Introduction

On September 1, 2011, a file named ~DN1.tmp was submitted from Hungary to the VirusTotal website. At that point only two antivirus engines, BitDefender and AVIRA, detected the file as malicious. This is how the story of Duqu began. Looking ahead, it can be said that the Duqu malware family was named after this file. However, this file is a completely independent spyware module with keylogger functionality, and it can only be regarded as a payload loaded at run time by the Duqu malware, which is installed by a malicious downloader (dropper), not as a component (module) of Duqu itself. One of the Duqu components proper was submitted to the VirusTotal service only later. Its characteristic feature was a driver digitally signed by C-Media. Some experts immediately began to look for similarities with Stuxnet, another well-known malware example, since Stuxnet had also used signed drivers. The total number of computers infected with Duqu, as detected by various antivirus companies around the world, is several dozen. Many companies claim that Iran is once again the main target, but judging by the geographical distribution of infections this is not certain. In this case, the only thing that can be said with confidence is that this is a new word in attacks on companies.

System installation procedure

An investigation by experts from the Hungarian organization CrySyS (Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics) discovered the installer (dropper) that infected the system. It was a Microsoft Word file exploiting a vulnerability in the win32k.sys driver responsible for the TTF font rendering mechanism (MS11-087, described by Microsoft on December 13, 2011). The exploit shellcode used a font named "Dexter Regular" embedded in the document, with Showtime Inc. listed as the font's author. As you can see, Duqu's creators had a good sense of humor: Dexter is a serial killer, the protagonist of the Showtime television series of the same name. Dexter kills (where possible) only criminals, i.e. he breaks the law in the name of lawfulness. Perhaps in this way the Duqu developers were hinting that they engage in illegal activity for good purposes. The emails were sent in a targeted manner; the mailing most likely used compromised (hacked) computers as intermediaries to make tracing difficult.

Thus, the Word document contained the following components:
- text content;
- an embedded font;
- the exploit shellcode;
- a driver;
- an installer (DLL library).

On success, the exploit shellcode performed the following actions (in kernel mode):
- It checked for a prior infection. To do this it looked for the key "CF1D" under the registry path "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"; if it was present, the shellcode finished execution.
- It decrypted two files: the driver (sys) and the installer (dll).
- It injected the driver into the services.exe process and started the installer.
- Finally, the shellcode erased itself, leaving zeros in memory.

Since win32k.sys runs on behalf of the privileged "System" user, the Duqu developers elegantly solved two problems at once: unauthorized launch and privilege escalation (when run from a user account with limited rights).

After gaining control, the installer decrypted the following three data blocks contained in memory:
- a signed driver (sys);
- the main module (dll);
- installer configuration data (pnf).

The installer configuration data specifies a date range (as two timestamps, start and end). The installer checks whether the current date falls within it and, if not, finishes execution. The installer configuration data also contains the names under which the driver and the main module are saved. The main module is saved to disk in encrypted form.

To auto-start Duqu, a service is created using the driver file, which decrypts the main module on the fly using a key stored in the registry. The main module contains its own configuration data block; on first start it is decrypted, the installation date is entered, and it is then re-encrypted and saved by the main module. Thus, after a successful installation an affected system holds three files: the driver, the main module and its configuration data file, the last two stored on disk in encrypted form. All decoding procedures are performed only in memory. This complex installation procedure was used to minimize the chance of detection by antivirus software.
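The two gates described above (the registry marker for a prior infection and the date window in the installer configuration) decide whether the dropper does anything at all, which is why a sample detonated after its window has closed can look inert. The following Python model replays both gates over an offline registry snapshot and lets a defender sweep exported snapshots for the marker. It is an added illustration, not code from the article or from Duqu; the snapshot layout, the sample window and the host names are constructed, and the inclusive comparison on the window is an assumption.

```python
from datetime import date

# Registry location and entry name that the exploit shellcode checks for a
# prior infection (path and name as given in the article).
MARKER_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
              r"\Internet Settings\Zones\4")
MARKER_VALUE = "CF1D"


def marker_present(registry: dict) -> bool:
    """registry is an offline snapshot {key_path: {entry_name: data}} built by
    the analyst (constructed layout), not a live hive."""
    return MARKER_VALUE in registry.get(MARKER_KEY, {})


def within_window(today: date, start: date, end: date) -> bool:
    """The installer configuration carries two timestamps (start and end); the
    installer proceeds only when the current date lies between them.
    Inclusive bounds are an assumption here."""
    return start <= today <= end


def installer_outcome(registry: dict, today: date, start: date, end: date) -> str:
    """Replay the two gates in the order the article describes them."""
    if marker_present(registry):
        return "exit: marker present (already infected)"
    if not within_window(today, start, end):
        return "exit: outside configured date window"
    return "proceed: decrypt driver, main module and pnf"


def hosts_with_marker(snapshots: dict) -> list:
    """Defender side: sweep exported snapshots {hostname: registry} and list
    the hosts carrying the infection marker."""
    return sorted(host for host, reg in snapshots.items() if marker_present(reg))


# Constructed sample data for a stand-alone run (not real configuration values).
CLEAN = {MARKER_KEY: {"1A00": 0x1000}}                      # ordinary zone setting only
INFECTED = {MARKER_KEY: {"1A00": 0x1000, MARKER_VALUE: b"\x01"}}
WINDOW = (date(2011, 8, 1), date(2011, 8, 31))             # hypothetical window
DAY_IN_WINDOW = date(2011, 8, 10)
DAY_AFTER_WINDOW = date(2011, 10, 1)

if __name__ == "__main__":
    for name, reg, day in [("clean, in window", CLEAN, DAY_IN_WINDOW),
                           ("clean, after window", CLEAN, DAY_AFTER_WINDOW),
                           ("marker present", INFECTED, DAY_IN_WINDOW)]:
        print(f"{name:20s} -> {installer_outcome(reg, day, *WINDOW)}")
    print("hosts with marker:", hosts_with_marker({"ws01": CLEAN, "ws02": INFECTED}))
```

When a dropper of this kind does nothing in a sandbox, the window is the first thing to check: the start and end timestamps come out of the decrypted pnf block, and the sandbox clock has to be set inside them before the installer will proceed to the decryption stage.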
Main module

The main module (resource 302) is responsible for the procedures for receiving commands from the operator. Duqu provides several communication methods, including the HTTP and HTTPS protocols and named pipes. For HTTP(S), the domain name of the command center is specified; working through a proxy server is supported, with a username and password specified. For the channel, an IP address and its name are specified. The specified data is stored (in encrypted form) in the main module's configuration data block.

To use named pipes, its own RPC server implementation is started. It supported the following 7 functions:
- return the installed version;
- inject a DLL into the specified process and call the specified function;
- load a DLL;
- start a process by calling CreateProcess();
- read the contents of the specified file;
- write data to the specified file;
- delete the specified file.

Named pipes could be used within the local network to distribute updated modules and configuration data between Duqu-infected computers. In addition, Duqu could act as a proxy server for other infected computers (those without Internet access because of the gateway firewall settings). Some versions of Duqu had no RPC functionality at all.
Known payloads

Symantec discovered at least 4 types of payload downloaded on command from the Duqu control center. Moreover, only 1 of them was compiled as a resident executable file (exe) and saved to disk; the remaining 3 were implemented as dll libraries, loaded dynamically and executed in memory without being saved to disk.

The resident payload is a spy module (infostealer) with keylogger functionality. It was the submission of this module to VirusTotal that started the Duqu research effort. The main spy functions are located in a resource whose first 8 kilobytes contain part of a photograph of the galaxy NGC 6745 (for camouflage). Incidentally, in 2012 some media reported (http://www.mehrnews.com/en/newsdetail.aspx?NewsID=1297506) that Iran had been attacked by some malware called "Stars"; the details were not disclosed and the incident was never clarified, but it was probably exactly this sample of the Duqu payload that was discovered in Iran at the time, hence the name "Stars".

The spy module collected the following information:
- a list of running processes, information about the current user and domain;
- a list of logical drives, including network drives;
- screenshots;
- network interface addresses and routing tables;
- a log file of keyboard keystrokes;
- the names of open application windows;
- a list of available network resources (shared resources);
- a full list of files on all disks, including removable disks;
- a list of computers in the "network neighborhood".

Another spy module (infostealer) is a variation of the one already described; it is compiled as a DLL library, and the functions of listing files, listing the computers in the domain and keylogging have been removed.

The next module (reconnaissance) collected system information:
- whether the computer is part of a domain;
- the path to the Windows system directory;
- the operating system version;
- the current user name;
- a list of network adapters;
- the system time, local time and time zone.

The last module (lifetime extender) implements a function that increases the value of the number of days remaining until the job finishes (stored in the main module's configuration data file). By default this value is set to 30 or 36 days, depending on the Duqu variant, and decreases by one each day.

Command center

On October 20, 2011 (two days after the news of the discovery spread), the Duqu operators carried out a procedure to destroy the traces of the command centers' operation. The command centers were located on hacked servers around the world: in Vietnam, India, Germany, Singapore, Switzerland, the UK, the Netherlands, South Korea and elsewhere. Interestingly, all of the identified servers were running CentOS version 5.2, 5.4 or 5.5, both 32-bit and 64-bit. Despite the fact that all files related to the command center's operation had been deleted, Kaspersky Lab experts managed to recover part of the information from LOG files in unallocated space. The most interesting fact is that on the servers the attackers always replaced the default OpenSSH 4.3 package with version 5.8. This may indicate that an unknown vulnerability in OpenSSH 4.3 was used to hack the servers. Not all systems were used as command centers; judging by the errors in the sshd logs when attempting to redirect traffic to ports 80 and 443, some were used as proxy servers for connecting to the final command center.
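The last observation above, that sshd log errors about forwarding to ports 80 and 443 betrayed which servers were relays rather than end points, is a check a responder can automate. The Python below joins each forwarding failure to the login that opened the same sshd session (same pid) and lists sessions that repeatedly tried to reach one upstream host on a web port. It is an added example, not code from the article or from Kaspersky's investigation; the log lines are constructed, the addresses are documentation ranges, and the "error: connect_to HOST port PORT: failed." message shape is assumed to match what OpenSSH writes when a requested port forward cannot be established.

```python
import re
from collections import defaultdict

# Constructed sshd log lines in syslog style (not from any real server).
SAMPLE_SSHD_LOG = """\
Oct 19 03:12:44 srv1 sshd[2231]: Accepted publickey for root from 198.51.100.7 port 40112 ssh2
Oct 19 03:12:51 srv1 sshd[2231]: error: connect_to 203.0.113.10 port 443: failed.
Oct 19 03:13:02 srv1 sshd[2231]: error: connect_to 203.0.113.10 port 80: failed.
Oct 19 03:13:09 srv1 sshd[2231]: error: connect_to 203.0.113.10 port 443: failed.
Oct 19 04:01:13 srv1 sshd[2290]: Accepted password for admin from 192.0.2.5 port 50211 ssh2
Oct 19 04:01:20 srv1 sshd[2290]: error: connect_to 203.0.113.44 port 22: failed.
"""

# Login line: ties an sshd pid to the source address and user of the session.
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
# Forwarding failure line (assumed OpenSSH wording).
CONNECT_TO_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: connect_to (?P<host>\S+) port (?P<port>\d+): failed")


def forward_failures(log_text, web_ports=(80, 443)):
    """Return {(src_ip, user): {upstream_host: count}} counting failed forwards
    to web ports, attributed to the login that opened the same sshd session."""
    session = {}                                   # pid -> (src, user)
    result = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            session[m["pid"]] = (m["src"], m["user"])
            continue
        m = CONNECT_TO_RE.search(line)
        if m and int(m["port"]) in web_ports and m["pid"] in session:
            result[session[m["pid"]]][m["host"]] += 1
    return {key: dict(hosts) for key, hosts in result.items()}


def proxy_candidates(log_text, threshold=2):
    """Sessions that tried at least `threshold` times to forward to 80/443 on
    one upstream host look like a relay toward a next-hop server.
    Returns sorted (src_ip, user, upstream_host, count) tuples."""
    found = []
    for (src, user), hosts in forward_failures(log_text).items():
        for host, count in hosts.items():
            if count >= threshold:
                found.append((src, user, host, count))
    return sorted(found)


if __name__ == "__main__":
    for src, user, host, count in proxy_candidates(SAMPLE_SSHD_LOG):
        print(f"{src} ({user}) -> {host}: {count} failed web-port forwards")
```

The failure to port 22 in the second session is deliberately ignored: the article's signal is specifically traffic aimed at 80 and 443, the ports a relay would use toward an HTTP(S) command center, and a single stray failure should not mark a session as a relay. Surviving `connect_to` errors are also exactly the kind of fragment that can remain in unallocated space after the log files themselves have been deleted.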
Dates and modules

The Word document investigated by Kaspersky, distributed in 2011, contained an installer loader driver with a compilation date of August 31, 2007. The similar driver (size 20608 bytes, MD5 EEDCA45BD613E0D9A9E5C69122007F17) from the document found by the CrySyS laboratory was compiled on February 21, 2008. In addition, Kaspersky Lab experts discovered an auto-starting driver, rndismpc.sys (size 19968 bytes, MD5 9AEC6E10C5EE9C05BED93221544AEC78), dated January 20, 2008. No components marked 2009 were found. Judging by the compilation timestamps of the various parts of Duqu, its development may date back to early 2007. The first traces relate to the detection of a temporary file of the ~DO type (presumably created by one of the spyware modules) with a creation date of November 28, 2008 (

Sources used:
Symantec analysis report
Source: habr.com