Drovorub malware targets Linux

The US National Security Agency and the Federal Bureau of Investigation have published a report stating that the 85th Main Special Service Center of the Main Directorate of the General Staff of the Russian Armed Forces (85th GTsSS GRU) is using malware called "Drovorub". Drovorub consists of a rootkit implemented as a Linux kernel module, a tool for file transfer and network port redirection, and a command-and-control server. The client component can download and upload files, execute arbitrary commands as the root user, and redirect network ports to other hosts on the network.

The Drovorub control server receives the path to a JSON-format configuration file as a command-line argument:

{
"db_host" : " ",
"db_port" : " ",
"db_db" : " ",
"db_user" : " ",
"db_password" : " ",

"lport" : " ",
"lhost" : " ",
"ping_sec" : " ",

"priv_key_file" : " ",
"phrase" : " "
}

MySQL is used as the backend DBMS. Clients connect to the server over the WebSocket protocol.

The client ships with a built-in configuration that includes the server URL, the server's RSA public key, a username and a password. After the rootkit is installed, the configuration is stored as a JSON text file that the Drovorub kernel module hides on the system:

{
"id" : "cbcf6abc-466b-11e9-853b-000c29cb9f6f",
"key" : "Y2xpZW50a2V5"
}

Here "id" is a unique identifier issued by the server; its last 48 bits correspond to the MAC address of the server's network interface. The "key" parameter defaults to the base64-encoded string "clientkey", which the server uses during the initial handshake. In addition, the configuration file may contain information about hidden files, modules and network ports:

{
"id" : "6fa41616-aff1-11ea-acd5-000c29283bbc",
"key" : "Y2xpZW50a2V5",
"monitor" : {
"file" : [
{
"active" : "true",
"id" : "d9dc492b-5a32-8e5f-0724-845aa13fff98",
"mask" : "testfile1"
}
],
"module" : [
{
"active" : "true",
"id" : "48a5e9d0-74c7-cc17-2966-0ea17a1d997a",
"mask" : "testmodule1"
}
],
"net" : [
{
"active" : "true",
"id" : "4f355d5d-9753-76c7-161e-7ef051654a2b",
"port" : "12345",
"protocol" : "tcp"
}
]
}
}
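A small forensic helper for a recovered client configuration like the one above (an added example, not code from the report or from opennet.ru): it parses the JSON, decodes the handshake key, recovers the server MAC from the last 48 bits of the "id" (the node field of a version-1 UUID) and lists the active hide rules. The sample configuration is constructed from the values shown on this page.

```python
import base64
import json
import uuid

# Constructed sample: the hidden client configuration shown above.
SAMPLE_CONFIG = """{
  "id": "6fa41616-aff1-11ea-acd5-000c29283bbc",
  "key": "Y2xpZW50a2V5",
  "monitor": {
    "file":   [{"active": "true", "id": "d9dc492b-5a32-8e5f-0724-845aa13fff98", "mask": "testfile1"}],
    "module": [{"active": "true", "id": "48a5e9d0-74c7-cc17-2966-0ea17a1d997a", "mask": "testmodule1"}],
    "net":    [{"active": "true", "id": "4f355d5d-9753-76c7-161e-7ef051654a2b",
                "port": "12345", "protocol": "tcp"}]
  }
}"""


def server_mac_from_id(client_id: str) -> str:
    """Return the MAC encoded in the low 48 bits of the id, as aa:bb:cc:dd:ee:ff."""
    node = uuid.UUID(client_id).node  # uuid.node is exactly the last 48 bits
    return ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1))


def summarize(config_text: str) -> dict:
    """Extract the artefacts an analyst wants from a recovered client config."""
    cfg = json.loads(config_text)
    monitor = cfg.get("monitor", {})

    def active(entries):
        # Only rules flagged "active" are currently enforced by the kernel module.
        return [e for e in entries if e.get("active") == "true"]

    return {
        "server_mac": server_mac_from_id(cfg["id"]),
        "uuid_version": uuid.UUID(cfg["id"]).version,
        "handshake_key": base64.b64decode(cfg["key"]).decode(),
        "hidden_files": [e["mask"] for e in active(monitor.get("file", []))],
        "hidden_modules": [e["mask"] for e in active(monitor.get("module", []))],
        "hidden_ports": [(e["protocol"], int(e["port"])) for e in active(monitor.get("net", []))],
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_CONFIG).items():
        print(f"{k:>15}: {v}")
```

The recovered MAC (00:0c:29:28:3b:bc for the sample) identifies the NIC of the server that issued the id, which is useful for correlating several infected hosts to one controller.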

Another Drovorub component is the agent; its configuration file holds the information needed to connect to the server:

{
"client_login" : "user123",
"client_pass" : "pass4567",
"clientid" : "e391847c-bae7-11ea-b4bc-000c29130b71",
"clientkey_base64" : "Y2xpZW50a2V5",
"pub_key_file" : "public_key",
"server_host" : "192.168.57.100",
"server_port" : "45122",
"server_uri" : "/ws"
}

The "clientid" and "clientkey_base64" fields are absent initially; they are added after the first registration with the server.

After installation, the following actions take place:

  • the kernel module is loaded and registers its system call hooks;
  • the client registers with the kernel module;
  • the kernel module hides the running client process and its executable file on disk.

A pseudo-device such as /dev/zero is used for communication between the client and the kernel module. The kernel module intercepts all data written to the device; to send data in the opposite direction, it sends the SIGUSR1 signal to the client, which then reads the data from the same device.

To detect Drovorub, network traffic analysis with a NIDS can be used (malicious network activity cannot be detected on the infected system itself, since the kernel module hides the network sockets it uses, the netfilter rules, and packets that could be intercepted by raw sockets). On a system where Drovorub is installed, the kernel module can be detected by sending it a command to hide a file:

touch testfile
echo "ASDFZXCV:hf:testfile" > /dev/zero
ls

The newly created file "testfile" becomes invisible.

Other detection methods include memory analysis and analysis of disk contents. To prevent infection, it is recommended to enable mandatory signature verification of the kernel and its modules, available since Linux kernel version 3.7.

The report contains Snort rules for detecting Drovorub network activity and Yara rules for detecting its components.

Recall that the 85th GTsSS GRU (military unit 26165) is associated with the APT28 group (Fancy Bear), which is responsible for numerous cyberattacks.

Source: opennet.ru