Duqu: a malicious nesting doll

Introduction

On September 1, 2011, a file named ~DN1.tmp was submitted to the VirusTotal website from Hungary. At that time the file was flagged as malicious by only two antivirus engines, BitDefender and AVIRA. That is how the Duqu story began. Looking ahead, it should be noted that the Duqu malware family was named after this file. However, the file is a completely self-contained spyware module with keylogger functionality, installed, most likely, by a malicious downloader-dropper, and it can only be regarded as a "payload" fetched by the Duqu malware during its operation, not as a component (module) of Duqu itself. One of the actual Duqu components was submitted to VirusTotal only on September 9. Its distinctive feature was a driver signed by C-Media. Some experts immediately drew analogies with another well-known piece of malware, Stuxnet, which also used signed drivers. The number of Duqu-infected computers detected by the various antivirus companies worldwide is in the dozens. Many companies claim that Iran is once again the main target, but judging by the distribution of infections this cannot be stated with certainty.
In this case, the only thing that can be said with confidence is that we are looking at one more instance of what is now fashionably called an APT (advanced persistent threat).

System infection mechanism

Analysis by specialists from the Hungarian CrySyS laboratory (Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics) led to the discovery of the installer (dropper) through which the system was infected. It was a Microsoft Word file carrying an exploit for a vulnerability in the win32k.sys driver (MS11-087, described by Microsoft on November 13, 2011), located in the TTF font rendering mechanism. The exploit shellcode uses a font named 'Dexter Regular' embedded in the document, with Showtime Inc. listed as the font's creator. As you can see, the Duqu developers have a sense of humour: Dexter is a serial killer, the hero of the TV series of the same name, produced by Showtime. Dexter kills only (whenever possible) criminals, that is, he breaks the law in the name of the law. Presumably the Duqu developers are being ironic in the same way about carrying out illegal activity for good purposes. The e-mails were sent in a targeted manner. The mailing most likely used compromised (hacked) computers as intermediaries to make tracing harder.
The Word document therefore contained the following components:

  • the document text;
  • an embedded font;
  • the exploit shellcode;
  • a driver;
  • an installer (DLL library).

If successful, the exploit shellcode performed the following operations (in kernel mode):

  • a re-infection check was performed: for this, the presence of a 'CF4D' key was looked up in the registry at 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'; if it was present, the shellcode terminated its execution;
  • two files were decrypted: the driver (sys) and the installer (dll);
  • the driver was injected into the services.exe process and launched the installer;
  • finally, the shellcode zeroed itself out in memory.
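
The re-infection marker described above is a usable host indicator. The following is an added example, not code from the article or from any of the vendors it cites: it scans the text of a registry export (the output of `reg export`) for the 'CF4D' marker under the Zones\1 key, treating it either as a value or as a subkey since the article only says "key", and offers an optional live check via `winreg` on Windows. The export texts in the block are constructed samples.

```python
import re
from typing import Optional

# Registry location the article says the Duqu shellcode consulted before infecting.
# The marker named "CF4D" is looked for both as a value and as a subkey under it.
DUQU_MARKER_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
DUQU_MARKER_NAME = "CF4D"


def find_marker_in_reg_export(reg_text: str) -> Optional[str]:
    """Scan a .reg export and return 'value' or 'subkey' if the marker is present, else None."""
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            # Marker stored as a subkey directly below Zones\1
            if current_key.lower() == (DUQU_MARKER_PATH + "\\" + DUQU_MARKER_NAME).lower():
                return "subkey"
            continue
        if current_key and current_key.lower() == DUQU_MARKER_PATH.lower():
            # Marker stored as a value: lines look like "Name"=dword:00000001
            m = re.match(r'"([^"]+)"\s*=', line)
            if m and m.group(1).upper() == DUQU_MARKER_NAME:
                return "value"
    return None


def check_live_registry() -> Optional[str]:
    """Same check against the live hive; returns None on non-Windows hosts (no winreg)."""
    try:
        import winreg
    except ImportError:
        return None
    subkey_path = DUQU_MARKER_PATH.split("\\", 1)[1]  # strip the HKEY_LOCAL_MACHINE prefix
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey_path) as key:
            try:
                winreg.QueryValueEx(key, DUQU_MARKER_NAME)
                return "value"
            except FileNotFoundError:
                pass
            try:
                winreg.OpenKey(key, DUQU_MARKER_NAME).Close()
                return "subkey"
            except FileNotFoundError:
                return None
    except FileNotFoundError:
        return None


# Constructed sample exports: a clean Zones\1 key, and the same key with the marker value added.
CLEAN_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1]
"DisplayName"="Local intranet"
"CurrentLevel"=dword:00010500
"""
INFECTED_EXPORT = CLEAN_EXPORT + '"CF4D"=dword:00000001\n'

if __name__ == "__main__":
    print("clean export:", find_marker_in_reg_export(CLEAN_EXPORT))
    print("infected export:", find_marker_in_reg_export(INFECTED_EXPORT))
    print("live registry:", check_live_registry())
```

Checking an exported hive rather than the live one lets the same function run over exports collected from many hosts during an incident; the value form and the subkey form are both accepted so that a difference in how the marker was written does not cause a miss.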

Because win32k.sys runs under the privileged 'System' account, the Duqu developers elegantly solved two problems at once: unauthorised launch and privilege escalation (when working under a user account with limited rights).
After gaining control, the installer decrypted three blocks of data held in memory, containing:

  • the signed driver (sys);
  • the main module (dll);
  • the installer configuration data (pnf).

A date range was specified in the installer configuration data (as two timestamps, a start and an end). The installer checked whether the current date fell within it and, if not, terminated its execution. The installer configuration data also held the names under which the driver and the main module were stored. The main module was stored on disk in encrypted form.


To start Duqu automatically, a service was created from the driver file, which decrypted the main module on the fly using keys stored in the registry. The main module carries its own configuration data block. On first launch this block was decrypted, the installation date was written into it, after which it was encrypted again and saved by the main module. Thus, after a successful installation, three files were stored on the compromised system: the driver, the main module and the main module's configuration data file, with the last two kept on disk in encrypted form. All decryption was performed in memory only. This elaborate installation procedure was used to minimise the chance of detection by antivirus software.

The main module

The main module (resource 302), according to Kaspersky Lab, was written with MSVC 2008 in pure C, but using an object-oriented approach. Such an approach is unusual in malicious code. As a rule, this kind of code is written in C to reduce size and to get rid of the implicit calls inherent in C++. Here there is a kind of symbiosis of the two. In addition, an event-driven architecture was used. Kaspersky Lab staff lean towards the theory that the main module was written using a pre-processor extension that allows C code to be written in an object style.
The main module is responsible for receiving commands from the operators. Duqu provides several interaction methods: the HTTP and HTTPS protocols, as well as named pipes. For HTTP(S), the domain names of the command centres are specified, and the ability to work through a proxy server is provided, with a username and password specified for it. For the channel, the IP address and its name are specified. This data is stored in the main module's configuration data block (in encrypted form).
For named pipes, Duqu ran its own implementation of an RPC server. It supported the following seven functions:

  • return the installed version;
  • inject a dll into the specified process and call the specified function;
  • load a dll;
  • start a process by calling CreateProcess();
  • read the contents of the specified file;
  • write data to the specified file;
  • delete the specified file.

Named pipes could be used within a local network to distribute updated modules and configuration data between Duqu-infected computers. In addition, Duqu could act as a proxy server for other infected computers (those without Internet access because of the firewall settings at the gateway). Some versions of Duqu had no RPC functionality at all.

Known "payloads"

Symantec found about four kinds of payloads downloaded on command from the Duqu control centre.
Only one of them was resident and compiled as an executable file (exe), which was saved to disk. The remaining three were implemented as dll libraries. They were loaded dynamically and executed in memory without being written to disk.

The resident "payload" was a spy module (infostealer) with keylogger functionality. It was its submission to VirusTotal that started the research work on Duqu. The main spy functionality sat in a resource whose first 8 kilobytes contained part of an image of the galaxy NGC 6745 (as camouflage). It should be recalled here that in April 2012 some media published reports (http://www.mehrnews.com/en/newsdetail.aspx?NewsID=1297506) that Iran had been exposed to a piece of malicious software called "Stars", while details of the incident were not disclosed. Perhaps it was precisely such a sample of the Duqu "payload" that was found in Iran at the time, hence the name "Stars".
The spy module collected the following information:
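
The image-prefix camouflage described above is something a triage script can look for directly. The following is an added example, not code from the article or from Symantec: it treats a resource blob as suspicious when it starts like a JPEG yet contains a plausible PE image (an 'MZ' header whose e_lfanew points at a 'PE\0\0' signature) at or after the 8 KB mark the article gives. The sample blob is constructed in the block; the 8 KB prefix length is taken from the article, the JPEG assumption is mine.

```python
import struct
from typing import Optional

JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_PREFIX_LEN = 8 * 1024  # per the article: the first 8 KB of the resource were image data


def find_embedded_pe(blob: bytes, start: int = 0) -> Optional[int]:
    """Return the offset of the first plausible PE image at or after `start`.

    Plausible means: an 'MZ' DOS header whose e_lfanew field (at +0x3C) points to a
    'PE\\0\\0' signature that lies inside the blob. Returns None if nothing is found."""
    pos = blob.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[pe_off:pe_off + 4] == b"PE\x00\x00":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return None


def looks_like_camouflaged_resource(blob: bytes) -> dict:
    """Flag a resource that begins like a JPEG but hides a PE image after the image prefix."""
    is_image = blob.startswith(JPEG_MAGIC)
    # For an image-looking blob only search past the prefix; a bare PE is not camouflage.
    pe_at = find_embedded_pe(blob, IMAGE_PREFIX_LEN if is_image else 0)
    return {
        "image_prefix": is_image,
        "pe_offset": pe_at,
        "suspicious": is_image and pe_at is not None,
    }


def build_sample() -> bytes:
    """Constructed stand-in for the resource: a JPEG-looking prefix padded to 8 KB,
    followed by a minimal MZ/PE stub. Not real malware data."""
    prefix = JPEG_MAGIC + b"\xe0" + b"\x00" * (IMAGE_PREFIX_LEN - 4)
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)  # e_lfanew: PE header at +0x80
    pe_stub = bytes(dos_header) + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"\x00" * 20
    return prefix + pe_stub


if __name__ == "__main__":
    print(looks_like_camouflaged_resource(build_sample()))
```

The e_lfanew sanity range keeps random 'MZ' byte pairs inside genuine image data from producing a hit, which is the false-positive case a scanner over many resources needs to handle.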

  • the list of running processes, information about the current user and domain;
  • the list of logical drives, including network drives;
  • screenshots;
  • network interface addresses and routing tables;
  • a log file of keyboard keystrokes;
  • the names of open application windows;
  • the list of available network resources (shared resources);
  • a full list of files on all disks, including removable ones;
  • the list of computers in the "network neighbourhood".

Another spy module (infostealer) was a variation of the one just described, but built as a dll library; the keylogger functionality, file list collection and enumeration of the computers in the domain were removed from it.
The next module (reconnaissance) collected system information:

  • whether the computer is part of a domain;
  • the paths of the Windows system directories;
  • the operating system version;
  • the current user name;
  • the list of network adapters;
  • the system and local time, together with the time zone.

The last module (lifespan extender) implemented a function that increased the value (stored in the main module's configuration data file) of the number of days remaining until the job ends. By default this value was set to 30 or 36 days, depending on the Duqu modification, and it decreased by one every day.
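
Two time gates appear in this article: the installer's date window (in the installer configuration data) and the main module's day counter that the lifespan extender tops up. The following is an added example, not code from the article or from the vendors it cites, that models both gates the way an analyst would when deciding what clock a sandbox needs in order to see the sample act at all. The window dates and the counter value in the block are constructed; the article gives only the 30/36-day defaults.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

DateLike = Union[date, str]


def _as_date(value: DateLike) -> date:
    """Accept either a date or an ISO string such as '2011-09-01'."""
    return date.fromisoformat(value) if isinstance(value, str) else value


@dataclass
class InstallerConfig:
    # Installer-side gate: the article says the dropper quits outside [window_start, window_end].
    window_start: date
    window_end: date


@dataclass
class MainConfig:
    # Main-module-side gate: install date written at first run plus a day counter
    # (30 or 36 by default according to the article) that is decremented daily.
    install_date: Optional[date]
    days_remaining: int


def installer_would_run(cfg: InstallerConfig, today: DateLike) -> bool:
    """True when the current date lies inside the installer's activation window."""
    return cfg.window_start <= _as_date(today) <= cfg.window_end


def main_module_active(cfg: MainConfig, today: DateLike) -> bool:
    """Models the daily decrement as (stored counter - days since install); zero means stop."""
    if cfg.install_date is None:          # first run: install date not yet written
        return True
    elapsed = (_as_date(today) - cfg.install_date).days
    return cfg.days_remaining - elapsed > 0


def extend_lifespan(cfg: MainConfig, extra_days: int) -> MainConfig:
    """Models what the lifespan-extender payload does: raise the stored counter."""
    return MainConfig(cfg.install_date, cfg.days_remaining + extra_days)


def sandbox_clock_advice(cfg: InstallerConfig, sandbox_today: DateLike) -> str:
    """Tell the analyst whether the sandbox clock must be moved to observe the dropper."""
    if installer_would_run(cfg, sandbox_today):
        return "clock OK"
    return f"set sandbox clock between {cfg.window_start} and {cfg.window_end}"


# Constructed values for the demonstration; the article does not give a real window.
DEMO_INSTALLER = InstallerConfig(date(2011, 8, 1), date(2011, 9, 30))
DEMO_MAIN = MainConfig(install_date=date(2011, 9, 1), days_remaining=30)

if __name__ == "__main__":
    print(sandbox_clock_advice(DEMO_INSTALLER, "2012-01-15"))
    print("active on 2011-09-20:", main_module_active(DEMO_MAIN, "2011-09-20"))
    print("active on 2011-10-01:", main_module_active(DEMO_MAIN, "2011-10-01"))
```

The practical point for a defender is the second gate: a sample whose counter has run down looks inert on a live host even though the files are still present, so the stored counter, not observed activity, is the thing to check during an investigation.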

Command centres

On October 20, 2011 (three days after news of the discovery had spread), the Duqu operators carried out a procedure to destroy the traces of the command centres' operation. The command centres sat on hacked servers around the world: in Vietnam, India, Germany, Singapore, Switzerland, Great Britain, Holland and South Korea. Interestingly, all of the servers identified ran CentOS version 5.2, 5.4 or 5.5. Both 32-bit and 64-bit installations were present. Although every file related to the operation of the command centres had been deleted, Kaspersky Lab specialists were able to recover some information from LOG files out of slack space. The most interesting fact is that the attackers always replaced the default OpenSSH 4.3 package on the servers with version 5.8. This may indicate that an unknown vulnerability in OpenSSH 4.3 was used to break into the servers. Not all of the systems were used as command centres. Some, judging by the errors in the sshd logs when attempting to forward traffic for ports 80 and 443, were used as proxy servers for connecting to the final command centres.

Dates and modules

The Word document distributed in April 2011, which Kaspersky Lab analysed, contained a loader driver with a compile date of August 31, 2007. A similar driver (size 20608 bytes, MD5 EEDCA45BD613E0D9A9E5C69122007F17) in the document found by the CrySyS laboratory had a compile date of February 21, 2008. In addition, Kaspersky Lab specialists found the autorun driver rndismpc.sys (size 19968 bytes, MD5 9AEC6E10C5EE9C05BED93221544C783E) dated January 20, 2008. No components dated 2009 were found. Judging by the compile timestamps of the individual parts of Duqu, its development may date back to early 2007. Its earliest manifestation is associated with the discovery of temporary files of the ~DO type (probably created by one of the spyware modules), with a creation date of November 28, 2008 (article "Duqu & Stuxnet: A Timeline of Interesting Events"). The most recent date associated with Duqu was February 23, 2012, found in a loader driver discovered by Symantec in March 2012.
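
The sizes and MD5 hashes quoted above are the kind of file indicators a responder sweeps a disk for. The following is an added example, not code from the article or from Kaspersky Lab: it walks a directory tree, uses the file size as a cheap pre-filter and hashes only size matches, using the two driver indicators the article gives. The `run_demo` function builds a throwaway directory with a constructed file so the whole thing runs offline; the constructed file deliberately has the right size but a different hash, so the page's indicators do not match it.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Indicators quoted in the article: (size in bytes, MD5) per driver.
DUQU_DRIVER_IOCS: Dict[str, Tuple[int, str]] = {
    "loader driver from the CrySyS document (2008-02-21 build)": (20608, "EEDCA45BD613E0D9A9E5C69122007F17"),
    "rndismpc.sys autorun driver (2008-01-20 build)": (19968, "9AEC6E10C5EE9C05BED93221544C783E"),
}


def md5_of(path: Path) -> str:
    """Stream the file through MD5 so large files do not need to be read into memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def match_file(path: Path, iocs: Dict[str, Tuple[int, str]] = DUQU_DRIVER_IOCS) -> List[str]:
    """Return the names of indicators this file matches; size is checked before hashing."""
    size = path.stat().st_size
    candidates = [name for name, (ioc_size, _) in iocs.items() if ioc_size == size]
    if not candidates:
        return []
    digest = md5_of(path)
    return [name for name in candidates if iocs[name][1] == digest]


def sweep(root: Path, iocs: Dict[str, Tuple[int, str]] = DUQU_DRIVER_IOCS) -> Dict[str, List[str]]:
    """Walk `root` and map each matching file path to the indicators it matched."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                matched = match_file(p, iocs)
            except OSError:       # unreadable file: skip rather than abort the sweep
                continue
            if matched:
                hits[str(p)] = matched
    return hits


def run_demo() -> Dict[str, int]:
    """Constructed demonstration: a 19968-byte stand-in file with a throwaway IoC entry
    holding its real hash, so both the size pre-filter and the hash comparison are exercised."""
    with tempfile.TemporaryDirectory() as d:
        fake = Path(d) / "rndismpc.sys"
        fake.write_bytes(b"\x00" * 19968)   # same size as the article's IoC, different content
        page_hits = sweep(Path(d))          # size matches, hash does not: no hit expected
        demo_iocs = {"constructed sample": (19968, md5_of(fake))}
        demo_hits = sweep(Path(d), demo_iocs)
        return {"page_ioc_hits": len(page_hits), "demo_hits": len(demo_hits)}


if __name__ == "__main__":
    print(run_demo())
```

Hashing only files whose size matches an indicator keeps a full-disk sweep cheap; the cost is that an indicator list must carry sizes, which is why the article's figures are recorded alongside the hashes.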

Sources of information used:

a series of articles about Duqu from Kaspersky Lab;
Symantec analytical report "W32.Duqu: The precursor to the next Stuxnet", version 1.4, November 2011 (pdf).

Source: www.habr.com
