Ihlose ku-inthanethi Yezinto, okuhlukile okusha kwe "I-Gaffyt" Kuvela iTrojani

Ihlose ku-inthanethi Yezinto, okuhlukile okusha kwe "I-Gaffyt" Kuvela iTrojani

Muva nje, I-Huorong Security Lab ithole isigameko sokungenwa yigciwane, okuqinisekiswe ukuthi kuhlukile kwegciwane le-Gafgyt Trojan ngemuva kophenyo nokuhlaziywa.

I-Gafgyt iwuhlelo lwe-IoT botnet olususelwe kuphrothokholi ye-IRC, ethelela kakhulu i-Linux-based Amadivayisi we-IoT ukwethula ukunqatshelwa kokusatshalaliswa kokuhlaselwa kwesevisi (I-DDoS). Ingumndeni omkhulu osebenzayo we-IoT botnet ngaphandle komndeni wakwaMirai.

Ngemuva kokuthi ikhodi yomthombo iputshuziwe futhi ilayishwe ku-GitHub ku 2015, kwavela izinhlobonhlobo ezihlukahlukene kanye nokuxhaphazayo ngokulandelana, okubeka engcupheni enkulu yokuvikeleka kubasebenzisi. Okwamanje, Imikhiqizo yezokuphepha ye-Huorong inganqanda futhi ibulale amagciwane ashiwo ngenhla. Abasebenzisi bebhizinisi bayacelwa ukuthi babuyekeze imininingwane yegciwane kusenesikhathi ukuze bavikeleke.

1. Ukuhlaziywa kwesampula
Igciwane kuqala liqamba kabusha inqubo yalo ukuze "/usr/sbin/dropbear" noma "sshd" ukuzifihla:

cubungula ukuqamba kabusha

Phakathi kwazo, iyunithi yezinhlamvu ebethelwe iyatholakala, futhi i-algorithm yokususa ukubethela i-byte XOR ye-0xDEDEFFBA. Lapho isetshenziswa, ezisetshenzisiwe kuphela ezisuswa ukubethela ngakunye, kodwa kuphela 4 empeleni kubhekiselwa kubo:

Iyunithi yezinhlamvu ebethelwe kanye ne-algorithm yokususa ukubethela

Ireferensi yokuqala iwukukhipha kuphela iyunithi yezinhlamvu ehambisanayo esikrinini, futhi izinkomba ezimbili ezimaphakathi ziyimisebenzi yenqubo ye-watchdog ukugwema ukulahlekelwa ukulawula ngenxa yokuqalisa kabusha idivayisi:

decrypt futhi ucaphune

Imisebenzi esele yenziwa ngeluphu, okuhlanganisa ukuqalisa uxhumano lwe-C2 (94.156.161.21:671), ukuthumela uhlobo lwedivayisi yesikhulumi, ukuthola umyalo wokubuyisela nokwenza umsebenzi wemojula ohambisanayo. Futhi uma kuqhathaniswa nekhodi yomthombo eputshuzwe ngu-Gafgy, ifomethi nokucutshungulwa komyalo akushintshile kakhulu, futhi ifomethi yomyalo isamile "!*Umyalo [Ipharamitha]"

ikhodi yokusebenza ye-loop

Kumsebenzi we-processCmd, ingqikithi ye 14 imiyalo iyaphendulwa futhi ukuhlaselwa kweDDOS okuhambisanayo kuyethulwa, kuhlanganise: "I-HTTP", "Isandiso se-CUDP", "I-UDP", "I-STD", "I-JSC", "I-TCP", "I-SYN" , "I-ACK", "I-CXMAS", "I-XMAS", "I-CVSE", "KONKE", "CNC", "I-NIGGA"

umyalo isithombe-skrini - Ukuphepha kwe-IoT

Phakathi kwazo, iCUDP, I-UDP, I-JSC, futhi amamojula e-TCP angathumela wonke amayunithi ezinhlamvu okungahleliwe ku-IP eshiwo kanye nembobo, futhi ingakha kabusha amaphakethe e-TCP nawe-UDP ngamakhanda e-IP azakhele wona ukuze afihle ikheli le-IP eliwumthombo.

ukwakheka komyalezo

Isiqalo C siqagelwa njengesifinyezo somkhuba. Ukuthatha i-CUDP ne-UDP njengezibonelo, enguqulweni yokuqala ye-Gafgyt, imingcele emyalweni okhishiwe ihlanganisa: ip, itheku, isikhathi, i-spoofed, usayizi wephakethe, i-pollinterval namanye amanani enkundla kanye nezingcezu zefulegi Ukuze kwakhiwe amaphakethe e-UDP. Kulesi sampula, nokho, imiphumela ephawuliwe ibonisa ukuthi ukusetshenziswa kwalawa mapharamitha kumazinga ahlukene okukhawulela, okungathuthukisa ukuguquguquka kwezinhlobo ezithile zokuhlaselwa kwe-DDOS.

Ukuqhathaniswa kwe-CUDP ne-UDP

Imisebenzi yamanye amamojula ihlanganisa ukungeza inombolo enkulu yeyunithi yezinhlamvu zomenzeli womsebenzisi, ezisetshenziselwa ukwethula imiyalo ye-HTTP yokuhlaselwa kwe-CC:

CC ukuhlasela

Ifakwe ekuhlaselweni okubhekiswe kumaseva we-Source Engine: ("Injini Yomthombo" imibuzo iyingxenye yokuxhumana kwansuku zonke phakathi kwamakhasimende kanye amaseva wegeyimu usebenzisa iphrothokholi yesoftware yeValve)

Ukuhlaselwa kwemboni yemidlalo

Kubandakanya imiyalo ye-CNC engashintsha uxhumano lwe-IP:

shintsha uxhumano lwe-IP

Kufaka phakathi ukuhlaselwa kwe-SYN ne-ACK:

Ukuhlasela kwe-SYN ne-ACK

Kubandakanya ukuhlaselwa kwezikhukhula kwe-UDP STD:

Ukuhlasela kwe-STD

Kubandakanya ukuhlasela kwe-XMAS: (leyo, Ukuhlasela kwesihlahla sikaKhisimusi, ngokusetha zonke izingcezu zefulegi ze-TCP zibe 1, ngaleyo ndlela kudla izinsiza zokucubungula izimpendulo ezengeziwe zohlelo oluqondiwe)

Ukuhlasela kwe-XMAS

Imojula ye-NIGGA ilingana nomyalo we-KILLATTK enguqulweni yokuqala, emisa ukuhlasela kwe-DoSS ngokubulala zonke izinqubo zezingane ngaphandle kwenqubo eyinhloko

Imodeli ye-NIGGA

Ukuhlaziya okuqhathanisayo
I-function processCmd egcina i-logic eyinhloko kukhodi yomthombo ihlanganisa i-PING, I-GETLOCALIP, ISIKENA, I-EMAIL, JUNK, I-UDP, I-TCP, BAMBA, KILLATTK, kanye namamojula we-LOLNOGTFO. Izinguqulo ezenziwe lula kuphela zamamojula e-UDP kanye ne-TCP ezihlala ndawonye ekwakhiweni okuhlukile okuthathwe ngalesi sikhathi. .

Futhi ekusebenzeni kokuthola i-IP yendawo, inguqulo yasekuqaleni ithola i-IP yendawo nge-/proc/net/route futhi iyibuyisele ngemojula ye-GETLOCALIP. Umsebenzi ofanayo wokuthola uyabonwa kulokhu okuhlukile, kodwa ayikho imojuli ye-GETLOCALIP futhi azikho izithenjwa ezibonwayo.

Thola i-IP yendawo

Kuyaqapheleka ukuthi ayikho inguqulo yoqobo yemojuli ye-SCANNER esetshenziselwa ukuqhuma i-SSH (itheku 22) kulolu hlobo lwesampula, futhi azikho ezinye izinhlobo ezishumeka okuningi "izinhlelo zokusebenza/idivayisi" ubungozi bokusabalalisa nge-Payload. Kungabonakala ukuthi umhlaseli uhlukanisa imojuli yokusakaza ibe izinhlelo ezizimele, futhi ngemva kokungena ngempumelelo kumsingathi wezisulu, uzolanda isampula yokuxhumana yesigaba esilandelayo ngokwenza i-shellcode, leyo, isampula yokuhlaziya.

Yenza isibonelo se-shellcode

Ukuthatha amasampula atholwe emthonjeni ofanayo njengesibonelo, umhlaseli ukhumule ulwazi lokususa iphutha kumasampuli amaningi, ngaphandle kwabambalwa, njenge: x86.