您的位置:首页 > 运维架构 > Linux

Linux.BackDoor.Chikdos/Elknot Attack And Defense Analysis

2016-02-20 22:05 549 查看
catalogue

1. 恶意程序概述
2. 模块分解
3. 通信协议
4. 木马清理


1. 恶意程序概述

Trojan.Chikdos.A是一个木马,它允许远程攻击者利用受感染计算机发动DDoS攻击

1. 木马执行时,它创建下列文件
%ProgramFiles%\DbProtectSupport\fake.cfg
%ProgramFiles%\DbProtectSupport\svchost.exe

2. 木马创建以下属性的服务
Display Name: LocalSystem
Image Path: %ProgramFiles%\DbProtectSupport\svchost.exe

3. 木马为上述服务创建以下注册表项
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\Security\"Security" = "[HEXADECIMAL VALUE]"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"Type" = "dword:00000010"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"Start" = "dword:00000002"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"ImagePath" = "expand:"%PROGRAMfILES%\DbProtectSupport\svchost.exe"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"ErrorControl" = "dword:00000001"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"Service" = "DbProtectSupport"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"Legacy" = "dword:00000001"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"DeviceDesc" = "DbProtectSupport"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"ConfigFlags" = "dword:00000000"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\"NextInstance" = "dword:00000001"

4. 木马利用TCP上的59870端口连接到以下域
xxx.xxx.com
//生成的时候动态配置的

5. 将CPU和网络信息发送给远程攻击者
6. 接收C&C端指令,并根据指令进行DDoS攻击


0x1: 传播方式

原则上恶意程序的传播方式是不固定的,这里仅列出目前所知道的一种

1. 攻击目标为存在SQL注入、弱口令的Mysql服务器
1) The MySQL server has poor network isolation
2. 用于感染的恶意木马是windows平台的,所以UDF POC中的二进制数据流是dll数据流、指令也是windows下指令
3. 被攻击的Mysql服务器常常使用高权限(例如root)运行Mysql
1) The MySQL user has poor (read: overly permissive) grants e.g. :GRANT ALL"
2) The MySQL @@GLOBAL.plugin_dir is writeable (likely poor file ACL & no D.A.C such as SELinux / AppArmor)
4. 生成的UDF为dll文件


[b][b][b][b][b][b][b][b][b][b]Relevant Link:[/b][/b][/b][/b][/b][/b][/b][/b][/b][/b]

http://www.sercis.cn/html/935214756.html http://www.oschina.net/news/67509/mysql-server-malicious-software https://www.percona.com/blog/2015/10/29/mysql-trojan-chikdos/ http://www.symantec.com/security_response/writeup.jsp?docid=2015-102607-4508-99 https://www.botconf.eu/wp-content/uploads/2014/12/2014-2.10-Chinese-Chicken-Multiplatform-DDoS-Botnets.pdf


2. 模块分解

与Chikdos同家族的是Elknot

[b][b][b][b][b][b][b][b][b][b][b]Relevant Link:[/b][/b][/b][/b][/b][/b][/b][/b][/b][/b][/b]

http://www.vdisk.cn/down/index/19240453 https://www.novetta.com/2015/06/the-trouble-with-elasticsearch-elknot-and-her-big-brother-billgates-malware/ http://phenomite.com/sorting-out-a-linux-virus/


3. 通信协议

1. login上线包
2. C&C指令包
3. 心跳存活包


4. 木马清理

[b][b][b][b][b][b][b][b][b][b][b][b][b]Copyright (c) 2016 LittleHann All rights reserved[/b][/b][/b][/b][/b][/b][/b][/b][/b][/b][/b][/b][/b]
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息
标签: 
相关文章推荐
新的分享
章节导航