Catalogue
1. Malware overview
2. Module breakdown
3. Communication protocol
4. Trojan cleanup
1. Malware overview
Trojan.Chikdos.A is a Trojan that lets a remote attacker use the infected computer to launch DDoS attacks.
1. When the Trojan runs, it creates the following files:
   %ProgramFiles%\DbProtectSupport\fake.cfg
   %ProgramFiles%\DbProtectSupport\svchost.exe
2. The Trojan creates a service with the following attributes:
   Display Name: LocalSystem
   Image Path: %ProgramFiles%\DbProtectSupport\svchost.exe
3. The Trojan creates the following registry entries for that service:
   HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\Security\"Security" = "[HEXADECIMAL VALUE]"
   HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"Type" = "dword:00000010"
   HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"Start" = "dword:00000002"
   HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"ObjectName" = "LocalSystem"
   HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"ImagePath" = "expand:"%PROGRAMfILES%\DbProtectSupport\svchost.exe"
   HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"ErrorControl" = "dword:00000001"
   HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"Service" = "DbProtectSupport"
   HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"Legacy" = "dword:00000001"
   HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"DeviceDesc" = "DbProtectSupport"
   HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"ConfigFlags" = "dword:00000000"
   HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"Class" = "LegacyDriver"
   HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\"NextInstance" = "dword:00000001"
4. The Trojan connects over TCP port 59870 to the following domain:
   xxx.xxx.com // configured dynamically when the sample is generated
5. It sends CPU and network information to the remote attacker.
6. It receives commands from the C&C server and launches DDoS attacks according to those commands.
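The file, service, registry and network artefacts above give a defender a concrete host-triage checklist. The following PowerShell script is an added example (not from the original post, nor from Symantec or any other vendor); it assumes an elevated prompt on the suspect Windows host, only reads state and reports, and does not remove anything.

```powershell
# Read-only triage for the Trojan.Chikdos.A host artefacts listed above.
# Assumption: run elevated on the host under investigation (added example).
$svcName = 'DbProtectSupport'
$dropDir = Join-Path $env:ProgramFiles $svcName
$c2Port  = 59870
$findings = @()

# 1. Dropped files: a svchost.exe outside System32 is itself a red flag.
foreach ($f in 'fake.cfg', 'svchost.exe') {
    $p = Join-Path $dropDir $f
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. Running svchost.exe whose image lives under the drop directory.
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like "$dropDir\*" } |
    ForEach-Object { $findings += "Process PID $($_.Id) running from $($_.Path)" }

# 3. Service registration (display name 'LocalSystem' mimics a principal name).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'" `
       -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service '$($svc.Name)' display='$($svc.DisplayName)' " +
                 "path='$($svc.PathName)' state=$($svc.State)"
}

# 4. Registry keys the service and its legacy enum entry leave behind.
$regKeys = @(
    "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName",
    "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($svcName.ToUpper())"
)
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# 5. Live C&C session: any outbound TCP connection to the port the Trojan uses.
Get-NetTCPConnection -RemotePort $c2Port -ErrorAction SilentlyContinue |
    ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += "TCP $($_.LocalAddress) -> $($_.RemoteAddress):$c2Port " +
                     "state=$($_.State) PID=$($_.OwningProcess) ($($owner.ProcessName))"
    }

if ($findings.Count -eq 0) { 'No Chikdos artefacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The same artefact list drives cleanup: stop and delete the service, remove the files and keys, and block the C&C destination, then re-run the script to confirm nothing remains.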
0x1: Propagation method
In principle the propagation method of a malicious program is not fixed; only the one method currently known is listed here.
1. The targets are MySQL servers exposed to SQL injection or protected by weak passwords.
   1) The MySQL server has poor network isolation.
2. The Trojan used for infection is a Windows binary, so the binary stream in the UDF POC is a DLL and the commands are Windows commands.
3. The attacked MySQL servers often run MySQL with high privileges (e.g. root).
   1) The MySQL user has poor (read: overly permissive) grants, e.g. "GRANT ALL".
   2) The MySQL @@GLOBAL.plugin_dir is writeable (likely poor file ACL & no D.A.C such as SELinux / AppArmor).
4. The generated UDF is a DLL file.
Relevant Link:
http://www.sercis.cn/html/935214756.html
http://www.oschina.net/news/67509/mysql-server-malicious-software
https://www.percona.com/blog/2015/10/29/mysql-trojan-chikdos/
http://www.symantec.com/security_response/writeup.jsp?docid=2015-102607-4508-99
https://www.botconf.eu/wp-content/uploads/2014/12/2014-2.10-Chinese-Chicken-Multiplatform-DDoS-Botnets.pdf
2. Module breakdown
Elknot belongs to the same malware family as Chikdos.
Relevant Link:
http://www.vdisk.cn/down/index/19240453
https://www.novetta.com/2015/06/the-trouble-with-elasticsearch-elknot-and-her-big-brother-billgates-malware/
http://phenomite.com/sorting-out-a-linux-virus/
3. Communication protocol
1. Login (check-in) packet
2. C&C command packet
3. Heartbeat (keep-alive) packet
4. Trojan cleanup
Copyright (c) 2016 LittleHann All rights reserved