National Security Agency and US Federal Bureau of Investigation
The Drovorub control server takes the path to a JSON configuration file as a command-line argument:
{
  "db_host" : "",
  "db_port" : "",
  "db_db" : "",
  "db_user" : "",
  "db_password" : "",
  "lport" : "",
  "lhost" : "",
  "ping_sec" : "",
  "priv_key_file" : "",
  "phrase" : ""
}
MySQL is used as the backend DBMS; clients connect over the WebSocket protocol.
The client ships with a built-in configuration that includes the server URL, the RSA public key, a username and a password. After the rootkit is installed, this configuration is stored as a JSON text file that the Drovorub kernel module hides on the system:
{
  "id" : "cbcf6abc-466b-11e9-853b-000c29cb9f6f",
  "key" : "Y2xpZW50a2V5"
}
Here "id" is a unique identifier issued by the server; its last 48 bits match the MAC address of the server's network interface. By default the "key" parameter is the base64 encoding of "clientkey", which the server uses during the initial handshake. The configuration file can additionally list the files, modules and network ports to be hidden:
{
  "id" : "6fa41616-aff1-11ea-acd5-000c29283bbc",
  "key" : "Y2xpZW50a2V5",
  "monitor" : {
    "file" : [
      {
        "active" : "true",
        "id" : "d9dc492b-5a32-8e5f-0724-845aa13fff98",
        "mask" : "testfile1"
      }
    ],
    "module" : [
      {
        "active" : "true",
        "id" : "48a5e9d0-74c7-cc17-2966-0ea17a1d997a",
        "mask" : "testmodule1"
      }
    ],
    "net" : [
      {
        "active" : "true",
        "id" : "4f355d5d-9753-76c7-161e-7ef051654a2b",
        "port" : "12345",
        "protocol" : "tcp"
      }
    ]
  }
}
The other Drovorub component is the agent; its configuration file holds the details for connecting to the server:
{
  "client_login" : "user123",
  "client_pass" : "pass4567",
  "clientid" : "e391847c-bae7-11ea-b4bc-000c29130b71",
  "clientkey_base64" : "Y2xpZW50a2V5",
  "pub_key_file" : "public_key",
  "server_host" : "192.168.57.100",
  "server_port" : "45122",
  "server_uri" : "/ws"
}
The "clientid" and "clientkey_base64" fields are absent at first; they are added after the agent's initial registration with the server.
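To make the two layouts concrete, here is an added Python example (not code from the report or from Drovorub itself) that parses a client configuration and an agent configuration and pulls out what an analyst would want from a recovered file: the server MAC carried in the id, the decoded key, the active hide masks and ports, and the agent's server endpoint and credentials. The sample configurations are constructed from the values shown above (the extra inactive "net" entry is made up to exercise the "active" filter). Treating the ids as RFC 4122 version-1 UUIDs, whose node field holds the 48-bit MAC, is an assumption based on the sample values, which do carry the version-1 marker.

```python
import base64
import json
import uuid

# Constructed sample in the client-config layout described above (values as in
# the report's example, plus one made-up inactive "net" entry to exercise the
# "active" filter).
CLIENT_CONFIG = """
{
  "id" : "6fa41616-aff1-11ea-acd5-000c29283bbc",
  "key" : "Y2xpZW50a2V5",
  "monitor" : {
    "file" : [
      { "active" : "true", "id" : "d9dc492b-5a32-8e5f-0724-845aa13fff98", "mask" : "testfile1" }
    ],
    "module" : [
      { "active" : "true", "id" : "48a5e9d0-74c7-cc17-2966-0ea17a1d997a", "mask" : "testmodule1" }
    ],
    "net" : [
      { "active" : "true",  "id" : "4f355d5d-9753-76c7-161e-7ef051654a2b", "port" : "12345", "protocol" : "tcp" },
      { "active" : "false", "id" : "00000000-0000-0000-0000-000000000000", "port" : "22",    "protocol" : "tcp" }
    ]
  }
}
"""

# Constructed sample in the agent-config layout (values as in the report's example).
AGENT_CONFIG = """
{
  "client_login" : "user123",
  "client_pass" : "pass4567",
  "clientid" : "e391847c-bae7-11ea-b4bc-000c29130b71",
  "clientkey_base64" : "Y2xpZW50a2V5",
  "pub_key_file" : "public_key",
  "server_host" : "192.168.57.100",
  "server_port" : "45122",
  "server_uri" : "/ws"
}
"""


def server_mac_from_id(id_str):
    """Recover the server MAC from a server-issued id.

    Assumption: the ids are RFC 4122 version-1 UUIDs (the samples carry the
    version-1 marker), whose 48-bit node field is the MAC the text refers to.
    Anything else returns None instead of a guessed address.
    """
    try:
        u = uuid.UUID(id_str)
    except ValueError:
        return None
    if u.version != 1:
        return None
    return ":".join(f"{b:02x}" for b in u.node.to_bytes(6, "big"))


def _active(entries):
    # The report's samples store the flag as the string "true"; accept a bool too.
    return [e for e in entries if e.get("active") in ("true", True)]


def extract_indicators(config_text):
    """Return host and network indicators from either config layout."""
    cfg = json.loads(config_text)
    ident = cfg.get("id") or cfg.get("clientid")
    key_b64 = cfg.get("key") or cfg.get("clientkey_base64")
    monitor = cfg.get("monitor", {})
    ind = {
        "server_mac": server_mac_from_id(ident) if ident else None,
        "key": base64.b64decode(key_b64).decode("ascii", "replace") if key_b64 else None,
        "hidden_files": [e["mask"] for e in _active(monitor.get("file", []))],
        "hidden_modules": [e["mask"] for e in _active(monitor.get("module", []))],
        "hidden_ports": [(e["protocol"], int(e["port"])) for e in _active(monitor.get("net", []))],
        "server_endpoint": None,
        "credentials": None,
    }
    if "server_host" in cfg:  # agent layout: where it connects (WebSocket URI)
        ind["server_endpoint"] = f'{cfg["server_host"]}:{cfg["server_port"]}{cfg.get("server_uri", "")}'
    if "client_login" in cfg:
        ind["credentials"] = (cfg["client_login"], cfg.get("client_pass"))
    return ind


if __name__ == "__main__":
    for label, text in (("client", CLIENT_CONFIG), ("agent", AGENT_CONFIG)):
        print(label, json.dumps(extract_indicators(text), indent=2))
```

The MAC recovered from the id (00:0c:29:... in the report's samples, a VMware OUI) identifies the server host that issued it, which is a useful pivot when several recovered configs are compared; the decoded key and the agent credentials are what the server-side handshake and login expect, so they belong in the incident's indicator set.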
After installation the following happens:
- the kernel module is loaded and registers hooks on system calls;
- the client registers with the kernel module;
- the kernel module hides the running client process and its executable on disk.
A pseudo-device, /dev/zero, is used for communication between the client and the kernel module. The kernel module parses everything written to the device; for the opposite direction it sends SIGUSR1 to the client, which then reads the data from the same device.
Drovorub can be detected by analysing network traffic with a NIDS (malicious network activity cannot be detected on the infected system itself, because the kernel module hides the sockets it uses, the netfilter rules and the packets that raw sockets could otherwise capture). On a system where Drovorub is installed, the kernel module can be revealed by sending it a command to hide a file:
touch testfile
echo "ASDFZXCV:hf:testfile" > /dev/zero
ls
If the module is present, the newly created "testfile" disappears from the listing.
Other detection methods include memory and disk forensics. To prevent infection, it is recommended to enforce signature verification of the kernel and its modules, available since Linux kernel 3.7.
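The manual check above can be scripted. The following Python is an added example, not part of the report: it sends the same /dev/zero hide command for a randomly named temporary file and reports whether the file stayed visible, and it reads the kernel's module signature-enforcement flag from sysfs as a check on the hardening recommendation. The "ASDFZXCV" prefix and "hf" subcommand are the ones shown above; the result labels, the random file name and the sysfs-based check are added here. Keep the caveat in mind: the same hooks that hide files can hide or falsify anything else the host reports, so a "clean" result from an on-host check is weaker evidence than NIDS or offline forensics.

```python
import os
import secrets
import tempfile

MAGIC = "ASDFZXCV"      # command prefix shown in the manual check above
HIDE_FILE = "hf"        # "hide file" subcommand from the same check
SIG_ENFORCE = "/sys/module/module/parameters/sig_enforce"


def drovorub_hide_check(directory=None):
    """Scripted version of the touch / echo / ls check.

    Returns "infected" if the file vanishes after the hide command, "clean" if it
    stays visible, "unknown" if the probe could not be run (no writable
    /dev/zero or temp dir, e.g. in a sandbox). Labels are chosen here, not taken
    from the report.
    """
    directory = directory or tempfile.gettempdir()
    # Random name: on an infected host the file stays hidden after the test, so a
    # fixed name like "testfile" would silently collide on the next run.
    name = "drvchk_" + secrets.token_hex(4)
    path = os.path.join(directory, name)
    try:
        with open(path, "w") as f:
            f.write("probe\n")
    except OSError:
        return "unknown"
    try:
        try:
            with open("/dev/zero", "w") as dev:
                # Same command the manual check sends; the module parses every write.
                dev.write(f"{MAGIC}:{HIDE_FILE}:{name}\n")
        except OSError:
            return "unknown"
        in_listing = name in os.listdir(directory)   # what "ls" relies on
        stat_ok = os.path.exists(path)                # direct lookup, in case only the listing is hooked
        return "clean" if (in_listing and stat_ok) else "infected"
    finally:
        try:
            os.remove(path)   # on an infected host this fails: the module hides the file
        except OSError:
            pass


def module_signing_enforced():
    """Check the hardening recommendation above.

    True: the running kernel refuses unsigned modules (sig_enforce=Y);
    False: unsigned modules load but taint the kernel; None: the kernel was
    built without module signing (sysfs knob absent) or it is not readable.
    A rootkit that already hooks the kernel can of course lie here too.
    """
    try:
        with open(SIG_ENFORCE) as f:
            return f.read().strip() == "Y"
    except OSError:
        return None


if __name__ == "__main__":
    print("hide check:", drovorub_hide_check())
    print("module signature enforcement:", module_signing_enforced())
```

Run it as root or as any user that can write to /dev/zero; on a host where the check returns "infected", do not rely on further commands from that shell, and move to memory acquisition and an offline disk image, as the report advises.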
The report includes Snort rules for detecting Drovorub network activity and YARA rules for detecting its components.
Recall that the 85th GTsSS of the GRU (military unit 26165) is linked to this group.
Source: opennet.ru