The National Security Agency and the US Federal Bureau of Investigation
The Drovorub control server receives the path to a configuration file in JSON format as a command-line argument:
{
"db_host" : " ",
"db_port" : " ",
"db_db" : " ",
"db_user" : " ",
"db_password" : " ",
"lport" : " ",
"lhost" : " ",
"ping_sec" : " ",
"priv_key_file" : " ",
"phrase" : " "
}
The MySQL DBMS is used as the backend. The WebSocket protocol is used for client connections.
The client has a built-in configuration that includes the server URL, the server's RSA public key, a username and a password. After the rootkit is installed, the configuration is stored as a JSON text file that the Drovorub kernel module hides on the system:
{
"id" : "cbcf6abc-466b-11e9-853b-000c29cb9f6f",
"key" : "Y2xpZW50a2V5"
}
Here "id" is a unique identifier issued by the server, whose last 48 bits correspond to the MAC address of the server's network interface. The default "key" parameter is the base64-encoded string "clientkey", which the server uses during the initial handshake. In addition, the configuration file may contain information about hidden files, modules and network ports:
{
"id" : "6fa41616-aff1-11ea-acd5-000c29283bbc",
"key" : "Y2xpZW50a2V5",
"monitor" : {
"file" : [
{
"active" : "true",
"id" : "d9dc492b-5a32-8e5f-0724-845aa13fff98",
"mask" : "testfile1"
}
],
"module" : [
{
"active" : "true",
"id" : "48a5e9d0-74c7-cc17-2966-0ea17a1d997a",
"mask" : "testmodule1"
}
],
"net" : [
{
"active" : "true",
"id" : "4f355d5d-9753-76c7-161e-7ef051654a2b",
"port" : "12345",
"protocol" : "tcp"
}
]
}
}
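A defender recovering such a client configuration from a disk or memory image wants the facts it encodes (server MAC from the id, whether the handshake key is the default, which files, modules and ports are hidden). The following is an added triage example, not code from the article or from the advisory; the sample configuration is constructed here from the values above, and the recovery of an issue time assumes the id is a version-1 UUID, which the article does not state.

```python
import base64
import json
import uuid
from datetime import datetime, timedelta
# Constructed sample in the client-configuration layout described above (values mirror the article).
SAMPLE_CONFIG = """{
  "id" : "6fa41616-aff1-11ea-acd5-000c29283bbc",
  "key" : "Y2xpZW50a2V5",
  "monitor" : {
    "file"   : [ { "active" : "true", "id" : "d9dc492b-5a32-8e5f-0724-845aa13fff98", "mask" : "testfile1" } ],
    "module" : [ { "active" : "true", "id" : "48a5e9d0-74c7-cc17-2966-0ea17a1d997a", "mask" : "testmodule1" } ],
    "net"    : [ { "active" : "true", "id" : "4f355d5d-9753-76c7-161e-7ef051654a2b", "port" : "12345", "protocol" : "tcp" } ]
  }
}"""

def server_mac_from_id(client_id: str) -> str:
    """The low 48 bits (the UUID 'node' field) carry the server's network interface MAC."""
    node = uuid.UUID(client_id).node
    return ":".join(f"{(node >> shift) & 0xff:02x}" for shift in range(40, -1, -8))

def id_issue_time(client_id: str) -> datetime:
    """Assumption: the id is a version-1 UUID, so its 100 ns timestamp (epoch 1582-10-15) gives the issue time (UTC)."""
    u = uuid.UUID(client_id)
    if u.version != 1:
        raise ValueError("not a time-based UUID")
    return datetime(1582, 10, 15) + timedelta(microseconds=u.time // 10)

def decoded_key(config: dict) -> str:
    """The 'key' is base64; the default handshake value is the string 'clientkey'."""
    return base64.b64decode(config["key"]).decode()

def hidden_items(config: dict) -> dict:
    """Collect the active hide rules: file masks, module masks and (port, protocol) pairs."""
    mon = config.get("monitor", {})
    active = lambda entries: [e for e in entries if e.get("active") == "true"]
    return {
        "files": [e["mask"] for e in active(mon.get("file", []))],
        "modules": [e["mask"] for e in active(mon.get("module", []))],
        "ports": [(int(e["port"]), e["protocol"]) for e in active(mon.get("net", []))],
    }

def triage(text: str) -> dict:
    config = json.loads(text)
    return {
        "server_mac": server_mac_from_id(config["id"]),
        "id_issued": id_issue_time(config["id"]).isoformat(),
        "default_key": decoded_key(config) == "clientkey",
        "hidden": hidden_items(config),
    }

print(json.dumps(triage(SAMPLE_CONFIG), indent=2))
```

The hide rules it lists are the same ones the kernel module will later apply, so they are the items to look for when comparing a disk image against what the live system shows.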
Another component of Drovorub is the agent; its configuration file holds the information needed to connect to the server:
{
"client_login" : "user123",
"client_pass" : "pass4567",
"clientid" : "e391847c-bae7-11ea-b4bc-000c29130b71",
"clientkey_base64" : "Y2xpZW50a2V5",
"pub_key_file" : "public_key",
"server_host" : "192.168.57.100",
"server_port" : "45122",
"server_uri" : "/ws"
}
The "clientid" and "clientkey_base64" fields are absent initially; they are added after the first registration with the server.
After installation, the following actions are performed:
- the kernel module is loaded and registers system call hooks;
- the client registers with the kernel module;
- the kernel module hides the running client process and its executable file on disk.
A pseudo-device, for example /dev/zero, is used for communication between the client and the kernel module. The kernel module intercepts all data written to the device; to pass data in the opposite direction it sends the SIGUSR1 signal to the client, which then reads the data from the same device.
Drovorub can be detected by analysing network traffic with a NIDS (malicious network activity cannot be detected on the infected system itself, since the kernel module hides the network sockets it uses, the netfilter rules, and packets that could otherwise be captured through raw sockets). On a system where Drovorub is installed, the kernel module can be detected by sending it the command to hide a file:
touch testfile
echo "ASDFZXCV:hf:testfile" > /dev/zero
ls
The newly created file "testfile" becomes invisible.
Other detection methods include analysis of memory and disk contents. To prevent infection, it is recommended to enforce mandatory signature verification of the kernel and its modules, available since Linux kernel version 3.7.
The report contains Snort rules for detecting Drovorub network activity and Yara rules for detecting its components.
Recall that the 85th GTsSS of the GRU (military unit 26165) is associated with the group.
Source: opennet.ru