Drovorub: Linux malware that compromises the operating system

The National Security Agency and the Federal Bureau of Investigation have published a report according to which the 85th Main Special Service Center of the Main Directorate of the General Staff of the Armed Forces of Russia (85th Main Intelligence Directorate of the GRU) uses a malware suite called "Drovorub". Drovorub consists of a rootkit in the form of a Linux kernel module, a file-transfer and network-port-forwarding tool, and a command-and-control server. The client can download and upload files, execute arbitrary commands as root, and forward network ports to other network resources.

The Drovorub control server receives the path to its configuration file, in JSON format, as a command-line argument:

{
  "db_host": "",
  "db_port": "",
  "db_db": "",
  "db_user": "",
  "db_password": "",

  "lport": "",
  "lhost": "",
  "ping_sec": "",

  "priv_key_file": "",
  "phrase": ""
}

A MySQL database forms the core of the system. The WebSocket protocol is used for client connections.

A configuration is built into the client, including the server URL, the server's RSA public key, a username, and a password. After the rootkit is installed, the configuration is saved as a JSON text file, which the Drovorub kernel module hides from the system:

{
  "id": "cbcf6abc-466b-11e9-853b-000c29cb9f6f",
  "key": "Y2xpZW50a2V5"
}

Here, "id" is a unique identifier issued by the server; its last 48 bits match the MAC address of the server's network interface. The "key" parameter is by default the base64-encoded string "clientkey", which the server uses during the initial handshake. In addition, the configuration file may contain information about hidden files, modules, and network ports:

{
  "id": "6fa41616-aff1-11ea-acd5-000c29283bbc",
  "key": "Y2xpZW50a2V5",
  "monitor": {
    "file": [
      {
        "active": "true",
        "id": "d9dc492b-5a32-8e5f-0724-845aa13fff98",
        "mask": "testfile1"
      }
    ],
    "module": [
      {
        "active": "true",
        "id": "48a5e9d0-74c7-cc17-2966-0ea17a1d997a",
        "mask": "test1"
      }
    ],
    "net": [
      {
        "active": "true",
        "id": "4f355d5d-9753-76c7-161e-7ef051654a2b",
        "port": "12345",
        "protocol": "tcp"
      }
    ]
  }
}

Another Drovorub component is the agent, whose configuration file holds the information needed to connect to the server:

{
  "client_login": "user123",
  "client_pass": "pass4567",
  "clientid": "e391847c-bae7-11ea-b4bc-000c29130b71",
  "clientkey_base64": "Y2xpZW50a2V5",
  "pub_key_file": "public_key",
  "server_host": "192.168.57.100",
  "server_port": "45122",
  "server_uri": "/ws"
}

The "clientid" and "clientkey_base64" fields are absent at first; they are added after the first registration with the server.
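The two properties of the configuration files just described (the "id" UUID ends in the MAC address of the server's network interface, and the key defaults to base64 "clientkey") are what an analyst looks at first when such a file is recovered from a host. The following script is an added example, not code from the article or from the NSA/FBI report: the field meanings come from the text above, while the function names, the grep-based field check and the sample configuration written to a temporary file are this example's own assumptions, built from the article's sample values.

```shell
#!/bin/sh
# Added example (not from the article or the NSA/FBI report): helpers for
# triaging a recovered Drovorub client/agent configuration. The field meanings
# come from the article; the function names and the constructed sample config
# below are this script's own.

# drovorub_id_to_mac UUID
#   Print the last 48 bits of the UUID as a colon-separated MAC address, i.e.
#   the address of the network interface on the server that issued the id.
drovorub_id_to_mac() {
    hex=$(printf '%s' "$1" | tr -d '-' | tr 'A-F' 'a-f')
    hex=$(printf '%s' "$hex" | sed 's/.*\(............\)$/\1/')
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s\n' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# drovorub_decode_key B64
#   Decode a "key" / "clientkey_base64" value.
drovorub_decode_key() {
    printf '%s' "$1" | base64 -d 2>/dev/null
}

# drovorub_key_is_default B64
#   Succeeds when the value is the stock handshake key "clientkey".
drovorub_key_is_default() {
    [ "$(drovorub_decode_key "$1")" = "clientkey" ]
}

# drovorub_config_has_key FILE NAME
#   Succeeds when FILE contains a JSON member called NAME. A grep is enough
#   for the flat and lightly nested configs shown in the article.
drovorub_config_has_key() {
    grep -q "\"$2\"[[:space:]]*:" "$1"
}

# drovorub_config_registered FILE
#   Succeeds when both post-registration fields are present, meaning the
#   agent has already checked in with the server at least once.
drovorub_config_registered() {
    drovorub_config_has_key "$1" clientid && drovorub_config_has_key "$1" clientkey_base64
}

# Stand-alone demo on a constructed agent config (values from the article's sample).
demo=$(mktemp)
cat > "$demo" <<'EOF'
{
  "client_login": "user123",
  "client_pass": "pass4567",
  "clientid": "e391847c-bae7-11ea-b4bc-000c29130b71",
  "clientkey_base64": "Y2xpZW50a2V5",
  "server_host": "192.168.57.100",
  "server_port": "45122",
  "server_uri": "/ws"
}
EOF
if drovorub_config_registered "$demo"; then
    echo "agent has registered with the server"
    echo "server NIC MAC embedded in clientid: $(drovorub_id_to_mac e391847c-bae7-11ea-b4bc-000c29130b71)"
    if drovorub_key_is_default Y2xpZW50a2V5; then
        echo "key is the default handshake value 'clientkey'"
    fi
else
    echo "agent has not registered yet"
fi
rm -f "$demo"
```

The MAC recovered this way belongs to the server that generated the UUID, not to the infected host, so it is a pivot for clustering configurations that point at the same infrastructure rather than for identifying the victim.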

After installation, the following actions are performed:

  • a kernel module is loaded that registers hooks for system calls;
  • the client registers with the kernel module;
  • the kernel module hides the running client process and its executable file on disk.

A pseudo-device such as /dev/zero is used for communication between the client and the kernel module. The kernel module parses all data written to the device; for the reverse direction it sends the SIGUSR1 signal to the client, after which the client reads the data from that same device.

To detect Drovorub, use network traffic analysis and NIDS tools (malicious network activity cannot be detected from within the infected system, because the kernel module hides the network connections it uses, its netfilter rules, and the packets that could be intercepted via raw sockets). On a system where Drovorub is installed, the kernel module can be detected by sending it a file-hiding command:

touch testfile
echo "ASDFZXCV:hf:testfile" > /dev/zero
ls

The newly created "testfile" will not be listed.
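The three-line check above is easy to automate so that it can be run from a host-inventory job and reports a clean exit status. The script below is an added example, not part of the article or of the NSA/FBI report: the "ASDFZXCV:hf:<name>" command string and the /dev/zero pseudo-device come from the article, while the function name, the temporary directory, the marker-file name and the exit codes are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article or the NSA/FBI report): a wrapper
# around the file-hiding probe quoted in the article.

# drovorub_hide_probe [DEVICE]
#   Creates a marker file in a fresh temporary directory, writes the hide
#   command naming that file to DEVICE (default /dev/zero), then checks whether
#   the file is still listed. On a clean kernel the write is simply discarded
#   by /dev/zero and the file stays visible; a Drovorub kernel module would
#   drop it from the listing.
#   Exit status: 0 = file still visible (no hiding observed)
#                1 = file vanished from the listing (hiding observed)
#                2 = probe could not run (device not writable, mktemp failed)
drovorub_hide_probe() {
    dev="${1:-/dev/zero}"
    [ -w "$dev" ] || return 2
    workdir=$(mktemp -d) || return 2
    marker="drovorub_probe_$$"
    : > "$workdir/$marker" || { rm -rf "$workdir"; return 2; }
    # Same command the article shows ("hf" = hide file), aimed at our marker.
    printf 'ASDFZXCV:hf:%s\n' "$marker" > "$dev"
    if ls "$workdir" | grep -qx "$marker"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$workdir"
    return "$rc"
}

# Stand-alone run: report the outcome in words.
if drovorub_hide_probe; then rc=0; else rc=$?; fi
case "$rc" in
    0) echo "marker file still visible: no file hiding observed" ;;
    1) echo "marker file disappeared from ls: file hiding observed, investigate the host" ;;
    *) echo "probe could not run (is /dev/zero writable?)" ;;
esac
```

A disappearing marker is a strong signal but a visible one is not proof of a clean host: the article's other detection routes (network-side NIDS, memory and disk analysis) still apply, since a variant could use a different command string or pseudo-device.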

Other detection methods include analysis of memory and disk contents. To protect against infection, it is recommended to enable signature verification for the kernel and kernel modules, available since Linux kernel 3.7.

The report includes Snort rules for detecting Drovorub network activity and Yara rules for detecting its components.

Recall that the 85th GCSS of the GRU (military unit 26165) is linked to the APT28 group (Fancy Bear), responsible for numerous cyberattacks.

Source: opennet.ru
