Drovorub malware targets Linux systems

The US National Security Agency and the Federal Bureau of Investigation have published a report according to which the 85th Main Special Service Center of the Main Directorate of the General Staff of the Russian Armed Forces (85th GTsSS GRU) uses a sophisticated malware toolset called "Drovorub". Drovorub consists of a rootkit in the form of a Linux kernel module, a tool for file transfer and network port forwarding, and a control server. The client component can download and upload files, execute arbitrary commands as the root user, and forward ports to other network nodes.

The Drovorub control server receives the path to a JSON-format configuration file as a command-line argument:

{
"db_host":" ",
"db_port":" ",
"db_db":" ",
"db_user":" ",
"db_password":" ",

"lport":" ",
"lhost":" ",
"ping_sec":" ",

"priv_key_file":" ",
"phrase":" "
}

The MySQL DBMS is used as the backend. The WebSocket protocol is used for client connections.

The client has a built-in configuration that includes the server URL, an RSA public key, a username and a password. After the rootkit is installed, the configuration is stored as a JSON text file, which the Drovorub kernel module hides from the system:

{
"id" : "cbcf6abc-466b-11e9-853b-000c29cb9f6f",
"key": "Y2xpZW50a2V5"
}

Here "id" is a unique key issued by the server, whose last 48 bits match the MAC address of the server's network interface. The default value of "key" is the base64-encoded string "clientkey", which the server uses during the initial handshake. In addition, the configuration file may contain information about hidden files, modules and network ports:

{
"id" : "6fa41616-aff1-11ea-acd5-000c29283bbc",
"key": "Y2xpZW50a2V5",
"monitor": {
"file": [
{
"active": "true",
"id" : "d9dc492b-5a32-8e5f-0724-845aa13fff98",
"mask": "testfile1"
}
],
"module": [
{
"active": "true",
"id" : "48a5e9d0-74c7-cc17-2966-0ea17a1d997a",
"mask": "testmodule1"
}
],
"net": [
{
"active": "true",
"id" : "4f355d5d-9753-76c7-161e-7ef051654a2b",
"port": "12345",
"protocol": "tcp"
}
]}
}

Another Drovorub component is the agent; its configuration file contains the information needed to connect to the server:

{
"client_login": "user123",
"client_pass": "pass4567",
"clientid": "e391847c-bae7-11ea-b4bc-000c29130b71",
"clientkey_base64" : "Y2xpZW50a2V5",
"pub_key_file" :"public_key",
"server_host": "192.168.57.100",
"server_port":"45122",
"server_uri":"/ws"
}

The "clientid" and "clientkey_base64" fields are initially absent; they are added after the first registration with the server.

After installation, the following actions are performed:

  • the kernel module is loaded and registers hooks for system calls;
  • the client registers with the kernel module;
  • the kernel module hides the running client process and its executable file on disk.

A pseudo-device, such as /dev/zero, is used for communication between the client and the kernel module. The kernel module parses all data written to the device, and to transfer data in the other direction it sends the SIGUSR1 signal to the client, which then reads the data from the same device.

To detect Drovorub, you can use network traffic analysis with a NIDS (anomalous network activity cannot be detected on the infected system itself, since the kernel module hides the network sockets it uses, the netfilter rules, and the packets that could be captured via raw sockets). On a system where Drovorub is installed, you can detect the kernel module by sending it a command to hide a file:

touch testfile
echo "ASDFZXCV:hf:testfile" > /dev/zero
ls

The newly created file "testfile" becomes invisible.

Other detection methods include memory and disk content analysis. To prevent infection, it is recommended to enable mandatory signature verification of the kernel and its modules, available since Linux kernel version 3.7.

The report contains Snort rules for detecting Drovorub network activity and Yara rules for detecting its components.

Recall that the 85th GTsSS GRU (military unit 26165) is associated with the APT28 (Fancy Bear) group, which is responsible for numerous cyberattacks.
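The following script is an added example, not part of the original article or the NSA/FBI report. It automates the file-hiding probe described above and checks the recommended mitigation, reading module signature enforcement from the sysfs parameter exposed by kernels built with CONFIG_MODULE_SIG (the sysfs path is assumed here; it is not mentioned on the page):

```shell
#!/bin/sh
# Added example (not from the original article). Safe to run as any user:
# on a clean host, writes to /dev/zero are discarded and the probe file
# stays visible; if the Drovorub kernel module is loaded, it parses the
# command and the file disappears from directory listings.

# Create a temporary file, send the "hide file" command quoted in the
# article to /dev/zero, and check whether the file is still listed.
# Prints "visible" (clean, exit 0) or "hidden" (module reacted, exit 1).
drovorub_hide_probe() {
  dir=$(mktemp -d) || return 2
  name="drvprobe_$$"
  : > "$dir/$name"
  # ASDFZXCV:hf:<filename> is the command format shown on the page
  printf 'ASDFZXCV:hf:%s\n' "$name" > /dev/zero
  if ls -a "$dir" | grep -qx "$name"; then
    result=visible
  else
    result=hidden
  fi
  rm -rf "$dir" 2>/dev/null
  echo "$result"
  [ "$result" = visible ]
}

# Mitigation check: kernel module signature enforcement is exposed as
# /sys/module/module/parameters/sig_enforce (Y or N) when the kernel is
# built with CONFIG_MODULE_SIG. Prints Y, N, or "unknown" if absent
# (e.g. inside a container or on a kernel without module signing).
modsig_enforce_status() {
  f=/sys/module/module/parameters/sig_enforce
  if [ -r "$f" ]; then
    cat "$f"
  else
    echo unknown
  fi
}
```

A "hidden" result is a strong indicator of the rootkit and should be followed by memory and disk analysis from a trusted environment, since the infected kernel cannot be relied on to report its own state.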

source: budenet.ru