The Drovorub malware complex for Linux

The US National Security Agency and the Federal Bureau of Investigation have published a report stating that the 85th Main Special Service Center of the Main Directorate of the General Staff of the Russian Armed Forces (85 GTsSS GRU) is using a malware complex named "Drovorub". Drovorub consists of a rootkit in the form of a Linux kernel module, a tool for transferring files and forwarding network ports, and a control server. The client component can download and upload files, execute commands as the root user, and forward network ports to other network hosts.

The Drovorub control server receives the path to a configuration file in JSON format as a command-line argument:

{
"db_host" : " ",
"db_port" : " ",
"db_db" : " ",
"db_user" : " ",
"db_password" : " ",

"lport" : " ",
"lhost" : " ",
"ping_sec" : " ",

"priv_key_file" : " ",
"phrase" : " "
}

The MySQL DBMS is used as the backend. Clients connect over the WebSocket protocol.

The client is built with a predefined configuration, including the server URL, the server's public RSA key, a user name and a password. After the rootkit is installed, the configuration is saved as a text file in JSON format, which the Drovorub kernel module hides from the system:

{
"id" : "cbcf6abc-466b-11e9-853b-000c29cb9f6f",
"key" : "Y2xpZW50a2V5"
}

Here "id" is a unique identifier issued by the server, whose last 48 bits correspond to the MAC address of the server's network interface. The default value of the "key" parameter is the base64-encoded string "clientkey", which the server uses during the initial handshake. The configuration file may additionally contain information about hidden files, modules and network ports:

{
"id" : "6fa41616-aff1-11ea-acd5-000c29283bbc",
"key" : "Y2xpZW50a2V5",
"monitor" : {
"file" : [
{
"active" : "true",
"id" : "d9dc492b-5a32-8e5f-0724-845aa13fff98",
"mask" : "testfile1"
}
],
"module" : [
{
"active" : "true",
"id" : "48a5e9d0-74c7-cc17-2966-0ea17a1d997a",
"mask" : "testmodule1"
}
],
"net" : [
{
"active" : "true",
"id" : "4f355d5d-9753-76c7-161e-7ef051654a2b",
"port" : "12345",
"protocol" : "tcp"
}
]
}
}

Another Drovorub component is the agent; its configuration file holds the data needed to connect to the server:

{
"client_login" : "user123",
"client_pass" : "pass4567",
"clientid" : "e391847c-bae7-11ea-b4bc-000c29130b71",
"clientkey_base64" : "Y2xpZW50a2V5",
"pub_key_file" : "public_key",
"server_host" : "192.168.57.100",
"server_port" : "45122",
"server_uri" : "/ws"
}

The "clientid" and "clientkey_base64" fields are absent initially; they are added after the first registration with the server.
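The client and agent configuration files described above are plain JSON, so they are easy to recognise during disk-content analysis once the rootkit is no longer hiding them. The following checker is an added example (not code from the report or from opennet.ru): it parses a Drovorub-style client configuration, recovers the server MAC address from the last 48 bits of the "id", flags the default "clientkey" value, and lists the active file, module and port masks. The sample configuration embedded below is constructed from the values quoted above.

```python
import base64
import json
import uuid

# Constructed sample in the client-config layout quoted above (not a real capture).
SAMPLE_CLIENT_CONFIG = """{
  "id": "6fa41616-aff1-11ea-acd5-000c29283bbc",
  "key": "Y2xpZW50a2V5",
  "monitor": {
    "file":   [{"active": "true", "id": "d9dc492b-5a32-8e5f-0724-845aa13fff98", "mask": "testfile1"}],
    "module": [{"active": "true", "id": "48a5e9d0-74c7-cc17-2966-0ea17a1d997a", "mask": "testmodule1"}],
    "net":    [{"active": "true", "id": "4f355d5d-9753-76c7-161e-7ef051654a2b", "port": "12345", "protocol": "tcp"}]
  }
}"""

# The default "key" is the base64 encoding of the literal string "clientkey".
DEFAULT_KEY = base64.b64encode(b"clientkey").decode()  # "Y2xpZW50a2V5"


def server_mac_from_id(client_id: str) -> str:
    """The server-issued id carries the MAC of the server's NIC in its last 48 bits."""
    node = uuid.UUID(client_id).node  # low 48 bits of the UUID
    return ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def _active(entries: list) -> list:
    """Keep only monitor entries whose "active" flag is the string or bool true."""
    return [e for e in entries if str(e.get("active")).lower() == "true"]


def analyse_client_config(text: str) -> dict:
    """Return indicators worth recording if `text` has the Drovorub client-config shape."""
    try:
        cfg = json.loads(text)
        if not isinstance(cfg, dict) or "id" not in cfg or "key" not in cfg:
            return {"match": False}
        server_mac = server_mac_from_id(str(cfg["id"]))
    except ValueError:  # not JSON, or "id" is not a UUID
        return {"match": False}
    monitor = cfg.get("monitor", {}) if isinstance(cfg.get("monitor"), dict) else {}
    return {
        "match": True,
        "server_mac": server_mac,
        "default_key": cfg["key"] == DEFAULT_KEY,
        "hidden_files": [e["mask"] for e in _active(monitor.get("file", []))],
        "hidden_modules": [e["mask"] for e in _active(monitor.get("module", []))],
        "hidden_ports": [f"{e['protocol']}/{e['port']}" for e in _active(monitor.get("net", []))],
    }
```

Run against files recovered from a disk image, a match with the default key and a server MAC matching the VMware prefix seen in the samples above is a strong lead for further triage; the "hidden_ports" list tells you which sockets the kernel module was hiding on the live system.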

After configuration, the following steps take place:

  • the kernel module is loaded and registers hooks on system calls;
  • the client registers with the kernel module;
  • the kernel module hides the running client process and its executable file on disk.

A pseudo-device, for example /dev/zero, is used for communication between the client and the kernel module. The kernel module parses all data written to the device; for transfers in the opposite direction it sends the SIGUSR1 signal to the client, which then reads the data from the same device.

Drovorub can be detected by analysing network traffic with a NIDS (malicious network activity cannot be detected on the infected system itself, because the kernel module hides the network sockets it uses, its netfilter rules, and packets that could otherwise be captured through raw sockets). On a system where Drovorub is installed, the kernel module can be detected by sending it the command to hide a file:

touch testfile
echo "ASDFZXCV:hf:testfile" > /dev/zero
ls

The newly created file "testfile" becomes invisible.

Other detection methods include analysis of memory and of disk contents. To prevent infection, it is recommended to enable mandatory signature verification of the kernel and its modules, available since Linux kernel version 3.7.

The report includes Snort rules for detecting Drovorub network activity and Yara rules for detecting its components.

Recall that the 85th GTsSS GRU (military unit 26165) is associated with the APT28 (Fancy Bear) group, responsible for numerous cyber attacks.

Source: opennet.ru