Duqu - the malicious nesting doll

Introduction

On September 1, 2011, a file named ~DN1.tmp was uploaded to the VirusTotal service from Hungary. At the time it was flagged as malicious by only two antivirus engines, BitDefender and AVIRA. That is how the Duqu story began. Looking ahead, it must be said that the Duqu malware family was named after this very file. However, this file is an entirely standalone spyware module with keylogger functionality, installed, most likely, through a downloader/dropper chain, and it should be regarded only as a "payload" that Duqu loaded onto the machine, not as a Duqu module. One of the actual Duqu components was uploaded to VirusTotal only on September 9. Its distinctive feature was a driver carrying a digital signature issued to C-Media. Some experts immediately began drawing parallels with another well-known piece of malware, Stuxnet, which also used signed drivers. The number of Duqu-infected computers identified by antivirus companies around the world is in the dozens. Several companies claimed that Iran was the main target, but given how the infections are distributed, this cannot be confirmed.
In this case it is safer to speak only of a campaign, in the sense of the then-fashionable term APT (advanced persistent threat).

Infection mechanism

An investigation by experts from the Hungarian CrySyS group (Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics) led to the discovery of the dropper through which systems were infected. It is a Microsoft Word document exploiting a vulnerability in the win32k.sys driver (MS11-087, disclosed by Microsoft on December 13, 2011), in the code responsible for rendering TrueType (TTF) fonts. The exploit's shellcode rides on a font called 'Dexter Regular' embedded in the document, with Showtime Inc. listed as the font's creator. As you can see, the authors of Duqu are not without a sense of humour: Dexter is a serial killer, the protagonist of the television series of the same name produced by Showtime. Dexter kills (where possible) only criminals, that is, he breaks the law in the name of morality. Perhaps in this way the Duqu developers were hinting that they commit illegal acts for good reasons. The emails were sent in a targeted manner. Delivery probably used compromised (hacked) computers as relays to make tracing harder.
The Word document thus contained the following components:

  • text content;
  • an embedded font;
  • the exploit shellcode;
  • a driver;
  • an installer (DLL library).

On success, the exploit shellcode performs the following actions (in kernel mode):

  • it checks for reinfection: the presence of the 'CF4D' entry under the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1' is checked; if it is present, the shellcode terminates;
  • two files are decrypted: the driver (sys) and the installer (dll);
  • the driver is loaded; it injects the installer into the services.exe process and launches it;
  • finally, the shellcode overwrites itself with zeros in memory.

Because win32k.sys runs in the context of the privileged 'System' account, the Duqu developers elegantly solved both problems at once: unauthorized launch and privilege escalation (when the exploit runs under a user account with limited rights).
After gaining control, the installer decrypts, in memory, the data blocks contained inside it, namely:

  • the signed driver (sys);
  • the main module (dll);
  • the installer's configuration data (pnf).

The installer's configuration data specifies a date range (as two timestamps, start and end). The installer checks whether the current date falls within it, and if not, it terminates. The installer configuration also contains the file names under which the driver and the main module are saved. The main module is stored on disk in encrypted form.


To start Duqu automatically, a service is created for the driver file; the driver decrypts the main module on the fly using keys stored in the registry. The main module contains its own configuration block. On first launch this block is decrypted, the installation date is written into it, after which it is re-encrypted and saved by the main module. Thus, after a successful installation, three files remain on the infected system: the driver, the main module and the configuration data file, the last two stored on disk in encrypted form. All decryption is performed only in memory. This complicated installation scheme was used to reduce the likelihood of detection by antivirus software.

Main module

According to Kaspersky Lab, the main module (resource 302) was written with MSVC 2008 in pure C, but using an object-oriented approach. Such an approach is uncharacteristic of malware development. As a rule, such code is written in C to reduce size and to eliminate the implicit calls inherent in C++. Here there is a kind of symbiosis of the two. In addition, an event-driven architecture was used. Kaspersky Lab staff leaned toward the theory that the main module was written using a pre-processor extension that allows C code to be written in an object-oriented style.
The main module is responsible for receiving commands from the operators. Duqu offers several ways of interacting with it: over the HTTP and HTTPS protocols, and over a named pipe. For HTTP(S), the domain names of the command centers are specified, and operation through a proxy server is supported, with a username and password specified for it. For the pipe, an IP address and the pipe name are specified. This data is stored in the main module's configuration block (in encrypted form).
For the named-pipe channel, Duqu implements its own RPC server. It supports the following seven functions:

  • return the installed version;
  • inject a dll into the specified process and call the specified function;
  • inject a dll;
  • start a process by calling CreateProcess();
  • read the contents of the specified file;
  • write data to the specified file;
  • delete the specified file.

The named pipe can be used on a local network to distribute new modules and configuration data between Duqu-infected computers. In addition, Duqu can act as a proxy server for other infected computers (those that have no Internet access because of firewall settings at the gateway). Some Duqu variants lack the RPC functionality.

Known payloads

Symantec identified at least four types of payload modules downloaded on command from the Duqu command center.
Of these, only one was resident and compiled as an executable file (exe) stored on disk. The other three were implemented as dll libraries; they were loaded dynamically and executed in memory without being saved to disk.

The resident payload is a spyware module (infostealer) with keylogger functionality. Its upload to VirusTotal is what started the Duqu investigation. The core spying functionality resided in a resource, the first 8 kilobytes of which contain part of an image of the galaxy NGC 6745 (as a decoy). It is worth recalling here that in April 2011 some media outlets published reports (http://www.mehrnews.com/en/newsdetail.aspx?NewsID=1297506) that Iran had detected a certain piece of software called "Stars", without disclosing details of the incident. Perhaps it was exactly such a sample of the Duqu "payload" that was discovered in Iran at the time, hence the name "Stars".
The spyware module collected the following data:

  • the list of running processes, information about the current user and domain;
  • the list of logical drives, including network drives;
  • screenshots;
  • network interface addresses and the routing table;
  • a keystroke log file;
  • the names of open application windows;
  • the list of available network resources (shared resources);
  • a full list of files on all drives, including removable ones;
  • the list of computers in the "network neighborhood".

Another spyware module (infostealer) was a variant of the one just described, but compiled as a dll library; the keylogger functions, file listing and enumeration of computers in the domain were removed.
The next module (reconnaissance) collected system information:

  • whether the computer is part of a domain;
  • paths to the Windows system directories;
  • the operating system version;
  • the current user name;
  • the list of network adapters;
  • the system and local time, and the time zone.

The last module (lifespan extender) implemented a function to increase the value (stored in the main module's configuration file) of the number of days remaining until Duqu stops operating. By default this value is set to 30 or 36 days depending on the Duqu variant, and it is decremented by one each day.

Command centers

On October 20, 2011 (three days after information about the discovery was made public), the Duqu operators carried out a procedure to destroy the traces of the command centers' activity. The command centers were hosted on hacked servers around the world: in Vietnam, India, Germany, Singapore, Switzerland, the United Kingdom, the Netherlands and South Korea. Interestingly, all of the identified servers ran CentOS 5.2, 5.4 or 5.5, both 32-bit and 64-bit. Although all files related to the command centers' activity had been deleted, Kaspersky Lab experts were able to recover some data from LOG files in unallocated disk space. The most intriguing fact is that the attackers always replaced the default OpenSSH 4.3 package on the servers with version 5.8. This may indicate that an unknown vulnerability in OpenSSH 4.3 was used to hack the servers. Not all of the compromised systems were used as command centers. Some of them, judging by errors in the sshd logs when attempting to forward traffic to ports 80 and 443, were used as proxy servers for connecting to the final command centers.
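As an added example (not code from the original article, Kaspersky Lab or Symantec), here is how an analyst might hunt through an sshd log for the port-forwarding failures described above. The message format `error: connect_to <host> port <port>: failed.` is the one OpenSSH's channels.c emits when a forwarded connection cannot be established; the log lines themselves are constructed for the example, and the host name and addresses in them are placeholders.

```python
"""Hunt for SSH servers abused as traffic relays to web ports.

Added example, not Duqu analysis code.  OpenSSH logs a failed port forward as
'error: connect_to <host> port <port>: failed.'; repeated failures toward 80/443
from one sshd session are the symptom the investigators used.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List

FORWARD_FAIL = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: connect_to (?P<host>\S+) port (?P<port>\d+): failed\."
)
WEB_PORTS = {80, 443}

# Constructed sample lines in syslog layout; host/IPs are placeholders, not real Duqu servers.
SAMPLE_LOG = """\
Oct 18 03:12:44 c2relay sshd[2231]: Accepted publickey for root from 198.51.100.7 port 51022 ssh2
Oct 18 03:12:45 c2relay sshd[2231]: error: connect_to 192.0.2.10 port 443: failed.
Oct 18 03:12:46 c2relay sshd[2231]: error: connect_to 192.0.2.10 port 443: failed.
Oct 18 03:13:01 c2relay sshd[2231]: error: connect_to 192.0.2.10 port 80: failed.
Oct 18 03:20:10 c2relay sshd[2290]: error: connect_to 203.0.113.5 port 22: failed.
Oct 18 04:00:00 c2relay sshd[2301]: Received disconnect from 198.51.100.7: 11: disconnected by user
"""


def forward_failures(log_text: str) -> Dict[str, Dict[int, int]]:
    """Return {target_host: {port: count}} for failed forwards to web ports only.

    Forwards to other ports (e.g. 22) are ignored: they are not the relay pattern.
    """
    hits: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FORWARD_FAIL.search(line)
        if not m:
            continue
        port = int(m.group("port"))
        if port in WEB_PORTS:
            hits[m.group("host")][port] += 1
    return {host: dict(counts) for host, counts in hits.items()}


def likely_relay_targets(log_text: str, threshold: int = 2) -> List[str]:
    """Hosts that an operator repeatedly tried to reach through this server.

    `threshold` is a tunable assumption: two or more web-port failures toward the
    same host is already worth a look on a box that should not be forwarding at all.
    """
    return [
        host
        for host, ports in forward_failures(log_text).items()
        if sum(ports.values()) >= threshold
    ]


if __name__ == "__main__":
    for host, ports in forward_failures(SAMPLE_LOG).items():
        print(host, ports)
    print("relay candidates:", likely_relay_targets(SAMPLE_LOG))
```

On a real server the same scan runs over `/var/log/secure` (CentOS) with the file contents in place of `SAMPLE_LOG`; the targets it surfaces are the next hop to pivot on, exactly as the investigators did to separate relays from the final command centers.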

Dates and modules

The Word document distributed in April 2011 and analyzed by Kaspersky Lab contained an installer dropper driver with a compile date of August 31, 2007. A similar driver (size 20608 bytes, MD5 EEDCA45BD613E0D9A9E5C69122007F17) in the document obtained by the CrySyS laboratory has a compile date of February 21, 2008. In addition, Kaspersky Lab experts found an autorun driver rndismpc.sys (size 19968 bytes, MD5 9AEC6E10C5EE9C05BED93221544C783E) dated January 20, 2008. No components dated 2009 were found. Judging by the compile timestamps of the Duqu components, its development may have started as early as 2007. The earliest trace of its activity is associated with the discovery of temporary files of the ~DO type (probably created by one of the spyware modules), created on November 28, 2008 (see the article "Duqu & Stuxnet: A Timeline of Interesting Events"). The latest date associated with Duqu is February 23, 2012, contained in an installer dropper driver discovered by Symantec in March 2012.
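The galaxy-image decoy from the payload section and the compile dates and MD5 hashes used here to date the samples both come down to one triage routine: confirm that a blob really contains a PE image and read its COFF header. The following is an added example, not code from the article, Kaspersky Lab or Symantec. It assumes, for illustration only, that the data behind the 8 KB decoy is an unencrypted PE (the article does not describe Duqu's resource layout beyond the image); the sample blob is constructed inside the block. One caveat a practitioner should keep in mind: the COFF TimeDateStamp is written by the linker and can be edited at will, so compile timestamps like those above are evidence of a timeline, not proof.

```python
"""Triage helper: find a PE image behind a JPEG decoy, read its compile
timestamp and hash it.  Added example, not Duqu's code.

Assumption for illustration: the bytes after the 8 KB image are a plain PE.
MD5 is computed only because the article lists MD5s; prefer SHA-256 today.
"""
import hashlib
import struct
from datetime import datetime, timezone
from typing import Dict, Optional

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
DECOY_LEN = 8 * 1024          # the payload kept 8 KB of picture in front


def find_pe_offset(blob: bytes, start: int = 0) -> Optional[int]:
    """Offset of the first *well-formed* PE at or after `start`, else None.

    'MZ' alone is not enough: the DOS header's e_lfanew must point at a
    'PE\\0\\0' signature inside the buffer.  This rejects stray 'MZ' bytes.
    """
    pos = blob.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if pe + 24 <= len(blob) and blob[pe:pe + 4] == b"PE\x00\x00":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return None


def pe_compile_time(blob: bytes, pe_base: int) -> datetime:
    """COFF TimeDateStamp: 4 bytes at PE signature + 8 (after Machine, NumberOfSections)."""
    e_lfanew = struct.unpack_from("<I", blob, pe_base + 0x3C)[0]
    ts = struct.unpack_from("<I", blob, pe_base + e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def triage(blob: bytes) -> Dict[str, object]:
    """Summarise a resource blob: hash, decoy check, embedded PE and its build time."""
    report: Dict[str, object] = {
        "md5": hashlib.md5(blob).hexdigest(),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "jpeg_decoy": blob.startswith(JPEG_SOI),
        "pe_offset": None,
        "compile_time": None,
    }
    off = find_pe_offset(blob)
    if off is not None:
        report["pe_offset"] = off
        report["compile_time"] = pe_compile_time(blob, off).isoformat()
    return report


def build_sample() -> bytes:
    """Constructed test blob (not a real Duqu resource): a JPEG-looking prefix
    padded to 8 KB with a stray 'MZ' planted in it, followed by a minimal PE
    whose COFF timestamp is 2008-02-21 00:00:00 UTC (the CrySyS driver's date)."""
    decoy = bytearray(JPEG_SOI + b"\xe0\x00\x10JFIF\x00")
    decoy += b"\x00" * (DECOY_LEN - len(decoy))
    decoy[100:102] = b"MZ"                       # must not fool the scanner
    ts = int(datetime(2008, 2, 21, tzinfo=timezone.utc).timestamp())
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)      # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> PE signature at 0x40
    # PE\0\0 + COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x2102)
    return bytes(decoy) + bytes(dos) + coff + b"\x00" * 0xE0


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Run against a carved resource (`triage(open(path, "rb").read())`) the report tells you whether the leading bytes are picture, where the executable actually starts, and what date its linker claims; cross-check that date against file-system and network timestamps before letting it anchor a timeline.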

Sources used:

the series of articles on Duqu from Kaspersky Lab;
Symantec's analytical report "W32.Duqu: The precursor to the next Stuxnet", version 1.4, November 2011 (pdf).

source: www.habr.com
