Drovorub: the malware complex that compromises Linux systems

The US National Security Agency and the Federal Bureau of Investigation have published a report on the malware complex called "Drovorub", which is used by the 85th Main Special Service Center of the Main Directorate of the General Staff of the Russian Armed Forces (85th GTsSS GRU). Drovorub consists of a rootkit in the form of a Linux kernel module, a tool for transferring files and forwarding network ports, and a control server. The client component can download and upload files, execute arbitrary commands as the root user, and forward network ports to other network nodes.

The Drovorub control centre takes the path to a configuration file in JSON format as a command-line argument:

{
"db_host" : " ",
"db_port" : " ",
"db_db" : " ",
"db_user" : " ",
"db_password" : " ",

"lport" : " ",
"lhost" : " ",
"ping_sec" : " ",

"priv_key_file" : " ",
"phrase" : " "
}

The MySQL DBMS is used as the backend. The WebSocket protocol is used for connections from clients.

The client has a built-in configuration that includes the server URL, the server's RSA public key, a username and a password. After the rootkit is installed, the configuration is stored as a text file in JSON format, which the Drovorub kernel module hides from the system:

{
"id" : "cbcf6abc-466b-11e9-853b-000c29cb9f6f",
"key" : "Y2xpZW50a2V5"
}

Here "id" is a unique identifier assigned by the server, whose last 48 bits correspond to the MAC address of the server's network interface. The "key" parameter is the base64-encoded string "clientkey", which the server uses during the initial handshake. In addition, the configuration file may contain information about the files, modules and network ports that are to be hidden:

{
"id" : "6fa41616-aff1-11ea-acd5-000c29283bbc",
"key" : "Y2xpZW50a2V5",
"monitor" : {
"file" : [
{
"active" : "true",
"id" : "d9dc492b-5a32-8e5f-0724-845aa13fff98",
"mask" : "testfile1"
}
],
"module" : [
{
"active" : "true",
"id" : "48a5e9d0-74c7-cc17-2966-0ea17a1d997a",
"mask" : "testmodule1"
}
],
"net" : [
{
"active" : "true",
"id" : "4f355d5d-9753-76c7-161e-7ef051654a2b",
"port" : "12345",
"protocol" : "tcp"
}
]
}
}
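A responder who recovers one of these hidden client configuration files (from a disk image or a memory dump, since the kernel module hides it from the live system) mostly wants to know what the rootkit was told to conceal and which server issued the "id". The following parser is an added example written for this article, not code from the NSA/FBI report or from the malware; the sample configuration embedded in it is constructed from the entries quoted above, and the field names "hidden_files", "hidden_modules", "hidden_ports" and "server_mac" in the result are this example's own naming. The MAC extraction relies on the article's statement that the last 48 bits of "id" are the server's interface MAC, which is how a version-1 UUID is built, so ids of any other version yield None.

```python
import base64
import json
import uuid

# Constructed sample modelled on the Drovorub-client configuration quoted in
# the article (same ids and the same "clientkey" value); it is not a file
# recovered from a real host.
SAMPLE_CLIENT_CONFIG = """
{
  "id" : "6fa41616-aff1-11ea-acd5-000c29283bbc",
  "key" : "Y2xpZW50a2V5",
  "monitor" : {
    "file" :   [ { "active" : "true", "id" : "d9dc492b-5a32-8e5f-0724-845aa13fff98", "mask" : "testfile1" } ],
    "module" : [ { "active" : "true", "id" : "48a5e9d0-74c7-cc17-2966-0ea17a1d997a", "mask" : "testmodule1" } ],
    "net" :    [ { "active" : "true", "id" : "4f355d5d-9753-76c7-161e-7ef051654a2b", "port" : "12345", "protocol" : "tcp" } ]
  }
}
"""


def mac_from_uuid(value):
    """Return the 48-bit node field of a version-1 UUID as a MAC string.

    The article states that the server derives the last 48 bits of "id" from
    the MAC of its network interface; that is the node field of a v1 UUID.
    Returns None for ids that are not version 1, because their last 48 bits
    carry no such meaning.
    """
    u = uuid.UUID(value)
    if u.version != 1:
        return None
    node = u.node
    return ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def _active(entries):
    # Drovorub stores booleans as the strings "true" / "false".
    return [e for e in entries if str(e.get("active", "")).lower() == "true"]


def parse_client_config(text):
    """Parse a recovered Drovorub-client config and summarise what it hides.

    The keys of the returned dict are this example's own naming, not names
    used by the malware.
    """
    cfg = json.loads(text)
    monitor = cfg.get("monitor", {})
    return {
        "id": cfg["id"],
        "server_mac": mac_from_uuid(cfg["id"]),
        # "key" is base64 of the handshake string; decode defensively in case
        # a variant stores something other than printable ASCII.
        "key": base64.b64decode(cfg["key"]).decode("ascii", "replace"),
        "hidden_files": [e["mask"] for e in _active(monitor.get("file", []))],
        "hidden_modules": [e["mask"] for e in _active(monitor.get("module", []))],
        "hidden_ports": [(e["protocol"], int(e["port"]))
                         for e in _active(monitor.get("net", []))],
    }


if __name__ == "__main__":
    summary = parse_client_config(SAMPLE_CLIENT_CONFIG)
    for name, value in summary.items():
        print(f"{name:15s} {value}")
```

Each "mask" and port in the output is something to look for elsewhere in the investigation: a hidden file is a candidate for carving from the disk image, a hidden module for the kernel memory dump, and a hidden port for the NIDS captures the article recommends, since the live host will not show any of them.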

Another component of Drovorub is the agent; its configuration file contains the information needed to connect to the server:

{
"client_login" : "user123",
"client_pass" : "pass4567",
"clientid" : "e391847c-bae7-11ea-b4bc-000c29130b71",
"clientkey_base64" : "Y2xpZW50a2V5",
"pub_key_file" : "public_key",
"server_host" : "192.168.57.100",
"server_port" : "45122",
"server_uri" : "/ws"
}

The "clientid" and "clientkey_base64" fields are absent initially; they are added after the first registration with the server.

After installation, the following steps are performed:

  • the kernel module is loaded and registers hooks for system calls;
  • the client registers with the kernel module;
  • the kernel module hides the running client process and its executable file on disk.

A pseudo-device, for example /dev/zero, is used for communication between the client and the kernel module. The kernel module parses all data written to the device; to send data in the opposite direction it delivers the SIGUSR1 signal to the client, after which the client reads the data from the same device.

To detect Drovorub, you can analyse network traffic with a NIDS (malicious network activity cannot be detected on the infected system itself, since the kernel module hides the network sockets it uses, the netfilter rules, and the packets that could otherwise be captured through raw sockets). On a system where Drovorub is installed, the kernel module can be detected by sending it the file-hide command:

touch testfile
echo "ASDFZXCV:hf:testfile" > /dev/zero
ls

The newly created "testfile" file becomes invisible.
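The same touch / echo / ls check can be run from a script so that it can be scheduled across a fleet or wrapped into an incident-response playbook. The function below is an added example written for this article, not code from the NSA/FBI report: it creates a probe file in a scratch directory, writes the hide command quoted above to /dev/zero, and then checks whether the file has vanished from the directory listing. On a clean system writing to /dev/zero is a no-op and the file stays visible, so the function returns False; True means a kernel component intercepted the command and hid the file; None means /dev/zero was not writable, so the check is inconclusive rather than negative. The probe file name "drovorub_probe" is this example's own choice.

```python
import os
import tempfile

# Command prefix and "hf" (hide file) verb exactly as quoted in the article.
HIDE_PREFIX = "ASDFZXCV"


def probe_hide_file(directory, name="drovorub_probe"):
    """Reproduce the article's file-hide test in the given directory.

    Returns True if the file disappears from the listing (something acted on
    the hide command), False if it stays visible (expected on a clean host),
    and None if /dev/zero could not be written, in which case nothing was
    tested.
    """
    path = os.path.join(directory, name)
    with open(path, "w"):
        pass  # equivalent of `touch testfile`
    try:
        with open("/dev/zero", "w") as dev:
            dev.write(f"{HIDE_PREFIX}:hf:{name}\n")  # the `echo ... > /dev/zero` step
    except OSError:
        os.remove(path)
        return None
    visible = name in os.listdir(directory)  # the `ls` step
    try:
        os.remove(path)
    except FileNotFoundError:
        # A rootkit may hide the file from unlink too; leave it and move on.
        pass
    return not visible


def probe_in_temp_dir():
    """Run the probe in a fresh temporary directory and clean up afterwards."""
    with tempfile.TemporaryDirectory() as scratch:
        return probe_hide_file(scratch)


if __name__ == "__main__":
    verdict = probe_in_temp_dir()
    if verdict is None:
        print("inconclusive: /dev/zero is not writable from this account")
    elif verdict:
        print("ALERT: probe file was hidden after the hide command")
    else:
        print("probe file stayed visible; no response to the hide command")
```

Keep in mind that the check only detects the specific command interface described in the report; a variant that changes the prefix or the verb would pass it, which is why the report's Snort and Yara rules, plus memory and disk analysis, remain the primary detection methods.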

Other detection methods include analysis of memory and disk contents. To prevent infection, it is recommended to enforce mandatory signature verification of the kernel and its modules, which has been available since Linux kernel version 3.7.

The report includes Snort rules for detecting Drovorub network activity and Yara rules for detecting its components.

Recall that the 85th GTsSS GRU (military unit 26165) is associated with the APT28 (Fancy Bear) group, which is responsible for many cyber attacks.

Source: opennet.ru