catalogue
1. 恶意程序概述 2. 模块分解 3. 通信协议 4. 木马清理
1. 恶意程序概述
Trojan.Chikdos.A是一个木马,它允许远程攻击者利用受感染计算机发动DDoS攻击
1. 木马执行时,它创建下列文件 %ProgramFiles%\DbProtectSupport\fake.cfg %ProgramFiles%\DbProtectSupport\svchost.exe 2. 木马创建以下属性的服务 Display Name: LocalSystem Image Path: %ProgramFiles%\DbProtectSupport\svchost.exe 3. 木马为上述服务创建以下注册表项 HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\Security\"Security" = "[HEXADECIMAL VALUE]" HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"Type" = "dword:00000010" HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"Start" = "dword:00000002" HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"ObjectName" = "LocalSystem" HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"ImagePath" = "expand:"%PROGRAMfILES%\DbProtectSupport\svchost.exe" HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\DbProtectSupport\"ErrorControl" = "dword:00000001" HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"Service" = "DbProtectSupport" HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"Legacy" = "dword:00000001" HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"DeviceDesc" = "DbProtectSupport" HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"ConfigFlags" = "dword:00000000" HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}" HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\0000\"Class" = "LegacyDriver" HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_DBPROTECTSUPPORT\"NextInstance" = "dword:00000001" 4. 木马利用TCP上的59870端口连接到以下域 xxx.xxx.com //生成的时候动态配置的 5. 将CPU和网络信息发送给远程攻击者 6. 接收C&C端指令,并根据指令进行DDoS攻击
0x1: 传播方式
原则上恶意程序的传播方式是不固定的,这里仅列出目前所知道的一种
1. 攻击目标为存在SQL注入、弱口令的Mysql服务器 1) The MySQL server has poor network isolation 2. 用于感染的恶意木马是windows平台的,所以UDF POC中的二进制数据流是dll数据流、指令也是windows下指令 3. 被攻击的Mysql服务器常常使用高权限(例如root)运行Mysql 1) The MySQL user has poor (read: overly permissive) grants e.g. :GRANT ALL" 2) The MySQL @@GLOBAL.plugin_dir is writeable (likely poor file ACL & no D.A.C such as SELinux / AppArmor) 4. 生成的UDF为dll文件
Relevant Link:
http://www.sercis.cn/html/935214756.html http://www.oschina.net/news/67509/mysql-server-malicious-software https://www.percona.com/blog/2015/10/29/mysql-trojan-chikdos/ http://www.symantec.com/security_response/writeup.jsp?docid=2015-102607-4508-99
2. 模块分解
Relevant Link:
http://www.vdisk.cn/down/index/19240453
3. 通信协议
1. login上线包 2. C&C指令包 3. 心跳存活包
4. 木马清理
Copyright (c) 2016 LittleHann All rights reserved
Linux.BackDoor.Chikdos Attack And Defense Analysis
原文:http://www.cnblogs.com/LittleHann/p/5204121.html