Targeting the Internet of Things: a new variant of the "Gafgyt" Trojan emerges
Recently, Huorong Security Lab discovered an intrusion incident which, after investigation and analysis, was confirmed to be a variant of the Gafgyt Trojan.
Gafgyt is an IoT botnet program based on the IRC protocol. It mainly infects Linux-based IoT devices and uses them to launch distributed denial-of-service (DDoS) attacks. Apart from the Mirai family, it is the largest active IoT botnet family.
After its source code was leaked and uploaded to GitHub in 2015, numerous variants and exploits appeared one after another, posing a serious security risk to users. At present, Huorong security products can intercept and remove the viruses described above. Enterprise users are asked to update their virus database promptly for protection.
1. Sample analysis
The virus first renames its own process to "/usr/sbin/dropbear" or "sshd" to disguise itself:
[Figure: process renaming]
The sample contains a table of encrypted strings; the decryption algorithm is a byte XOR with 0xDEDEFFBA. When the strings are used, only the one needed is decrypted each time, but only 4 of them are actually referenced:
[Figure: encrypted strings and the decryption algorithm]
The first reference only prints the corresponding string to the screen, while the two middle references are the watchdog-handling functions, used to avoid losing control of the bot when the device reboots:
[Figure: string decryption and references]
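As an added example (not code from the Huorong write-up or from the sample), the following helper reproduces the string-table decryption described above so an analyst can recover the strings from a dumped table. The page gives only the key 0xDEDEFFBA and calls the operation a byte XOR; the little-endian byte order of the repeating key and the NUL-free per-entry layout are assumptions made here, and the sample table is constructed from plaintexts the page names.

```python
import struct

# Key named in the write-up. Applying it byte-wise in little-endian order
# (0xBA, 0xFF, 0xDE, 0xDE, repeating) is an assumption of this example.
XOR_KEY = struct.pack("<I", 0xDEDEFFBA)


def xor_decode(blob: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR each byte with the repeating key; XOR is its own inverse,
    so the same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def decode_table(entries, key: bytes = XOR_KEY):
    """Decode each table entry independently (each assumed to start at
    key offset 0). Only entries that decode to printable ASCII are
    returned, so a wrong key shows up as an empty result rather than
    as silent garbage."""
    found = []
    for idx, enc in enumerate(entries):
        dec = xor_decode(enc, key)
        if dec and all(0x20 <= c < 0x7F for c in dec):
            found.append((idx, dec.decode("ascii")))
    return found


# Constructed sample table: plaintexts taken from the write-up, encrypted
# with the routine above. These are NOT bytes extracted from the real binary.
SAMPLE_TABLE = [xor_decode(s) for s in (b"/usr/sbin/dropbear", b"sshd", b"!*")]

if __name__ == "__main__":
    for idx, text in decode_table(SAMPLE_TABLE):
        print(idx, text)
```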
The remaining functions run in a loop: initializing the C2 connection (94.156.161.21:671), sending the bot's device type, receiving the returned command and executing the corresponding module function. Compared with the leaked Gafgyt source code, the command format and its processing have not changed much; the command format is still "!*Command [parameter]".
[Figure: loop function code]
In the processCmd function, a total of 14 commands are handled, each launching the corresponding DDoS attack: "HTTP", "CUDP", "UDP", "STD", "JSC", "TCP", "SYN", "ACK", "CXMAS", "XMAS", "CVSE", "ALL", "CNC", "NIGGA".
[Figure: command screenshot]
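To illustrate the "!*Command [parameter]" format and the 14-command handler just described, here is an added example (not from the Huorong write-up) that parses lines captured from a C2 session and flags which ones match this variant's command set, which is a simple building block for a network detection rule. The session lines are constructed and use documentation addresses; the parameter layout after the command name is treated as whitespace-separated tokens, an assumption of this example.

```python
import re

# The 14 command names the write-up lists for this variant's processCmd.
GAFGYT_COMMANDS = {
    "HTTP", "CUDP", "UDP", "STD", "JSC", "TCP", "SYN",
    "ACK", "CXMAS", "XMAS", "CVSE", "ALL", "CNC", "NIGGA",
}

# "!*" prefix, upper-case command name, optional parameters (format from the page).
CMD_RE = re.compile(rb"^!\*([A-Z]+)(?:\s+(.*))?$")


def parse_command(line: bytes):
    """Parse one C2 line; return (name, [params]) or None if it is not a command."""
    m = CMD_RE.match(line.strip())
    if not m:
        return None
    raw_params = m.group(2).split() if m.group(2) else []
    return m.group(1).decode("ascii"), [p.decode("ascii", "replace") for p in raw_params]


def scan_session(lines):
    """Tag every parsed command as known or unknown relative to this variant's handler.
    Unknown names still matching the prefix are worth a look: they may indicate a
    newer build of the same family."""
    hits = []
    for line in lines:
        parsed = parse_command(line)
        if parsed is None:
            continue
        name, params = parsed
        hits.append({"cmd": name, "params": params, "known": name in GAFGYT_COMMANDS})
    return hits


# Constructed session (TEST-NET addresses, not real infrastructure).
SAMPLE_SESSION = [
    b"PING",                          # keep-alive, not a "!*" command
    b"!*UDP 192.0.2.10 80 60",        # flood target, port, duration
    b"!*CNC 192.0.2.20 671",          # switch C2 connection
    b"!*NIGGA",                       # stop running attack processes
    b"!*FOO 1",                       # not in this variant's command set
]

if __name__ == "__main__":
    for hit in scan_session(SAMPLE_SESSION):
        print(hit)
```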
Among them, the CUDP, UDP, JSC and TCP modules can send arbitrary random strings to the specified IP and port, and can build TCP and UDP packets with self-constructed IP headers to hide the source IP address.
[Figure: packet structure]
The prefix C is presumed to be an abbreviation of Custom. Taking CUDP and UDP as examples: in the original version of Gafgyt, the parameters of the issued command include ip, port, time, spoofed, packet size, pollinterval and other field values and flag bits used to construct the UDP packets. In this sample, however, the marked results show that the use of these parameters is restricted to varying degrees, which may improve the flexibility of certain DDoS attack types.
[Figure: comparison of CUDP and UDP]
The functions of the other modules include adding a large number of user-agent strings, which are used to issue HTTP requests for CC attacks:
[Figure: CC attack]
Included are attacks targeting Source Engine servers ("Source Engine" queries are part of the everyday communication between clients and game servers that use Valve's software protocol):
[Figure: attack on gaming servers]
Included are CNC commands that can switch the C2 IP connection:
[Figure: switching the IP connection]
Included are SYN and ACK attacks:
[Figure: SYN and ACK attacks]
Included are UDP STD flood attacks:
[Figure: STD attack]
Included are XMAS attacks (that is, Christmas tree attacks, which set all TCP flag bits to 1 so that the target system consumes extra processing resources responding to them):
[Figure: XMAS attack]
The NIGGA module is equivalent to the KILLATTK command in the original version: it stops the DoS attack by killing all child processes except the main process.
[Figure: NIGGA module]
2. Comparative analysis
The processCmd function that holds the main logic in the leaked source code includes the PING, GETLOCALIP, SCANNER, EMAIL, JUNK, UDP, TCP, HOLD, KILLATTK and LOLNOGTFO modules. Only simplified versions of the UDP and TCP modules are retained in the variant captured this time.
As for the function that obtains the local IP, the original version reads the local IP from /proc/net/route and returns it through the GETLOCALIP module. The same retrieval function is present in this variant, but there is no GETLOCALIP module and no references to it are seen.
[Figure: obtaining the local IP]
It is worth noting that this variant sample contains neither the original version's SCANNER module, used to brute-force SSH (port 22), nor the propagation code of other variants that embed numerous "application/device" vulnerabilities to spread through a payload. It appears that the attacker has split the propagation module into a separate program: after successfully logging into a victim host, it downloads the next-stage communication sample by executing shellcode, and that sample is the one analyzed here.
[Figure: shellcode execution example]
Taking the samples obtained from the same source as an example, the attacker stripped the debugging information from most of them, with only a few exceptions, such as the x86 build.