Drovorub: a malware suite targeting Linux

The National Security Agency and the US Federal Bureau of Investigation have published a report according to which the 85th Main Special Service Center of the Main Directorate of the General Staff of the Russian Armed Forces (85th GTsSS GRU) uses a malware suite called "Drovorub". Drovorub consists of a rootkit implemented as a Linux kernel module, a tool for transferring files and forwarding network ports, and a command-and-control server. The client component can download and upload files, execute arbitrary commands as root, and forward network ports to other hosts on the network.

The Drovorub control server takes the path to a JSON-format configuration file as a command-line argument:

{
  "db_host" : " ",
  "db_port" : " ",
  "db_db" : " ",
  "db_user" : " ",
  "db_password" : " ",

  "lport" : " ",
  "lhost" : " ",
  "ping_sec" : " ",

  "priv_key_file" : " ",
  "phrase" : " "
}

MySQL is used as the database backend. Clients connect to the server over the WebSocket protocol.

The client ships with an embedded configuration that includes the server URL, the server's RSA public key, a login name and a password. When the rootkit is installed, this configuration is saved as a JSON file, which the Drovorub kernel module hides from the system:

{
  "id" : "cbcf6abc-466b-11e9-853b-000c29cb9f6f",
  "key" : "Y2xpZW50a2V5"
}

Here "id" is a unique identifier issued by the server, whose last 48 bits correspond to the MAC address of the server's network interface. The default value of "key" is the base64-encoded string "clientkey", which the server uses during the initial handshake. In addition, the configuration file may contain information about hidden files, modules and network ports:

{
  "id" : "6fa41616-aff1-11ea-acd5-000c29283bbc",
  "key" : "Y2xpZW50a2V5",
  "monitor" : {
    "file" : [
      {
        "active" : "true",
        "id" : "d9dc492b-5a32-8e5f-0724-845aa13fff98",
        "mask" : "testfile1"
      }
    ],
    "module" : [
      {
        "active" : "true",
        "id" : "48a5e9d0-74c7-cc17-2966-0ea17a1d997a",
        "mask" : "testmodule1"
      }
    ],
    "net" : [
      {
        "active" : "true",
        "id" : "4f355d5d-9753-76c7-161e-7ef051654a2b",
        "port" : "12345",
        "protocol" : "tcp"
      }
    ]
  }
}
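As an added example (not code from the report or from the article), here is a Python triage helper for a client configuration recovered in this format: it lists what the rootkit is instructed to hide and decodes the server MAC from the "id" as described above; going one step beyond the text, it also recovers the timestamp that every version-1 UUID carries. The sample configuration is constructed from the values shown above.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample, modelled on the hidden client configuration quoted above.
SAMPLE_CONFIG = """{
  "id": "cbcf6abc-466b-11e9-853b-000c29cb9f6f",
  "key": "Y2xpZW50a2V5",
  "monitor": {
    "file":   [{"active": "true", "id": "d9dc492b-5a32-8e5f-0724-845aa13fff98", "mask": "testfile1"}],
    "module": [{"active": "true", "id": "48a5e9d0-74c7-cc17-2966-0ea17a1d997a", "mask": "testmodule1"}],
    "net":    [{"active": "true", "id": "4f355d5d-9753-76c7-161e-7ef051654a2b",
                "port": "12345", "protocol": "tcp"}]
  }
}"""

# 100-ns ticks between the UUID epoch (1582-10-15) and the Unix epoch (1970-01-01).
UUID_TO_UNIX_100NS = 0x01B21DD213814000

def decode_client_id(client_id):
    """Return (server MAC, issue time) from a version-1 client id: the report says the
    low 48 bits are the MAC of the server's interface, and a version-1 UUID also
    carries a 60-bit timestamp of when it was generated."""
    u = uuid.UUID(client_id)
    if u.version != 1:
        raise ValueError(f"{client_id} is not a version-1 UUID")
    node_hex = f"{u.node:012x}"
    mac = ":".join(node_hex[i:i + 2] for i in range(0, 12, 2))
    created = datetime.fromtimestamp((u.time - UUID_TO_UNIX_100NS) / 1e7, tz=timezone.utc)
    return mac, created

def hidden_artifacts(config_text):
    """List the files, modules and ports the rootkit is instructed to hide."""
    monitor = json.loads(config_text).get("monitor", {})
    result = {"file": [], "module": [], "net": []}
    for kind in ("file", "module"):
        for entry in monitor.get(kind, []):
            if entry.get("active") == "true":  # stored as the string "true", not a boolean
                result[kind].append(entry["mask"])
    for entry in monitor.get("net", []):
        if entry.get("active") == "true":
            result["net"].append(f"{entry['protocol']}/{entry['port']}")
    return result

if __name__ == "__main__":
    mac, created = decode_client_id(json.loads(SAMPLE_CONFIG)["id"])
    print(f"server MAC {mac}, client id issued {created:%Y-%m-%d %H:%M} UTC")
    print("hidden:", hidden_artifacts(SAMPLE_CONFIG))
```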

Another Drovorub component is the agent; its configuration file holds the information needed to connect to the server:

{
  "client_login" : "user123",
  "client_pass" : "pass4567",
  "clientid" : "e391847c-bae7-11ea-b4bc-000c29130b71",
  "clientkey_base64" : "Y2xpZW50a2V5",
  "pub_key_file" : "public_key",
  "server_host" : "192.168.57.100",
  "server_port" : "45122",
  "server_uri" : "/ws"
}

The "clientid" and "clientkey_base64" fields are absent initially; they are added after the first registration with the server.

After launch, the following actions take place:

  • the kernel module is loaded and installs hooks on system calls;
  • the client registers itself with the kernel module;
  • the kernel module hides the running client process and its executable file on disk.

A pseudo-device, for example /dev/zero, is used for communication between the client and the kernel module. The kernel module processes all data written to the device; to send data in the opposite direction it delivers a SIGUSR1 signal to the client, which then reads the data from the same device.

Drovorub can be detected by analysing network traffic with a NIDS (the anomalous network activity cannot be detected on the infected host itself, since the kernel module hides the network sockets it uses, its netfilter rules, and the packets that could otherwise be captured with a raw socket). On a system where Drovorub is installed, the kernel module can be detected by sending it a file-hide command:

touch testfile
echo "ASDFZXCV:hf:testfile" > /dev/zero
ls

If the rootkit is present, the newly created "testfile" disappears from the listing.

Other detection methods include taking a memory dump and analysing the contents of the disk. To prevent infection, it is recommended to enable mandatory signature verification for the kernel and kernel modules, which has been available since Linux kernel 3.7.

The report includes Snort rules for detecting Drovorub network activity and Yara rules for detecting its components.

Recall that the 85th GTsSS GRU (military unit 26165) is associated with the APT28 (Fancy Bear) group, which is behind many cyberattacks.

Source: opennet.ru