Drovorub malware targets Linux systems

The US National Security Agency and the Federal Bureau of Investigation have published a report stating that the 85th Main Special Service Center of the Main Directorate of the General Staff of the Armed Forces of Russia (85th GTsSS GRU) uses a malware suite called "Drovorub". Drovorub consists of a rootkit implemented as a Linux kernel module, a tool for file transfer and port forwarding, and a command-and-control server. The client component can download and upload files, execute arbitrary commands as root, and forward network ports to other hosts on the network.

The Drovorub server receives the path to a configuration file in JSON format as a command-line argument:

{
  "db_host" : "",
  "db_port" : "",
  "db_db" : "",
  "db_user" : "",
  "db_password" : "",

  "lport" : "",
  "lhost" : "",
  "ping_sec" : "",

  "priv_key_file" : "",
  "phrase" : ""
}

MySQL is used as the database backend. Clients connect to the server over the WebSocket protocol.

The client has a built-in configuration that includes the server URL, an RSA public key, a username and a password. After the rootkit is installed, the configuration is saved as a JSON text file, which the Drovorub kernel module hides on the system:

{
  "id" : "cbcf6abc-466b-11e9-853b-000c29cb9f6f",
  "key" : "Y2xpZW50a2V5"
}

Here "id" is a unique identifier issued by the server; its last 48 bits correspond to the MAC address of the server's network interface. By default the "key" parameter is the base64-encoded string "clientkey", which the server uses during the initial handshake. In addition, the configuration file may contain information about hidden files, modules and network ports:

{
  "id" : "6fa41616-aff1-11ea-acd5-000c29283bbc",
  "key" : "Y2xpZW50a2V5",
  "monitor" : {
    "file" : [
      {
        "active" : "true",
        "id" : "d9dc492b-5a32-8e5f-0724-845aa13fff98",
        "mask" : "testfile1"
      }
    ],
    "module" : [
      {
        "active" : "true",
        "id" : "48a5e9d0-74c7-cc17-2966-0ea17a1d997a",
        "mask" : "testmodule1"
      }
    ],
    "net" : [
      {
        "active" : "true",
        "id" : "4f355d5d-9753-76c7-161e-7ef051654a2b",
        "port" : "12345",
        "protocol" : "tcp"
      }
    ]
  }
}

Another Drovorub component is the agent; its configuration file holds the information needed to connect to the server:

{
  "client_login" : "user123",
  "client_pass" : "pass4567",
  "clientid" : "e391847c-bae7-11ea-b4bc-000c29130b71",
  "clientkey_base64" : "Y2xpZW50a2V5",
  "pub_key_file" : "public_key",
  "server_host" : "192.168.57.100",
  "server_port" : "45122",
  "server_uri" : "/ws"
}

The "clientid" and "clientkey_base64" fields are absent initially; they are added after the first registration with the server.
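The two configuration layouts above are the artifacts an analyst is most likely to recover from an infected host, so here is a triage helper for them. This is an added example, not code from the NSA/FBI report or from opennet.ru; it relies only on the JSON layouts quoted above. The function names, the embedded sample configs (constructed to match those layouts) and the decoding of the agent's clientid with the same MAC rule as the client id are this example's own assumptions.

```python
"""Added example, not code from the NSA/FBI report or from opennet.ru: a triage
helper for Drovorub client and agent configuration files recovered from disk or
memory.  It relies only on the JSON layouts quoted above; the function names,
the embedded sample configs and the decoding of the agent's clientid are this
example's own assumptions."""
import base64
import json
import uuid
from typing import List, Tuple

DEFAULT_KEY = b"clientkey"   # base64 "Y2xpZW50a2V5" in the article

# Constructed sample in the client-config layout quoted above.
CLIENT_CONFIG = """{
  "id" : "6fa41616-aff1-11ea-acd5-000c29283bbc",
  "key" : "Y2xpZW50a2V5",
  "monitor" : {
    "file"   : [ {"active" : "true", "id" : "d9dc492b-5a32-8e5f-0724-845aa13fff98", "mask" : "testfile1"} ],
    "module" : [ {"active" : "true", "id" : "48a5e9d0-74c7-cc17-2966-0ea17a1d997a", "mask" : "testmodule1"} ],
    "net"    : [ {"active" : "true", "id" : "4f355d5d-9753-76c7-161e-7ef051654a2b", "port" : "12345", "protocol" : "tcp"} ]
  }
}"""

# Constructed sample in the agent-config layout quoted above, after registration.
AGENT_CONFIG = """{
  "client_login" : "user123",
  "client_pass" : "pass4567",
  "clientid" : "e391847c-bae7-11ea-b4bc-000c29130b71",
  "clientkey_base64" : "Y2xpZW50a2V5",
  "pub_key_file" : "public_key",
  "server_host" : "192.168.57.100",
  "server_port" : "45122",
  "server_uri" : "/ws"
}"""


def mac_from_server_id(ident: str) -> str:
    """The article states that the last 48 bits of the server-issued id are the
    MAC of the server's interface; uuid.UUID.node is exactly those 48 bits."""
    node = uuid.UUID(ident).node
    return ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def _active(entries: list) -> list:
    return [e for e in entries if str(e.get("active", "")).lower() == "true"]


def triage_client_config(text: str) -> dict:
    """Pull out the C2 pivot (server MAC), whether the handshake key is still
    the default, and every file/module/port the rootkit is told to hide."""
    cfg = json.loads(text)
    monitor = cfg.get("monitor", {})
    key = base64.b64decode(cfg.get("key", ""))
    hidden_ports: List[Tuple[str, int]] = [
        (e["protocol"], int(e["port"])) for e in _active(monitor.get("net", []))
    ]
    return {
        "server_mac": mac_from_server_id(cfg["id"]),
        "key_is_default": key == DEFAULT_KEY,
        "hidden_files": [e["mask"] for e in _active(monitor.get("file", []))],
        "hidden_modules": [e["mask"] for e in _active(monitor.get("module", []))],
        "hidden_ports": hidden_ports,
    }


def triage_agent_config(text: str) -> dict:
    """Where the agent connects and whether it has already registered
    (clientid/clientkey_base64 are only written after first contact).
    Decoding the agent's clientid like the client id is an assumption of this
    example; the article only documents that format for the client."""
    cfg = json.loads(text)
    registered = "clientid" in cfg and "clientkey_base64" in cfg
    return {
        "server": (cfg["server_host"], int(cfg["server_port"]), cfg["server_uri"]),
        "registered": registered,
        "server_mac": mac_from_server_id(cfg["clientid"]) if registered else None,
    }


if __name__ == "__main__":
    print(json.dumps(triage_client_config(CLIENT_CONFIG), indent=2))
    print(json.dumps(triage_agent_config(AGENT_CONFIG), indent=2))
```

The server MAC recovered from the id is a pivot for hunting the C2 host on the local network, and the "mask" lists tell you which file names, module names and ports the rootkit is suppressing, so a disk or memory image can be searched for exactly those names rather than relying on the (hooked) live system.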

After installation, the following actions are performed:

  • the kernel module is loaded and registers hooks on system calls;
  • the client registers with the kernel module;
  • the kernel module hides the running client process and its executable file on disk.

A pseudo-device such as /dev/zero is used for communication between the client and the kernel module. The kernel module parses all data written to the device; to send data in the opposite direction, it sends the SIGUSR1 signal to the client, which then reads the data from the same device.

To detect Drovorub, network traffic analysis with a NIDS can be used (malicious network activity cannot be detected on the infected system itself, because the kernel module hides the network sockets it uses, its netfilter rules, and the packets that could otherwise be captured with raw sockets). On a system where Drovorub is installed, the kernel module can be detected by sending it a command to hide a file:

touch testfile
echo "ASDFZXCV:hf:testfile" > /dev/zero
ls

The newly created "testfile" then disappears from the listing.
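The same probe, as an added example that is not part of the article or the report, reimplemented in Python so it can be run unattended from an incident-response toolkit. Only the "ASDFZXCV:hf:<name>" command string is taken from the article; the function name, the return values and the temporary-directory handling are this example's own.

```python
"""Added example, not code from the article or the report: the file-hiding
probe shown above, reimplemented in Python so it can be run unattended from an
IR toolkit.  Only the "ASDFZXCV:hf:<name>" command is taken from the article;
the function name, return values and temp-directory handling are this
example's own."""
import os
import shutil
import tempfile
from typing import Optional

HIDE_FILE_CMD = "ASDFZXCV:hf:{name}"   # hide-file command quoted in the article


def probe_drovorub_hide(device: str = "/dev/zero", workdir: Optional[str] = None) -> bool:
    """Create a throwaway file, issue the hide-file command through the
    pseudo-device, and report whether the file vanished from a directory
    listing (what `ls` shows).  True means something answered the command,
    i.e. a Drovorub-style module is hooking the system calls; False means the
    write was swallowed by the device and nothing changed, as on a clean host.
    """
    tmp = tempfile.mkdtemp(prefix="drovorub_probe_", dir=workdir)
    name = "probe_" + os.urandom(4).hex()      # unique so a stale mask cannot match
    try:
        with open(os.path.join(tmp, name), "w") as f:
            f.write("probe\n")

        # The module parses everything written to the pseudo-device; on a
        # clean host /dev/zero simply discards the bytes.
        with open(device, "w") as dev:
            dev.write(HIDE_FILE_CMD.format(name=name))

        # os.listdir() goes through getdents(), the same path `ls` uses.
        return name not in os.listdir(tmp)
    finally:
        # On an infected host the hidden file is not seen by rmtree and the
        # directory cannot be deleted; ignore that rather than mask the result.
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print("hidden" if probe_drovorub_hide() else "not hidden")
```

Two caveats a responder should keep in mind: on a clean host the write to /dev/zero is harmless, but on an infected host the probe file stays hidden afterwards (the article does not document an unhide command, so none is attempted here), and a negative result only says that nothing answered this particular command on this particular device, not that the host is clean.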

Other detection methods include analysis of memory and of disk contents. To prevent infection, it is recommended to enforce mandatory signature verification for the kernel and its modules, which has been available since Linux kernel 3.7.
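Whether a host actually enforces the mitigation just recommended is easy to get wrong: a kernel built with CONFIG_MODULE_SIG=y signs its own modules but still loads unsigned ones (with a taint) unless CONFIG_MODULE_SIG_FORCE=y or module.sig_enforce=1 is set. The following added example (not from the article or the report) checks both the build config and the runtime setting. The two interfaces it reads are real kernel ones (/proc/config.gz or /boot/config-<release>, and /sys/module/module/parameters/sig_enforce); the function names and the sample config text are constructed for this example.

```python
"""Added example, not code from the article or the report: check whether a
Linux host enforces kernel-module signature verification, the mitigation the
article recommends.  The kernel config file and the sysfs knob
/sys/module/module/parameters/sig_enforce are real interfaces; the function
names and the sample config text below are this example's own."""
import gzip
import os
import platform
from typing import Optional

# Constructed sample: modules are signed, but signatures are not *forced*, so
# an unsigned rootkit module still loads.  This is the weak setting.
SAMPLE_CONFIG_WEAK = """
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA256=y
"""

# The corrected setting: the same config with enforcement turned on.
SAMPLE_CONFIG_HARDENED = SAMPLE_CONFIG_WEAK.replace(
    "# CONFIG_MODULE_SIG_FORCE is not set", "CONFIG_MODULE_SIG_FORCE=y")


def parse_kconfig(text: str) -> dict:
    """Map CONFIG_* symbols to their values ('y', 'm' or a string);
    '# CONFIG_X is not set' lines map to None."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("CONFIG_") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value.strip('"')
        elif line.startswith("# CONFIG_") and line.endswith(" is not set"):
            opts[line[2:-len(" is not set")]] = None
    return opts


def module_sig_enforced(config_text: str, sig_enforce_sysfs: Optional[str] = None) -> dict:
    """Enforcement holds if CONFIG_MODULE_SIG_FORCE=y at build time, or if
    module.sig_enforce=1 was set at boot (sysfs reads "Y").  CONFIG_MODULE_SIG
    alone only signs and taints; it does not block an unsigned module."""
    opts = parse_kconfig(config_text)
    signing = opts.get("CONFIG_MODULE_SIG") == "y"
    force_build = opts.get("CONFIG_MODULE_SIG_FORCE") == "y"
    force_runtime = (sig_enforce_sysfs or "").strip().upper() == "Y"
    return {"signing_supported": signing,
            "enforced": signing and (force_build or force_runtime)}


def read_live_config() -> str:
    """Read the running kernel's build config, or '' if neither source exists."""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as f:
            return f.read()
    boot = f"/boot/config-{platform.release()}"
    if os.path.exists(boot):
        with open(boot) as f:
            return f.read()
    return ""


def read_live_sig_enforce() -> Optional[str]:
    """Runtime value of module.sig_enforce, or None if the knob is absent."""
    try:
        with open("/sys/module/module/parameters/sig_enforce") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    print(module_sig_enforced(read_live_config(), read_live_sig_enforce()))
```

Run it as part of a baseline check: "enforced": False on a host that otherwise looks hardened is exactly the gap an unsigned rootkit module such as Drovorub's needs.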

The report includes Snort rules for detecting Drovorub network activity and YARA rules for detecting its components.

Recall that the 85th GTsSS GRU (military unit 26165) is associated with the APT28 (Fancy Bear) group, which is responsible for numerous cyber attacks.

Source: opennet.ru