screenshot
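Since the "!* Command [Parameters]" layout is unchanged from the leaked source, a responder who has captured the plaintext C2 session can decode what the bot was instructed to do. The Python below is an added example written for this article, not code from the sample or the lab. It assumes the first parameter of an attack command is the target address, as in the original Gafgyt command layout described further down (ip, port, time, ...); the capture text is constructed with documentation IP ranges.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# The 14 commands the sample answers to, as listed in the analysis above.
KNOWN_COMMANDS = {"HTTP", "CUDP", "UDP", "STD", "JSC", "TCP", "SYN", "ACK",
                  "CXMAS", "XMAS", "CVSE", "ALL", "CNC", "NIGGA"}
# Commands whose first parameter names a victim host (assumption based on
# the Gafgyt layout "<cmd> <ip> <port> <time> ..."); CNC switches the C2
# address and NIGGA stops running attacks, so they are excluded.
FLOOD_COMMANDS = KNOWN_COMMANDS - {"CNC", "NIGGA"}

_CMD_RE = re.compile(r"^!\*\s*(\S+)(?:\s+(.*))?$")


def parse_command(line: str) -> Optional[Dict[str, object]]:
    """Parse one '!* Command [Parameters]' line; None for anything else."""
    m = _CMD_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group(1)
    params: List[str] = (m.group(2) or "").split()
    entry: Dict[str, object] = {"command": cmd, "params": params,
                                "known": cmd in KNOWN_COMMANDS}
    if cmd in FLOOD_COMMANDS and params:
        entry["target"] = params[0]
    elif cmd == "CNC" and params:
        entry["new_c2"] = params[0]
    return entry


def summarize_stream(text: str) -> Dict[str, object]:
    """Walk a captured C2 text stream and tally what the bot was told to do."""
    parsed = [p for p in (parse_command(l) for l in text.splitlines()) if p]
    counts = Counter(str(p["command"]) for p in parsed)
    return {
        "commands": dict(counts),
        "targets": sorted({str(p["target"]) for p in parsed if "target" in p}),
        "new_c2": sorted({str(p["new_c2"]) for p in parsed if "new_c2" in p}),
        "unknown": sorted({str(p["command"]) for p in parsed if not p["known"]}),
    }


# Constructed capture (not real traffic) illustrating a short session.
SAMPLE_CAPTURE = """\
PING
!* UDP 192.0.2.10 80 60 0 1024 10
!* CUDP 192.0.2.10 53 60
!* CNC 198.51.100.7 671
!* NIGGA
!* FOOBAR 1 2 3
"""

if __name__ == "__main__":
    print(summarize_stream(SAMPLE_CAPTURE))
```

The "targets" list is the useful output for notification and blocking, while "new_c2" shows where the bot was told to reconnect, which matters when the original C2 address is sinkholed.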
Among them, the CUDP, UDP, JSC and TCP modules can all send random strings to the specified IP and port, and can also rebuild the TCP and UDP packets by constructing the IP header themselves to hide the source IP address.
Message structure
The prefix C is presumed to be an abbreviation of custom. Taking CUDP and UDP as examples: in the original version of Gafgyt, the parameters of the issued command include ip, port, time, spoofed, packet size, pollinterval and other field values and flag bits used to build the UDP packets. In this sample, however, the observed results show that these parameters are restricted to varying degrees, which can improve the flexibility of certain types of DDoS attack.
Comparison of CUDP and UDP
The functions of the other modules include adding a large number of User-Agent strings, which are used to launch HTTP CC attack commands:
CC attack
Also included are attacks against Valve Source Engine servers ("Source Engine" queries are part of the routine communication between clients and game servers that use Valve's software protocol):
Attack against the gaming industry
A CNC command that can switch the connection IP is included:
Switch connection IP
SYN and ACK attacks are included:
SYN and ACK attacks
UDP STD flood attacks are included:
STD attack
An XMAS attack is included (i.e. a Christmas tree attack, which sets all TCP flag bits to 1 and thereby consumes more of the target system's processing resources when it responds):
XMAS attack
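A segment with every flag bit lit is trivial to spot in a capture, which makes the XMAS and CXMAS modules easy to detect at the network edge. The Python below is an added example for this article, not code from the sample or the lab: it reads the flags byte of a raw TCP header, classifies it (all six classic flags set counts as XMAS, so a 0xFF byte qualifies as well), and tallies a constructed list of headers built with struct.pack.

```python
import struct
from typing import Dict, Iterable

# TCP flag bits as laid out in header byte 13.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG


def tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a raw TCP header (offset 13)."""
    if len(segment) < 20:
        raise ValueError("TCP header truncated")
    return segment[13]


def classify(flags: int) -> str:
    """Name the flag pattern; only the six classic bits decide the class."""
    core = flags & ALL_SIX
    if core == ALL_SIX:
        return "xmas"        # every flag lit, as described in the text above
    if core == 0:
        return "null"        # no flags at all, the mirror image of XMAS
    if core == SYN:
        return "syn"
    if core == ACK:
        return "ack"
    if core == (FIN | PSH | URG):
        return "xmas-light"  # the three-flag variant some scanners send
    return "other"


def build_segment(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Minimal 20-byte TCP header; used here only to construct test input."""
    data_offset = 5 << 4  # 5 words of header, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)


def count_by_class(segments: Iterable[bytes]) -> Dict[str, int]:
    """Histogram of flag classes over a batch of segments, e.g. from a pcap."""
    counts: Dict[str, int] = {}
    for seg in segments:
        cls = classify(tcp_flags(seg))
        counts[cls] = counts.get(cls, 0) + 1
    return counts


# Constructed headers (not captured traffic) covering the interesting cases.
SAMPLE_SEGMENTS = [
    build_segment(40000, 80, SYN),
    build_segment(40001, 80, ACK),
    build_segment(40002, 80, 0xFF),      # all eight bits, including ECE/CWR
    build_segment(40003, 80, ALL_SIX),   # all six classic bits
    build_segment(40004, 80, 0),
]

if __name__ == "__main__":
    print(count_by_class(SAMPLE_SEGMENTS))
```

On live traffic, a sustained "xmas" or "null" count from one source is a strong indicator, because no legitimate TCP stack emits either pattern; "syn" and "ack" alone need rate context before they mean anything.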
The NIGGA module is equivalent to the KILLATTK command in the original version: it stops the DDoS attacks by killing all child processes except the main process.
NIGGA module
Comparative analysis
The processCmd function that holds the main logic in the source code comprises the PING, GETLOCALIP, SCANNER, EMAIL, JUNK, UDP, TCP, HOLD, KILLATTK and LOLNOGTFO modules. Only simplified versions of the UDP and TCP modules are retained in the exploit variant captured this time.
As for the function that obtains the local IP, the original version reads the local IP from /proc/net/route and returns it through the GETLOCALIP module. The same functionality is present in this variant, but there is no GETLOCALIP module and no references to it are observed.
Get local IP
It is worth noting that this sample variant contains neither the original version's SCANNER module, used to brute-force SSH (port 22), nor the many "application/device" vulnerabilities that other variants integrate to spread via Payload. It can be seen that the attacker separated the propagation module into an independent program; after successfully logging in to the target host, it downloads the next-stage communication sample by executing shellcode, i.e. the sample analysed here.
Execute shellcode sample
Taking the samples obtained from the same source as an example, the attacker stripped the debugging information from most of the samples, except for a few, such as: x86.