Vous utilisez un navigateur obsolète !
L'affichage de la page peut être incorrect.
L’analyse des technologies utilisées par les pirates nous permet de déterminer les axes potentiels d’évolution de l’industrie cybercriminelle et de résister aux futures menaces de manière plus efficace. Vous pouvez également en savoir plus sur le comportement des programmes malveillants dans les systèmes contaminés et sur les méthodes permettant de contrer les menaces.
A family of Linux Trojans. One of its representatives is described below.
A modified version of Linux.DDoS.87 and Linux.DDoS.89. Its main differences from Linux.DDoS.89 are as follows:
The Trojan’s configuration looks as follows:
Number | Value | Purpose |
---|---|---|
3 | listening tun0 | main output to stdin |
4 | Host | Command and control (C&C) server’s IP address |
5 | Port | C&C server’s port |
6 | "https://youtube.com/watch?v=dQw4w9WgXcQ" | |
7 | "/proc/" | runkiller |
8 | "/exe" | runkiller |
9 | " (deleted)" | |
10 | "/fd" | runkiller |
11 | ".anime" | runkiller |
12 | "REPORT %s:%s" | runkiller |
13 | "HTTPFLOOD" | runkiller |
14 | "LOLNOGTFO" | runkiller |
15 | "\x58\x4D\x4E\x4E\x43\x50\x46\x22" | runkiller |
16 | "zollard" | runkiller |
17 | "GETLOCALIP" | |
18 | Host | |
19 | Port | |
20 | "shell" | |
21 | "enable" | |
22 | "system" | |
23 | "sh" | |
24 | "/bin/busybox MIRAI" | |
25 | "MIRAI: applet not found" | |
26 | "ncorrect" | |
27 | "/bin/busybox ps" | |
28 | "/bin/busybox kill -9 " | |
29 | "TSource Engine Query" | |
30 | "/etc/resolv.conf" | |
31 | "nameserver" | |
32 | "Connection: keep-alive" | |
33 | "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" | |
34 | "Accept-Language: en-US,en;q=0.8" | |
35 | "Content-Type: application/x-www-form-urlencoded" | |
36 | "setCookie('" | |
37 | "refresh:" | |
38 | "location:" | |
39 | "set-cookie:" | |
40 | "content-length:" | |
41 | "transfer-encoding:" | |
42 | "chunked" | |
43 | "keep-alive" | |
44 | "connection:" | |
45 | "server: dosarrest" | |
46 | "server: cloudflare-nginx" | |
47 | "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" | User Agent |
48 | "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" | User Agent |
49 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" | User Agent |
50 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36" | User Agent |
51 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7" | User Agent |
All samples of the Trojan use a function that hides the following strings:
def decode(str_enc):
return "".join([chr(ord(x) ^ 0x22) for x in str_enc])
Once launched, the Trojan removes its executable file from the disk, blocks the SIGINT signal with the help of sigprocmask, and sets the parameter SIG_IGN for SIGCHLD and a handler for SIGTRAP.
Then the Trojan tries to open the /dev/watchdog file for reading/writing (/dev/misc/watchdog is also checked) and, if successful, disables the watchdog timer.
ioctl(fd, WDIOC_SETOPTION, WDIOS_DISABLECARD)
The Trojan subsequently opens a root folder and sends a request to the address 8.8.8.8:53 to get the IP address of its network traffic.
Next, the Trojan calculates a function taken from the argv[0] value:
def check(name):
print name
a = [ord(x) for x in name]
sum = (0 - 0x51) & 0xff
for i in [2,4,6,8,10,12]:
z = (~a[i % len(a)] & 0xff)
sum = (sum + z)&0xff
#print "%x %x %x" % (z, sum, sum % 9)
return sum % 9
This function returns a number from 0 to 8 that represents an index in a function array:
off_8055DC0 dd offset bind_socket ; DATA XREF: main+109o
.rodata:08055DC4 dd offset sub_80517E0
.rodata:08055DC8 dd offset sub_8051730
.rodata:08055DCC dd offset create_config
.rodata:08055DD0 dd offset sub_8051760
.rodata:08055DD4 dd offset sub_80523F0
.rodata:08055DD8 dd offset strcopy
.rodata:08055DDC dd offset runkiller
.rodata:08055DE0 dd offset sub_804E900
If argv[0] == “./dvrHelper”, a parental process receives the SIGTRAP signal (for which a handler was previously installed). The handler, in turn, modifies the IP address taken from the configuration and the C&C server’s port to which the Trojan will connect.
Then a listening socket is opened at the address 127.0.0.1:48101. If this port is busy with another process, the Trojan runs a function that finds the process and kills it.
The Trojan subsequently generates a name that looks like a random sequence containing the characters [a-z 0-9] and writes it to argv[0]. Using the prctl function, the process’s name is changed to a random one.
Next, the Trojan creates child processes and terminates the parental one. All further steps are performed in a child process—in particular, a structure containing handlers is filled in. Then a function responsible for scanning telnet nodes and a function that terminates the processes of other Trojans are launched. The Trojan then runs a handler for incoming instructions sent from the C&C server. If the Trojan detects that a connection to a local server is being established, it runs a child process to scan vulnerable telnet nodes and terminates the parental process.
The picture below shows a code fragment for Linux.DDoS.87 (left column) and Linux.Mirai (right column).
Linux.Mirai.3078
Linux.Mirai.3079
Linux.Mirai.3080
Linux.Mirai.3081
Linux.Mirai.3082
Linux.Mirai.3083
Linux.Mirai.3084
Linux.Mirai.3085
Linux.Mirai.3086
Linux.Mirai.3087
Linux.Mirai.3088
Linux.Mirai.3089
Linux.Mirai.3090
Linux.Mirai.3091
Linux.Mirai.3097
Linux.Mirai.3099
Linux.Mirai.3111
Linux.Mirai.3155
Linux.Mirai.3156
Linux.Mirai.3157
Linux.Mirai.3161
Linux.Mirai.3162
Linux.Mirai.3163
Linux.Mirai.3224
Linux.Mirai.3287
Linux.Mirai.3293
Linux.Mirai.3344
Linux.Mirai.3374
Linux.Mirai.3376
Linux.Mirai.3377
Linux.Mirai.3441
Linux.Mirai.3442
Linux.Mirai.3452
Linux.Mirai.3453
Linux.Mirai.3474
Linux.Mirai.3477
Linux.Mirai.3478
Linux.Mirai.3479
Linux.Mirai.3484
Linux.Mirai.3485
Linux.Mirai.3486
Linux.Mirai.3516
Linux.Mirai.3534
Linux.Mirai.3556
Linux.Mirai.3581
Linux.Mirai.3582
Linux.Mirai.3648
Linux.Mirai.3714
Linux.Mirai.3728
Linux.Mirai.3729
Selon les statistiques, un programme sur cinq créé pour Android comporte une vulnérabilité (ou autrement dit, un " trou "), ce qui permet aux pirates de contaminer les appareils.
Le Contrôleur de sécurité au sein de Dr.Web pour Android analyse le système afin de détecter les problèmes de sécurité et propose des solutions pour y remédier.