Duqu: a malicious nesting doll

Introduction

On September 1, 2011, a file named ~DN1.tmp was uploaded to the VirusTotal website from Hungary. At that time the file was detected by only two antivirus engines, BitDefender and AVIRA. This is how the Duqu story began. Looking ahead, it should be said that the Duqu malware family was named after this file. However, this file is a fully independent spyware module with keylogger functionality, probably installed by a malicious downloader-dropper, and it can only be regarded as a "payload" loaded by the Duqu malware during its operation, not as a component (module) of Duqu itself. One of the actual Duqu components was uploaded to VirusTotal only on September 9. Its distinctive feature is a driver digitally signed by C-Media. Some experts immediately began drawing analogies with another famous piece of malware, Stuxnet, which also used signed drivers. The total number of Duqu-infected computers detected by the various antivirus companies worldwide is only a few dozen. Many companies claim that Iran was once again the primary target, but judging by the geographical distribution of infections, this cannot be stated with certainty.
In this case, one can speak with confidence only of yet another campaign carrying the fashionable new label APT (advanced persistent threat).

System infection process

An investigation by specialists of the Hungarian organization CrySyS (Laboratory of Cryptography and System Security at the Budapest University of Technology and Economics) led to the discovery of the installer (dropper) through which the system was infected. It was a Microsoft Word file carrying an exploit for a vulnerability in the win32k.sys driver (MS11-087, described by Microsoft on November 13, 2011), which is responsible for the TTF font rendering mechanism. The exploit shellcode uses a font called 'Dexter Regular' embedded in the document, with Showtime Inc. listed as the font's creator. As you can see, the creators of Duqu are not strangers to humour: Dexter is a serial killer, the hero of the television series of the same name produced by Showtime. Dexter kills only (where possible) criminals, that is, he breaks the law in the name of the law. Probably, in this way, the Duqu developers are being ironic about the fact that they carry out illegal activities for good purposes. The emails were sent in a targeted manner. The mailing probably used compromised (hacked) computers as intermediaries to make tracing difficult.
So, the Word document contained the following components:

  • the text content;
  • an embedded font;
  • the exploit shellcode;
  • a driver;
  • an installer (DLL library).

On success, the exploit shellcode did the following (in kernel mode):

  • performed a reinfection check: the presence of the 'CF4D' key under the registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1' was checked; if it was present, the shellcode terminated;
  • extracted two files: the driver (sys) and the installer (dll);
  • injected the driver into the service.exe process, which then launched the installer;
  • finally, zeroed itself out in memory.

Because win32k.sys runs under the privileged 'System' account, the Duqu developers elegantly solved both problems at once: unauthorized launch and privilege escalation (when running under a user account with limited rights).
After gaining control, the installer extracted into memory three blocks of data contained within it, holding:

  • the signed driver (sys);
  • the main module (dll);
  • the installer configuration data (pnf).

A date range was specified in the installer configuration data (as two timestamps, start and end). The installer checked whether the current date fell within this range and, if it did not, terminated. The installer configuration data also held the names under which the driver and the main module were saved. The main module was stored on disk in encrypted form.


To start Duqu automatically, a service was created using the driver file, which decrypted the main module on the fly using keys stored in the registry. The main module contains its own configuration data block. At first launch this block was decrypted, the installation date was written into it, and it was then re-encrypted and saved by the main module. Thus, after a successful installation, three files were stored on the affected system: the driver, the main module and its configuration data file, with the latter two stored on disk in encrypted form. All decryption was performed in memory only. This complicated installation procedure was used to minimize the chance of detection by antivirus software.

Main module

According to Kaspersky Lab, the main module (resource 302) was written with MSVC 2008 in pure C, but uses an object-oriented approach. This approach is not typical of malware development. As a rule, such code is written in C to reduce size and to eliminate the implicit calls inherent in C++. A certain symbiosis is present here. In addition, an event-driven architecture was used. Kaspersky Lab staff lean toward the view that the main module was written using a preprocessor extension that allows C code to be written in an object style.
The main module is responsible for receiving commands from the operators. Duqu provides several communication methods: the HTTP and HTTPS protocols, and named pipes. For HTTP(S), the domain names of the command centers were specified, and the ability to work through a proxy server was provided, with a username and password specified. The IP address and host name for the channel were also specified. This data is stored in the main module's configuration data block (in encrypted form).
To use named pipes, Duqu ran its own RPC server implementation. It supported the following seven functions:

  • return the installed version;
  • inject a dll into the specified process and call the specified function;
  • load a dll;
  • start a process by calling CreateProcess();
  • read the contents of the specified file;
  • write data to the specified file;
  • delete the specified file.

Named pipes could be used within the local network to distribute updated modules and configuration data among Duqu-infected computers. In addition, Duqu could act as a proxy server for other infected computers (ones that had no Internet access because of firewall settings on the gateway). Some versions of Duqu lacked the RPC functionality.

Known "payloads"

Symantec found at least four types of payload downloaded on command from the Duqu control center.
Only one of them was resident and compiled as an executable file (exe) saved to disk. The remaining three were implemented as dll libraries. They were loaded dynamically and executed in memory without being saved to disk.

The resident "payload" was a spy module (infostealer) with keylogger functionality. It was the submission of this module to VirusTotal that started the research work on Duqu. The main spy functionality was held in a resource whose first 8 kilobytes contained part of a picture of the galaxy NGC 6745 (as a disguise). It should be recalled here that in April 2012 some media outlets published information (http://www.mehrnews.com/en/newsdetail.aspx?NewsID=1297506) that Iran had been hit by malicious software called "Stars", while the details of the incident were not disclosed. Perhaps it was exactly such a sample of the Duqu "payload" that was discovered in Iran at that time, hence the name "Stars".
The spy module collected the following information:

  • the list of running processes, information about the current user and the domain;
  • the list of logical drives, including network drives;
  • screenshots;
  • network interface addresses and routing tables;
  • a log file of keyboard keystrokes;
  • the titles of open application windows;
  • the list of available network resources (shared resources);
  • a full list of files on all disks, including removable ones;
  • the list of computers in the "network neighbourhood".

Another spy module (infostealer) was a variation of the one already described, but compiled as a dll library; the keylogger functionality, the compiling of the file list and the enumeration of domain computers were removed from it.
The next module (reconnaissance) collected system information:

  • whether the computer is part of a domain;
  • the paths to the Windows system directories;
  • the operating system version;
  • the current user name;
  • the list of network adapters;
  • the system and local time, and the time zone.

The last module (lifetime) increased the value, stored in the main module's configuration data file, of the number of days remaining until the implant stops working. By default this value was set to 30 or 36 days, depending on the Duqu variant, and it decreased by one each day.
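The two time-based gates described above, the installer's start/end window and the main module's day counter that the lifetime payload can raise, decide whether a sample does anything at all when it is run. The model below is an added example for analysts, not Duqu's own code: it shows why a sandbox whose clock lies outside the configured window, or long after the counter has reached zero, observes an inert sample. The class and function names are this example's own, and the dates are constructed.

```python
"""Model of Duqu's time-gated execution as described in the article.

Added example for analysts, not Duqu's own code. It models two checks the
article describes: the installer's [start, end] date window (from the
installer configuration) and the main module's remaining-days counter
(30 or 36 by default, decremented daily, raised by the lifetime payload).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple


@dataclass
class Implant:
    window_start: date                    # installer window, from the installer config (pnf)
    window_end: date
    days_left: int = 30                   # 30 or 36 depending on the Duqu variant
    installed_on: Optional[date] = None   # written into the main module config at first launch


def try_install(implant: Implant, today: date) -> bool:
    """Installer gate: refuse to install when `today` is outside the window.
    Returns True when the implant became installed."""
    if not (implant.window_start <= today <= implant.window_end):
        return False
    implant.installed_on = today
    return True


def advance_one_day(implant: Implant) -> None:
    """Main module's daily decrement; a counter at zero stays at zero."""
    if implant.installed_on is not None and implant.days_left > 0:
        implant.days_left -= 1


def extend_lifetime(implant: Implant, extra_days: int) -> None:
    """Effect of the lifetime payload: raise the stored remaining-days counter."""
    if implant.installed_on is not None:
        implant.days_left += extra_days


def simulate(implant: Implant, first_run: date, horizon_days: int,
             extensions: Optional[Dict[int, int]] = None) -> Tuple[str, object]:
    """Drive the model from `first_run` for `horizon_days`, applying lifetime
    extensions keyed by day offset. Returns one of:
      ("not installed: outside window", None)
      ("expired", <date the counter reached zero>)
      ("active", <days left at the horizon>)
    """
    extensions = extensions or {}
    if not try_install(implant, first_run):
        return ("not installed: outside window", None)
    for offset in range(1, horizon_days + 1):
        if offset in extensions:
            extend_lifetime(implant, extensions[offset])
        advance_one_day(implant)
        if implant.days_left == 0:
            return ("expired", first_run + timedelta(days=offset))
    return ("active", implant.days_left)


if __name__ == "__main__":
    # Constructed window; a sandbox clock of 2011-09-01 would see nothing happen.
    window = (date(2011, 4, 1), date(2011, 4, 30))
    print(simulate(Implant(*window), date(2011, 9, 1), 60))
    print(simulate(Implant(*window), date(2011, 4, 10), 60))
    # Lifetime payload delivered on day 20 keeps a 36-day variant alive.
    print(simulate(Implant(*window, days_left=36), date(2011, 4, 1), 40, {20: 30}))
```

For triage this suggests two checks before concluding that a sample is inert: set the sandbox clock inside the installer's window recovered from the configuration data, and watch the encrypted main-module configuration for the rewritten counter rather than relying on wall-clock observation alone.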

Command centers

On October 20, 2011 (three days after information about the discovery was published), the Duqu operators carried out a procedure to destroy the traces of the command centers' operation. The command centers were located on hacked servers around the world: in Vietnam, India, Germany, Singapore, Switzerland, Great Britain, Holland and South Korea. Interestingly, all of the identified servers were running CentOS versions 5.2, 5.4 or 5.5, in both 32-bit and 64-bit builds. Although all files related to the command centers' operation had been deleted, Kaspersky Lab experts were able to recover some information from LOG files in slack space. The most interesting fact is that on every server the attackers replaced the default OpenSSH 4.3 package with version 5.8. This may indicate that an unknown vulnerability in OpenSSH 4.3 was used to hack the servers. Not all of the systems were used as command centers. Some, judging by errors in the sshd log when attempting to redirect traffic for ports 80 and 443, were used as proxy servers for connecting to the final command centers.

Dates and modules

The Word document distributed in April 2011 and examined by Kaspersky Lab contained an installer-loader driver with a compilation date of August 31, 2007. A similar driver (size 20608 bytes, MD5 EEDCA45BD613E0D9A9E5C69122007F17) in the document found by the CrySyS laboratory has a compilation date of February 21, 2008. In addition, Kaspersky Lab experts found the autorun driver rndismpc.sys (size 19968 bytes, MD5 9AEC6E10C5EE9C05BED93221544C783E) dated January 20, 2008. No components dated 2009 were found. Based on the compilation timestamps of the individual parts of Duqu, its development may date back to early 2007. Its earliest manifestation is associated with the discovery of temporary files of the ~DO type (probably created by one of the spyware modules) with a creation date of November 28, 2008 (see the article "Duqu & Stuxnet: A Timeline of Interesting Events"). The most recent date associated with Duqu was February 23, 2012, contained in an installer-loader driver found by Symantec in March 2012.
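The sizes and MD5 hashes quoted in this section are the only file-level indicators the article gives, and they are enough for a simple host sweep. The script below is an added example, not the article's or any vendor's tooling: it walks a directory tree, hashes only files whose size matches a known indicator (a cheap pre-filter), and reports hash matches. The indicator table is copied from the article; the sample file contents, directory names and function names are constructed for this example.

```python
"""Added example: sweep a directory tree for the Duqu driver indicators
(size in bytes and MD5) quoted in the article. Not the article's own code.
Sizes act as a pre-filter so that only candidate files are hashed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Indicators quoted from the article: MD5 (lowercase hex) -> (size in bytes, description).
DUQU_DRIVER_IOCS: Dict[str, Tuple[int, str]] = {
    "eedca45bd613e0d9a9e5c69122007f17": (20608, "installer-loader driver (CrySyS document sample)"),
    "9aec6e10c5ee9c05bed93221544c783e": (19968, "autorun driver rndismpc.sys (Kaspersky Lab sample)"),
}


def md5_hex(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file through MD5 so large files need not fit in memory.
    MD5 is used only because the published indicators are MD5 values."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root: Path, iocs: Dict[str, Tuple[int, str]] = DUQU_DRIVER_IOCS) -> List[Tuple[str, str]]:
    """Walk `root`, hash only files whose size equals a known indicator size,
    and return (path, description) for every hash match."""
    candidate_sizes = {size for size, _ in iocs.values()}
    hits: List[Tuple[str, str]] = []
    for path in root.rglob("*"):
        try:
            if not path.is_file() or path.stat().st_size not in candidate_sizes:
                continue
            digest = md5_hex(path)
        except OSError:
            continue  # unreadable or vanished file: skip it, keep sweeping
        if digest in iocs:
            hits.append((str(path), iocs[digest][1]))
    return hits


def iocs_for_sample(data: bytes, description: str) -> Dict[str, Tuple[int, str]]:
    """Build an indicator table from raw bytes. Used here only to exercise the
    sweep on constructed content, since the real driver bytes are not on the page."""
    return {hashlib.md5(data).hexdigest(): (len(data), description)}


def demo_sweep() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Run the sweep over a constructed directory. Returns (hits against a
    constructed indicator, hits against the article's real indicators)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = b"constructed sample, not a real Duqu driver"
        (root / "drivers").mkdir()
        (root / "drivers" / "constructed.sys").write_bytes(sample)
        (root / "decoy.sys").write_bytes(sample + b"!")   # different size: never hashed
        constructed = sweep(root, iocs_for_sample(sample, "constructed test indicator"))
        real = sweep(root)
    return ([(Path(p).name, d) for p, d in constructed], real)


if __name__ == "__main__":
    constructed_hits, real_hits = demo_sweep()
    print("constructed indicator:", constructed_hits)
    print("article indicators:", real_hits)   # no hits on constructed files
```

Because the published indicators are MD5 values, a match is strong evidence but a non-match proves nothing against a recompiled or repacked driver; the compilation-timestamp and signer observations in the article are the complementary signals to check when hashes come up empty.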

Sources used:

a series of articles about Duqu by Kaspersky Lab;
the Symantec analytical report "W32.Duqu: The precursor to the next Stuxnet", version 1.4, November 2011 (pdf).

Source: www.habr.com
