Duqu - a nesting doll

Introduction

On September 1, 2011, a file named ~DN1.tmp was submitted to the VirusTotal site from Hungary. At that time the file was detected as malicious by only two antivirus engines - BitDefender and AVIRA. This is how the story of Duqu began. Looking ahead, it should be said that the Duqu malware family was named after this file. However, this file is a fully independent spyware module with keylogger functionality, installed, most likely, by means of a dropper, and it should be regarded as a "payload" loaded by the Duqu malware during its operation rather than as a module of Duqu itself. One of the Duqu components was submitted to VirusTotal on September 9. Its distinguishing feature is a driver signed by C-Media. Some experts immediately began drawing analogies with another well-known malware sample - Stuxnet, which also used signed drivers. The number of Duqu-infected computers detected by various antivirus companies around the world is substantial. Many companies claim that Iran is once again the main target, but judging by the geographic distribution of infections, this cannot be stated with certainty.
In this case one can confidently speak of yet another campaign described by the new term APT (advanced persistent threat).

Installation process

Research conducted by experts of the Hungarian CrySyS laboratory (Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics) led to the discovery of the installer (dropper) through which the system was infected. It was a Microsoft Word file with an exploit for a vulnerability in the Win32k.sys driver (MS11-087, described by Microsoft on November 13, 2011), which is responsible for the TTF font rendering engine. The exploit shellcode uses a font called 'Dexter Regular' embedded in the document, with Showtime Inc. listed as the font's creator. As you can see, the creators of Duqu are no strangers to humor: Dexter is a killer, the hero of the TV series of the same name produced by Showtime. Dexter kills only criminals (where possible), that is, he breaks the law in the name of legality. Probably, in this way, the Duqu developers are being ironic about the fact that they are engaged in illegal activity for good purposes. The emails were sent in a targeted manner. The mailing most likely used compromised (hacked) computers as intermediaries to make tracing difficult.
Thus the Word document contained the following components:

  • text;
  • an embedded font;
  • exploit shellcode;
  • a driver;
  • an installer (DLL library).

If successful, the exploit shellcode performed the following actions (in kernel mode):

  • a check for reinfection was performed; for this, the presence of the 'CF4D' key was checked in the registry at 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1';
  • two executables were decrypted - a driver (sys) and an installer (dll);
  • the driver was injected into the services.exe process and launched the installer;
  • finally, the shellcode overwrote itself with zeros in memory.

Because win32k.sys runs in the context of the 'System' user, the Duqu developers elegantly solved both the problem of unauthorized launch and that of privilege escalation (running under a user account with limited rights).
Having received control, the installer decrypted three data blocks contained within it, holding:

  • a signed driver (sys);
  • the main module (dll);
  • the installer's configuration data (pnf).

Dates were specified in the installer's configuration data (as two timestamps - start and end). The installer checked whether the current date fell within that window, and if not, terminated its execution. The installer's configuration data also held the names under which the driver and the main module were saved. In this case, the main module was saved to disk in encrypted form.


To launch Duqu, a service was created using the driver file, which decrypted the main module on the fly using keys stored in the registry. The main module contains its own configuration data block. At first launch it was decrypted, the installation date was written into it, after which it was encrypted again and saved by the main module. Thus, on the affected system, after a successful installation three files were saved - the driver, the main module and its configuration file, with the last two stored on disk in encrypted form. All decryption procedures were performed in memory. This complicated installation procedure was used to minimize the chance of detection by antivirus software.
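A host-triage routine a responder could run for the installation artefacts just described, as an added example (not the article's code or any vendor tool). The registry marker, the two driver MD5 hashes and the ~DN/~DO temporary-file names come from the article; the exact file-name pattern and treating the marker as either a registry value or a subkey are assumptions.

```python
"""Triage for the Duqu installation artefacts described in the article.
Known values (marker name, registry path, MD5 hashes) are taken from the
text; the temp-file name pattern and marker handling are assumptions."""
import hashlib
import re
import sys
from pathlib import Path
from typing import Iterable, List, Optional

KNOWN_DRIVER_MD5 = {                          # MD5 values quoted in the article
    "eedca45bd613e0d9a9e5c69122007f17",       # loader driver, 20608 bytes
    "9aec6e10c5ee9c05bed93221544c783e",       # rndismpc.sys, 19968 bytes
}
MARKER_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
MARKER_NAME = "CF4D"                          # reinfection marker named in the article
# Assumed shape of the temp-file names: '~DN1.tmp', '~DO<digits>.tmp'.
TEMP_NAME = re.compile(r"^~D[NO]\d*\.tmp$", re.IGNORECASE)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_temp_artifact(name: str) -> bool:
    """True for file names matching the ~DN*/~DO* temp files mentioned above."""
    return TEMP_NAME.match(name) is not None


def scan_drivers(paths: Iterable[str], known=KNOWN_DRIVER_MD5) -> List[str]:
    """Return the given paths whose content hashes to a known driver MD5."""
    return [str(p) for p in map(Path, paths)
            if p.is_file() and md5_hex(p.read_bytes()) in known]


def marker_present() -> Optional[bool]:
    """Look for the 'CF4D' marker; None when not on Windows (no registry)."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, MARKER_KEY) as zone:
            for probe in (lambda: winreg.QueryValueEx(zone, MARKER_NAME),   # as a value
                          lambda: winreg.OpenKey(zone, MARKER_NAME).Close()):  # as a subkey
                try:
                    probe()
                    return True
                except FileNotFoundError:
                    continue
    except FileNotFoundError:   # the zone key itself is missing
        pass
    return False


if __name__ == "__main__":
    print("marker:", marker_present())
    print("known drivers:", scan_drivers(sys.argv[1:]))
```

Pass candidate driver paths (for example files from the system drivers directory) as arguments; a non-empty "known drivers" list or a True marker indicates the installation artefacts described above.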

Main module

The main module (resource 302), according to Kaspersky Lab, was written with MSVC 2008 in pure C, but using an object-oriented approach. This approach is unusual in malware development. As a rule, such code is written in C to reduce size and get rid of the implicit calls inherent in C++. Here there is a certain symbiosis of the two. In addition, an event-driven architecture was used. Kaspersky Lab staff lean toward the theory that the main module was written using a pre-processor add-on that allows C code to be written in an object-oriented style.
The main module is responsible for receiving commands from the operators. Duqu provides several methods of interaction: the HTTP and HTTPS protocols, as well as named pipes. For HTTP(S), the domain names of the command centers were specified, and the use of a proxy server was provided for - a username and password for it were specified. For the channel, an IP address and its name were specified. These data are stored in the main module's configuration data block (in encrypted form).
For the named-pipe channel, an implementation of its own RPC server was started. It supported the following seven functions:

  • return the installed version;
  • load a dll into the specified process and call the specified function;
  • load a dll;
  • start a process by calling CreateProcess();
  • read the contents of the specified file;
  • write data to the specified file;
  • delete the specified file.

Named pipes could be used within the local network to distribute updated modules and configuration data among Duqu-infected computers. In addition, Duqu could act as a proxy server for other infected computers (which had no Internet access because of firewall settings on the gateway). Some versions of Duqu lacked the RPC functionality.

Known "payloads"

Symantec discovered at least four types of payloads downloaded on command from the Duqu command centers.
Only one of them was resident and compiled as an executable file (exe), which was saved to disk. The other three were implemented as dll libraries. They were loaded dynamically and executed in memory without being saved to disk.

The resident "payload" was a spy module (infostealer) with keylogger functions. It was with its submission to VirusTotal that the research into Duqu began. The main spy functionality was located in a resource, the first 8 kilobytes of which contained part of a photograph of the galaxy NGC 6745 (as a disguise). It should be recalled here that in April 2012 some media outlets spread information (http://www.mehrnews.com/en/newsdetail.aspx?NewsID=1297506) that Iran had been hit by the "Stars" malware, while the details of the incident were not disclosed. Perhaps it was exactly such a sample of the Duqu "payload" that was discovered in Iran at that time, hence the name "Stars".
The spy module collected the following information:

  • list of running processes, information about the current user and domain;
  • list of logical drives, including network drives;
  • screenshots;
  • network interface addresses, routing tables;
  • a log file of keystrokes;
  • names of open application windows;
  • list of available network resources (shared resources);
  • full list of files on all disks, including removable ones;
  • list of computers in the "network environment".

Another spy module (infostealer) was a variation of the one described above, but compiled as a dll library; the keylogger functions, the creation of the file list and the enumeration of computers in the domain were removed from it.
The next module (reconnaissance) collected system information:

  • whether the computer is part of a domain;
  • paths to the Windows system directories;
  • operating system version;
  • current user name;
  • list of network adapters;
  • system and local time, as well as the time zone.

The last module (lifetime extension) implemented a function that increased the value (stored in the main module's configuration file) of the number of days remaining until the task ends. By default this value was set to 30 or 36 days, depending on the Duqu modification, and decreased by one every day.

Command centers

On October 20, 2011 (three days after the information about the discovery was published), the Duqu operators carried out a procedure to destroy the traces of the command centers' operation. The command centers were located on hacked servers around the world - in Vietnam, India, Germany, Singapore, Switzerland, Great Britain, Holland and South Korea. Interestingly, all the identified servers were running CentOS versions 5.2, 5.4 or 5.5. The operating systems were both 32-bit and 64-bit. Although all files related to the operation of the command centers were deleted, Kaspersky Lab experts were able to recover some of the LOG files from unallocated disk space. The most interesting fact is that the attackers always replaced the OpenSSH 4.3 package on the servers with version 5.8. This may indicate that an unknown vulnerability in OpenSSH 4.3 was used to hack the servers. Not all of the systems were used as command centers. Some, judging by the errors in the sshd logs when attempting to forward traffic for ports 80 and 443, were used as proxy servers connecting to the final command centers.
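The sshd forwarding errors described above are a usable detection signal for a server being used as a relay: the routine below, an added example and not code from the article or from Kaspersky Lab or Symantec, parses them out of sshd log lines and counts repeated forward attempts per destination. The log excerpt is constructed; the message text follows OpenSSH's "connect_to <host> port <n>: failed." error, whose exact wording varies slightly between versions.

```python
"""Flag failed SSH port-forwards to web ports in sshd logs (added example).
Repeated forwards to the same destination on 80/443 from a host that should
not be a relay match the proxy behaviour the article describes."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample sshd excerpt (syslog format); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real infrastructure.
SAMPLE_LOG = """\
Oct 18 03:12:44 relay sshd[2201]: Accepted password for root from 203.0.113.5 port 51422 ssh2
Oct 18 03:12:51 relay sshd[2203]: error: connect_to 198.51.100.7 port 443: failed.
Oct 18 03:12:52 relay sshd[2203]: error: connect_to 198.51.100.7 port 80: failed.
Oct 18 03:13:01 relay sshd[2203]: error: connect_to 198.51.100.9 port 8022: failed.
Oct 18 03:13:09 relay sshd[2203]: error: connect_to 198.51.100.7 port 443: failed.
Oct 18 03:14:10 relay sshd[2201]: Received disconnect from 203.0.113.5 port 51422:11: disconnected by user
"""

FORWARD_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[(?P<pid>\d+)\]: "
    r"error: connect_to (?P<target>\S+) port (?P<port>\d+): failed\.$"
)
WEB_PORTS = {80, 443}   # the ports the article says the relays forwarded


def forwarding_failures(lines: Iterable[str], ports=WEB_PORTS) -> List[Tuple[str, str, int]]:
    """Return (timestamp, target, port) for every failed forward to a web port."""
    hits = []
    for line in lines:
        m = FORWARD_FAIL.match(line.rstrip("\n"))
        if m and int(m["port"]) in ports:
            hits.append((m["ts"], m["target"], int(m["port"])))
    return hits


def suspected_command_centres(lines: Iterable[str], min_attempts: int = 2) -> Dict[str, int]:
    """Destinations that received at least `min_attempts` web-port forwards."""
    counts = Counter(target for _, target, _ in forwarding_failures(lines))
    return {t: n for t, n in counts.items() if n >= min_attempts}


if __name__ == "__main__":
    for ts, target, port in forwarding_failures(SAMPLE_LOG.splitlines()):
        print(f"{ts}  forward to {target}:{port} failed")
    print("suspected command centres:", suspected_command_centres(SAMPLE_LOG.splitlines()))
```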

Dates and modules

The Word document distributed in April 2011 and analyzed by Kaspersky Lab contained a loader driver with a compile date of August 31, 2007. A similar driver (size - 20608 bytes, MD5 - EEDCA45BD613E0D9A9E5C69122007F17) in the document found in the CrySyS laboratory had a compile date of February 21, 2008. In addition, Kaspersky Lab experts found the autorun driver rndismpc.sys (size - 19968 bytes, MD5 - 9AEC6E10C5EE9C05BED93221544C783E) dated January 20, 2008. No components dated 2009 were found. Judging by the compile timestamps of the individual parts of Duqu, its development may date back to early 2007. Its earliest manifestation is associated with the discovery of temporary files of the ~DO type (probably created by one of the spyware modules), with a creation date of November 28, 2008 (article "Duqu & Stuxnet: A Timeline of Interesting Events"). The latest date associated with Duqu is February 23, 2012, found in a loader driver discovered by Symantec in March 2012.

Sources used:

the series of articles on Duqu from Kaspersky Lab;
Symantec analytical report "W32.Duqu: The precursor to the next Stuxnet", version 1.4, November 2011 (pdf).

Source: www.habr.com
