Duqu: a malicious matryoshka

Introduction

On September 1, 2011, a file named ~DN1.tmp was uploaded to the VirusTotal website from Hungary. At that time the file was detected as malicious by only two antivirus engines, BitDefender and AVIRA. This is how the story of Duqu began. Looking ahead, it should be said that the Duqu malware family was named after this file. However, this file is a fully self-contained spy module with keylogger functionality, probably installed with the help of a malicious dropper, and it can be regarded as a "payload" loaded by the Duqu malware in the course of its operation rather than as an integral part (module) of Duqu. One of the Duqu components proper was uploaded to the VirusTotal service only on September 9. Its distinguishing feature is a driver carrying a digital signature from C-Media. Some experts immediately began drawing parallels with another well-known malware sample, Stuxnet, which also used signed drivers. The total number of Duqu-infected computers found by the various antivirus companies worldwide is in the tens. Many companies claim that Iran was again the main target, but judging by the geography of the infections this cannot be stated with certainty.
In this case one can speak with confidence only of yet another campaign under the new label APT (advanced persistent threat).

Infiltrating the system

Research by experts from the Hungarian organization CrySyS (Laboratory of Cryptography and System Security of the Budapest University of Technology and Economics) led to the discovery of the installer (dropper) through which the system was infected. It was a Microsoft Word file with an exploit for a vulnerability in the win32k.sys driver (MS11-087, described by Microsoft on November 13, 2011) related to the rendering of TTF fonts. The exploit's shellcode uses a font embedded in the document called 'Dexter Regular', with Showtime Inc. credited as the font's designer. As you can see, the Duqu creators are not strangers to humor: Dexter is a serial killer, the hero of the TV series of the same name produced by Showtime. Dexter kills only (where possible) criminals, that is, he breaks the law in the name of the law. Probably the Duqu developers are being ironic in this way about doing illegal things for good purposes. The e-mails were sent in a targeted manner. For sending, compromised (hacked) computers were probably used as intermediaries to make tracing difficult.
The Word document contained the following components:

  • text content;
  • a modified font;
  • exploit shellcode;
  • a driver;
  • an installer (DLL).

On successful execution, the exploit shellcode performed the following actions (in kernel mode):

  • a re-infection check was performed: the presence of the 'CF4D' key was checked in the registry at 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'; if it was there, the shellcode terminated;
  • two files were decrypted, the driver (sys) and the installer (dll);
  • the driver was injected into the services.exe process and started the installer;
  • finally, the shellcode zeroed itself out in memory.

By exploiting win32k.sys, which runs as the 'System' account, the Duqu developers elegantly solved both problems at once: unauthorized launch and privilege escalation (when running under a user account with limited rights).
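
The re-infection marker the shellcode checks is also a convenient host indicator for a responder. The following script is an added example (not code from the article, from Duqu, or from any vendor report): it parses a `.reg` export of the Internet Settings\Zones key, as produced by `reg export`, and reports whether the 'CF4D' marker is present, so the check can run on collected files from any OS. Because the text does not pin down whether 'CF4D' is a value under Zones\1 or a subkey, the check accepts either; the sample exports and their value data are constructed, and the optional live check via `winreg` is only used when the script happens to run on Windows.

```python
"""Offline triage for the re-infection marker the shellcode checks.

Added example; not code from the article, from Duqu, or from any vendor
report.  The shellcode looked for 'CF4D' under
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1
and stopped when it was already there, so the same artefact serves as a
host indicator.  The parser reads a `.reg` export (as written by
`reg export`) and accepts the marker either as a value under Zones\\1 or
as a subkey, since the article does not say which of the two it is.
"""
import re

MARKER_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
              r"\CurrentVersion\Internet Settings\Zones\1")
MARKER_NAME = "CF4D"
MARKER_SUBKEY = MARKER_KEY + "\\" + MARKER_NAME

# .reg lines of interest:   [key path]        "name"=data        @=data
_KEY_RE = re.compile(r"^\[(-?)(.+)\]\s*$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: raw_data}} from .reg text.

    Registry names are case-insensitive, so both levels are lower-cased.
    Hex continuation lines (ending in a backslash) match neither pattern
    and are skipped, which is fine for a presence check.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            if m.group(1) == "-":          # "[-path]" is a deletion directive
                current = None
                continue
            current = m.group(2).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else m.group(1)
            name = name.replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name.lower()] = m.group(3)
    return keys


def marker_present(reg_text):
    """True if the CF4D marker exists as a value under Zones\\1 or as a subkey."""
    keys = parse_reg_export(reg_text)
    if MARKER_SUBKEY.lower() in keys:
        return True
    return MARKER_NAME.lower() in keys.get(MARKER_KEY.lower(), {})


def live_marker_present():
    """Same check against the live registry; returns None when not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    subkey = MARKER_KEY.split("\\", 1)[1]
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
            winreg.QueryValueEx(k, MARKER_NAME)
            return True
    except OSError:
        pass
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey + "\\" + MARKER_NAME))
        return True
    except OSError:
        return False


# Constructed exports for demonstration; the value data is made up.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"DisplayName"="Local intranet"
"Flags"=dword:00000219
"""

MARKED_EXPORT = CLEAN_EXPORT + '"CF4D"=dword:00000001\n'

if __name__ == "__main__":
    print("clean export:", marker_present(CLEAN_EXPORT))
    print("marked export:", marker_present(MARKED_EXPORT))
    print("this host:", live_marker_present())
```

Run it against `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" zones.reg` output collected from a suspect host; absence of the marker does not clear the host (a different build could use a different marker), but presence is a strong, cheap lead.
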
The installer, after gaining control, decrypted three blocks of data in memory containing:

  • the signed driver (sys);
  • the main module (dll);
  • the installer's configuration data (pnf).

The installer's configuration data specifies a date range (in the form of two timestamps, a start and an end). The installer checks whether the current date falls within it and, if not, terminates. The configuration data also specifies the names under which the driver and the main module are stored. The main module is stored on disk in encrypted form.


For Duqu's autostart, a service was created that uses the driver file; the driver decrypts the main module on the fly using keys stored in the registry. The main module contains its own configuration data block. Initially this block was decrypted, the installation date was written into it, and it was then re-encrypted and saved by the main module. Thus, after a successful installation, three files were stored on the affected system: the driver, the main module and the configuration data file, the latter two in encrypted form. All decryption took place in memory only. This elaborate installation procedure was used to minimize detection by antivirus software.

Main module

The main module (resource 302), according to Kaspersky Lab, was written with MSVC 2008 in pure C, but using an object-oriented approach. This approach is unusual for malicious code. As a rule, such code is written in C to reduce its size and to get rid of the implicit calls inherent in C++. Here there is a kind of symbiosis of the two. In addition, an event-driven architecture was used. Kaspersky Lab staff lean toward the theory that the main module was written with a preprocessor add-on that allows writing C code in an object style.
The main module is responsible for receiving commands from the operators. Duqu provides several ways of interacting: over the HTTP and HTTPS protocols, and over named pipes. For HTTP(S), the domain names of the command centers are specified, and it is also possible to work through a proxy server, for which a username and password are provided. For the pipe, an IP address and a channel name are specified. All of this data is stored in the main module's configuration data block (in encrypted form).
For named pipes, a custom RPC server implementation was started. It supported the following seven functions:

  • return the installed version;
  • inject a dll into the specified process and call the specified function;
  • load a dll;
  • start a process by calling CreateProcess();
  • read the contents of the specified file;
  • write data to the specified file;
  • delete the specified file.

Named pipes could be used inside the local network to distribute updated modules and configuration data between Duqu-infected computers. In addition, Duqu could act as a proxy server for other infected computers (those unable to reach the Internet because of firewall settings on the gateway). Some versions of Duqu had no RPC functionality.
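A pipe-based update channel between infected hosts leaves a footprint a defender can hunt for: a never-before-seen pipe name created by a trusted system process, and the same unknown pipe appearing on several hosts. The script below is an added illustration of that hunt and is not Duqu's code or a vendor detection. It assumes pipe-creation telemetry with the fields of Sysmon Event ID 17 (host, pipe name, creating image); every host name, pipe name and image path in it is constructed, and since the article gives no pipe name the logic keys on novelty against a baseline and on spread across hosts rather than on a fixed string.

```python
"""Hunting for an unexpected named-pipe channel with a baseline.

Added illustration of how a defender might look for the pipe-based RPC
channel the article describes; not Duqu's code and not a vendor
detection.  Events are assumed to carry the fields of Sysmon Event ID 17
(PipeEvent: Pipe Created); every host, pipe name and image path here is
constructed.
"""
from collections import defaultdict

# Constructed events from a period the fleet was believed clean: (host, pipe, image)
BASELINE_EVENTS = [
    ("WS01", r"\spoolss", r"C:\Windows\System32\spoolsv.exe"),
    ("WS02", r"\spoolss", r"C:\Windows\System32\spoolsv.exe"),
    ("WS01", r"\lsass",   r"C:\Windows\System32\lsass.exe"),
    ("WS02", r"\lsass",   r"C:\Windows\System32\lsass.exe"),
]

# Constructed events from the period under investigation.  The pipe names are
# placeholders, not Duqu indicators.
SUSPECT_EVENTS = [
    ("WS01", r"\spoolss",           r"C:\Windows\System32\spoolsv.exe"),
    ("WS01", r"\{example-pipe-01}", r"C:\Windows\System32\services.exe"),
    ("WS02", r"\{example-pipe-01}", r"C:\Windows\System32\services.exe"),
    ("WS03", r"\{example-pipe-01}", r"C:\Windows\System32\services.exe"),
    ("WS02", r"\lsass",             r"C:\Windows\System32\lsass.exe"),
    ("WS03", r"\ephemeral-42",      r"C:\Users\Public\tool.exe"),
]


def build_baseline(events):
    """Set of (pipe, image) pairs seen while the fleet was believed clean.
    Names are lower-cased because the object namespace is case-insensitive."""
    return {(pipe.lower(), image.lower()) for _, pipe, image in events}


def find_new_pipes(events, baseline):
    """{pipe: sorted hosts} for creations whose (pipe, image) pair is outside
    the baseline.  A trusted image creating a never-seen pipe is what a
    module injected into a system process (services.exe here) looks like."""
    hits = defaultdict(set)
    for host, pipe, image in events:
        if (pipe.lower(), image.lower()) not in baseline:
            hits[pipe.lower()].add(host)
    return {pipe: sorted(hosts) for pipe, hosts in hits.items()}


def spreading_pipes(new_pipes, min_hosts=2):
    """Unknown pipes present on several hosts: the footprint a LAN-wide
    module-distribution channel would leave.  A one-off pipe on a single
    host stays out of this list and is triaged at lower priority."""
    return {p: h for p, h in new_pipes.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    new = find_new_pipes(SUSPECT_EVENTS, build_baseline(BASELINE_EVENTS))
    for pipe, hosts in spreading_pipes(new).items():
        print(f"pipe {pipe} created outside baseline on {len(hosts)} hosts: {hosts}")
```

The baseline should be built from the same telemetry over a period you trust, and rebuilt after software rollouts; the `min_hosts` threshold is a knob, not a magic number, and a single-host hit is still worth a look when the creating image is a system process.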

Known "payloads"

Symantec identified at least four "payloads" loaded on command from the Duqu command center.
Only one of them, however, was resident and built as an executable file (exe) that was saved to disk. The remaining three were implemented as dll libraries. They were loaded dynamically and executed in memory without being saved to disk.

The resident "payload" was a spy module (infostealer) with keylogger functionality. It was its upload to VirusTotal that started the research into Duqu. The main spy functionality sat in a resource whose first 8 kilobytes contained part of a photo of the galaxy NGC 6745 (as a disguise). It should be recalled here that in April 2012 some media published reports (http://www.mehrnews.com/en/newsdetail.aspx?NewsID=1297506) that Iran had been hit by a piece of malware called "Stars", while the details of the incident were not disclosed. Possibly it was just such a sample of the Duqu "payload" that was found in Iran at the time, hence the name "Stars".
The spy module collected the following information:

  • the list of running processes, information about the current user and domain;
  • the list of logical drives, including network drives;
  • a screenshot;
  • network interface addresses, routing tables;
  • a keystroke log file;
  • the titles of open application windows;
  • the list of available network resources (shares);
  • a full list of files on all drives, including removable ones;
  • the list of computers in the "network neighborhood".

Another spy module (infostealer) was a variant of the one just described, but built as a dll library; the keylogger functions, the file listing and the enumeration of computers in the domain were removed from it.
The next module (reconnaissance) collected system information:

  • whether the computer is part of a domain;
  • the paths to the Windows system directories;
  • the operating system version;
  • the current user name;
  • the list of network adapters;
  • the system and local time, and the time zone.

The last module (lifetime extender) implemented a function that increases the value (stored in the main module's configuration data file) of the number of days remaining until the malware stops operating. By default this value was set to 30 or 36 days depending on the Duqu variant, and it decreased by one each day.

Command centers

On October 20, 2011 (three days after the discovery was made public), the Duqu operators carried out a clean-up to destroy traces of the command centers' operation. The command centers were located on hacked servers around the world: in Vietnam, India, Germany, Singapore, Switzerland, Great Britain, the Netherlands and South Korea. Interestingly, all of the identified servers were running CentOS versions 5.2, 5.4 or 5.5, both 32-bit and 64-bit. Even though all files related to the operation of the command centers had been deleted, Kaspersky Lab experts were able to recover some information from LOG files in unallocated disk space. The most interesting fact is that on every server the attackers replaced the default OpenSSH 4.3 package with version 5.8. This may indicate that an unknown vulnerability in OpenSSH 4.3 was used to hack the servers. Not all of the systems were used as command centers. Some, judging by errors in the sshd logs when redirecting traffic to ports 80 and 443, served as proxies for connecting to the final command centers.
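The sshd errors that gave the relay hosts away are the kind of thing an investigator pulls out of a recovered auth log by hand; the script below is an added example of doing that mechanically, and is not the article's or Kaspersky Lab's tooling. The log lines are constructed; their shape follows the "connect_to <host> port <port>: failed." error OpenSSH writes when a port-forward target cannot be reached, which is an assumption to confirm against the sshd version at hand, and the documentation-range addresses, the `relay` host name and the relay threshold are likewise made up for the example.

```python
"""Pull port-forwarding failures out of sshd logs and group them by port.

Added example, not from the article or any vendor report.  Sample lines
are constructed in the shape of OpenSSH's 'connect_to <host> port <port>:
failed.' error (an assumption about the wording of the sshd at hand).
"""
import re
from collections import Counter, defaultdict

_FORWARD_FAIL = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: connect_to (?P<target>\S+) port (?P<port>\d+): failed"
)

# Constructed log excerpt; addresses are from the documentation ranges.
SAMPLE_LOG = """\
Oct 18 03:12:41 relay sshd[2231]: error: connect_to 203.0.113.10 port 443: failed.
Oct 18 03:12:45 relay sshd[2231]: error: connect_to 203.0.113.10 port 80: failed.
Oct 18 03:13:02 relay sshd[2231]: Accepted publickey for deploy from 198.51.100.7 port 51022 ssh2
Oct 18 03:14:10 relay sshd[2240]: error: connect_to 203.0.113.10 port 443: failed.
Oct 18 03:15:00 relay sshd[2240]: error: connect_to 10.0.0.5 port 5432: failed.
"""


def parse_forward_failures(lines):
    """Return [(pid, target, port)] for every forwarding failure in `lines`."""
    out = []
    for line in lines:
        m = _FORWARD_FAIL.search(line)
        if m:
            out.append((int(m.group("pid")), m.group("target"), int(m.group("port"))))
    return out


def failures_by_port(failures):
    """Counter of destination ports, the quickest view of what was being relayed."""
    return Counter(port for _, _, port in failures)


def web_relay_targets(failures, web_ports=(80, 443)):
    """{target: sorted ports} for targets reached on HTTP/HTTPS ports; on a
    relay these are candidates for the next hop toward the real center."""
    targets = defaultdict(set)
    for _, target, port in failures:
        if port in web_ports:
            targets[target].add(port)
    return {t: sorted(p) for t, p in targets.items()}


def looks_like_relay(failures, web_ports=(80, 443), min_share=0.5):
    """Heuristic: a host whose forwarding activity is mostly aimed at web
    ports was probably relaying C2 traffic.  The default share is made up
    for the example; tune it to the server's normal use."""
    if not failures:
        return False
    web = sum(1 for _, _, p in failures if p in web_ports)
    return web / len(failures) >= min_share


if __name__ == "__main__":
    found = parse_forward_failures(SAMPLE_LOG.splitlines())
    print(failures_by_port(found))
    print(web_relay_targets(found))
    print("relay?", looks_like_relay(found))
```

The value of the port histogram is that it separates relays from ordinary jump hosts: a genuine administrative forward hits database or management ports, whereas a C2 relay's failures cluster on 80 and 443 and on the same one or two targets.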

Dates and modules

A Word document distributed in April 2011 and analyzed by Kaspersky Lab contained an installer-loading driver with a compilation date of August 31, 2007. A similar driver (size 20608 bytes, MD5 EEDCA45BD613E0D9A9E5C69122007F17) in the document that reached the CrySyS laboratory had a compilation date of February 21, 2008. In addition, Kaspersky Lab experts found the autorun driver rndismpc.sys (size 19968 bytes, MD5 9AEC6E10C5EE9C05BED93221544C783E) dated January 20, 2008. No components dated 2009 were found. Judging by the compilation timestamps of Duqu's individual parts, its development may go back to the beginning of 2007. Its earliest manifestation is associated with the discovery of temporary files of the form ~DO (probably created by one of the spy modules) with a creation date of November 28, 2008 (article "Duqu & Stuxnet: A Timeline of Interesting Events"). The most recent date associated with Duqu is February 23, 2012, found in an installer-loading driver discovered by Symantec in March 2012.
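The two drivers above are described by size and MD5, which is enough for a simple file-system sweep. The script below is an added example, not the article's own tooling: the two (size, MD5) pairs are copied from the text, and everything else, including the throwaway files that `demo_constructed()` writes to a temporary directory, is constructed. It uses size as a cheap prefilter and reports size matches without a hash match separately, so a rebuilt or patched variant is surfaced for a human instead of being silently dropped.

```python
"""Match files against the driver IoCs quoted in the article.

Added example, not the article's own tooling.  The two (size, MD5) pairs are
copied from the text; everything else, including the throwaway files built
by demo_constructed(), is constructed.  MD5 is used only because that is
the digest the published indicators are expressed in; it is not an
integrity control.
"""
import hashlib
import os
import tempfile

# md5 (lower-case) -> (size in bytes, label taken from the article)
DUQU_DRIVER_IOCS = {
    "eedca45bd613e0d9a9e5c69122007f17": (20608, "installer-loading driver, CrySyS document"),
    "9aec6e10c5ee9c05bed93221544c783e": (19968, "rndismpc.sys autorun driver"),
}


def md5_of(path, chunk=65536):
    """Stream the file so large volumes can be scanned without loading them."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path):
    """Return (status, label).

    Size is a cheap prefilter: a file whose size matches no indicator is
    never hashed.  A size match without a hash match is reported as
    'size-only' so that near-misses (rebuilt or patched variants) reach a
    human instead of being silently dropped.
    """
    size = os.path.getsize(path)
    candidates = {h: lbl for h, (s, lbl) in DUQU_DRIVER_IOCS.items() if s == size}
    if not candidates:
        return ("clean", None)
    digest = md5_of(path)
    if digest in candidates:
        return ("match", candidates[digest])
    return ("size-only", "; ".join(sorted(candidates.values())))


def scan_tree(root):
    """{path: (status, label)} for every regular file under root."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path):
                results[path] = classify(path)
    return results


def demo_constructed():
    """Build a temp directory with constructed files and scan it: one file of
    an indicator's exact size but different content (expected 'size-only')
    and one unrelated file (expected 'clean')."""
    root = tempfile.mkdtemp(prefix="duqu_ioc_demo_")
    with open(os.path.join(root, "lookalike.sys"), "wb") as f:
        f.write(b"\x00" * 20608)          # right size, wrong bytes
    with open(os.path.join(root, "unrelated.txt"), "wb") as f:
        f.write(b"constructed, nothing to see")
    return {os.path.basename(p): status for p, (status, _) in scan_tree(root).items()}


if __name__ == "__main__":
    for name, status in sorted(demo_constructed().items()):
        print(f"{name}: {status}")
```

Point `scan_tree()` at a mounted image of the suspect system (the `drivers` directory first) rather than at a live host, and treat a `size-only` hit as a lead to be hashed with a stronger digest and compared against a sample, not as a verdict.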

Sources used:

a series of articles about Duqu from Kaspersky Lab;
the Symantec analyst report "W32.Duqu: The precursor to the next Stuxnet", version 1.4, November 2011 (pdf).

source: www.habr.com
