http://www.cyphort.com/labs/blog/


http://kizzmyanthia.com/?p=104969


http://securelist.com/blog/incidents/57784/shamoon-the-wiper-further-details-part-ii/


Stolen certificate - 8DF46B5FDAC2EB3B4757F99866C199FF2B13427A


The Destover droppers install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the MBR itself. 


The driver is a signed component of RawDisk, a product from EldoS. In short, this software lets user-mode applications work with the file system in cases where the operating system would otherwise restrict the application. You can integrate your project with RawDisk so that your software installs the driver, which then provides kernel-mode access to the file system through the created service 'ElRawDisk'.


The Eldos driver

The fact that the Shamoon creators used the legitimate, signed driver from EldoS's RawDisk is rather confusing.


At first we thought it was done to gain the ability to rewrite the MBR in general, for example on Windows 7, but it turned out that Windows 7 grants access to that disk area even to user-mode applications running as administrator. So Shamoon has to run with administrator privileges anyway, and why its authors used a legitimate driver remains an open question.


You can download a trial package of EldoS RawDisk consisting of header files, lib/dll files, and drivers compiled in release and debug modes for x86 and x64. You can integrate that RawDisk skeleton into your project, which can then use kernel-mode access to the file system via the RawDisk driver. Nevertheless, the driver has an authentication mechanism.

If we take a look at the RawDisk API function Open:

HANDLE Open(IN LPCWSTR DeviceName, IN DWORD DesiredAccess, IN LPCWSTR LicenseKey)

...we'll notice a LicenseKey parameter. Such a key has shown up in Shamoon. When the destructive module opens a handle on the ElRawDisk device, it appends to the device name a string that looks exactly like such a key, for example:

\\?\ElRawDisk\Device\Harddisk0\Partition0#8F71FF7E2831A05D0B88FDAACFAC818E936FCAAA453404180419662BED76E9D70384F056F03ADF3C917CB8C3EE12832F7A7EC3E234BC7FBD0476CFC9F58AC1A1C248DA06E531D133A071

Such a key is easily obtained by placing an order on the EldoS site during the RawDisk installation routine.

You fill out a form to get an evaluation key and receive the code by e-mail at the address used during registration. Of course, the key is valid only for a limited period, and the driver checks whether the trial end date has already passed. This is why, every time before opening an ElRawDisk device, the Shamoon malware runs a date-changing routine: the system date is set to a random day between the 1st and the 20th of August 2012.

We also noticed that the EldoS driver abused by Shamoon checks for the following values passed in the device name parameter, which can appear at the very start of the device name string:

\#{9A6DB7D2-FECF-41ff-9A92-6EDA696613DF}#

\#{8A6DB7D2-FECF-41ff-9A92-6EDA696613DE}#

These are control codes that tell the driver how to handle a request. The Shamoon malware, however, does not use these codes when calling the RawDisk open function.

In addition, the driver checks whether the file name of the program working with the file system through the driver is RawDiskSample.exe; if so, the driver considers the call to come from a trusted application and the check passes. This defeats all the other verification meant to stop anyone without a license from easily using the driver's functionality. It would certainly be better to remove this condition from the driver.
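As an added worked example (not code from Securelist or EldoS, and not the driver's actual logic), the following Python models the device-name handling described above: the '#'-separated license key, the optional control-code GUID at the start of the string, the trial-expiry check that Shamoon sidesteps by resetting the clock, and the RawDiskSample.exe image-name shortcut. The device string, key, GUIDs and image name are the ones quoted on the page; the order of the checks, the trial end date, the caller image name 'wiper.exe' and the assumption that a control code is written as '\#{GUID}#' directly in front of the device path are mine.

```python
"""Model of the ElRawDisk open-request checks described above.

Added example, not EldoS or Securelist code. The device string, license key,
control-code GUIDs and trusted image name are the ones quoted on the page; the
order of the checks, the trial end date and the sample caller image name are
assumptions made for illustration.
"""
import random
import re
from datetime import date

ELRAWDISK_PREFIX = r"\\?\ElRawDisk"
TRUSTED_IMAGE = "RawDiskSample.exe"   # image name the driver trusts unconditionally
CONTROL_CODES = {
    "{9A6DB7D2-FECF-41ff-9A92-6EDA696613DF}",
    "{8A6DB7D2-FECF-41ff-9A92-6EDA696613DE}",
}
CONTROL_CODES_UPPER = {c.upper() for c in CONTROL_CODES}

# Device string Shamoon passes to Open(): target device, '#', license key.
SHAMOON_DEVICE_NAME = (
    r"\\?\ElRawDisk\Device\Harddisk0\Partition0#"
    "8F71FF7E2831A05D0B88FDAACFAC818E936FCAAA453404180419662BED76E9D7"
    "0384F056F03ADF3C917CB8C3EE12832F7A7EC3E234BC7FBD0476CFC9F58AC1A1"
    "C248DA06E531D133A071"
)
TRIAL_END = date(2012, 8, 31)  # constructed: any day after 20 Aug 2012 fits the story

# Assumed layout of a control code: '\#{GUID}#' at the very start of the string.
CONTROL_RE = re.compile(r"^\\#(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})#")


def parse_device_name(name):
    """Split a device string into control code, target device path and license key."""
    control = None
    m = CONTROL_RE.match(name)
    if m:
        control = m.group(1)
        name = name[m.end():]
    if not name.startswith(ELRAWDISK_PREFIX):
        raise ValueError("not an ElRawDisk device name: %r" % name)
    target, sep, key = name[len(ELRAWDISK_PREFIX):].partition("#")
    return {"control_code": control, "target": target, "license_key": key if sep else None}


def targets_whole_disk(name):
    """Partition0 on Windows denotes the whole physical disk, i.e. MBR-level access."""
    return parse_device_name(name)["target"].lower().endswith(r"\partition0")


def as_date(value):
    """Accept a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def shamoon_style_date(seed=None):
    """Shamoon sets the clock to a random day, 1..20 August 2012, before opening the device."""
    return date(2012, 8, random.Random(seed).randint(1, 20))


def model_open_check(device_name, caller_image, system_date, known_keys, trial_end=TRIAL_END):
    """Return why the modelled driver accepts or rejects an open request.

    The three conditions are the ones the text names; their order is an assumption.
    """
    if caller_image.lower() == TRUSTED_IMAGE.lower():
        return "trusted-image"            # the shortcut that bypasses everything else
    parsed = parse_device_name(device_name)
    code = parsed["control_code"]
    if code is not None and code.upper() not in CONTROL_CODES_UPPER:
        return "bad-control-code"
    key = parsed["license_key"]
    if key is None:
        return "no-key"
    if key not in known_keys:
        return "unknown-key"
    if as_date(system_date) > trial_end:
        return "trial-expired"
    return "ok"


if __name__ == "__main__":
    known = {parse_device_name(SHAMOON_DEVICE_NAME)["license_key"]}
    # Real clock after the trial: the evaluation key is rejected.
    print(model_open_check(SHAMOON_DEVICE_NAME, "wiper.exe", "2012-12-01", known))
    # After Shamoon's date reset: same key, same caller, now accepted.
    print(model_open_check(SHAMOON_DEVICE_NAME, "wiper.exe", shamoon_style_date(), known))
    # No key at all, but the trusted image name: accepted anyway.
    print(model_open_check(ELRAWDISK_PREFIX + r"\Device\Harddisk0\Partition0",
                           TRUSTED_IMAGE, "2012-12-01", set()))
```

The model makes the two weaknesses the text describes concrete: the expiry check depends entirely on the system clock the caller controls, and the image-name shortcut accepts any binary named RawDiskSample.exe regardless of key or date. For detection, the parsed target is the useful field: an open on \Device\HarddiskN\Partition0 through ElRawDisk is a whole-disk write capability, not a file-system operation.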


http://www.fitsec.com/blog/index.php/2012/02/19/new-piece-of-malicious-code-infecting-routers-and-iptvs/

http://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2014-120115-3009-99

http://www.exploit-db.com/wp-content/themes/exploit/docs/26472.pdf

http://www.theregister.co.uk/2014/09/09/linux_modem_bot/

http://protectyournet.blogspot.kr/2013_08_01_archive.html


http://vierko.org/tech/lightaidra-0x2012/


Lightaidra seems to date back to 2012. It works over IRC: it scans for vulnerable devices and also carries out attacks on direct IRC commands. Because it is built for many platforms (mips, mipsel, arm, ppc, x86/x86-64, superh), a wide range of Linux-based devices can be targets: APs, modems, VoIP devices, IPTV boxes, IP cameras, smartphones and so on.


According to the link above, it mainly targets Linux devices that expose Telnet with a default password or no password at all. Telnet is the primary route, but against old D-Link and Netgear firmware it also exploits a bug in /cgi-bin/firmwarecfg to obtain the device's credentials. (http://yae.prv.pl/adam-cou14/access-d-link-router.html)


The samples identified so far still contain HTTP request logic for the vulnerable firmwarecfg, so that vector appears to be in use still; the main attack routine, however, is expected to rely on weak Telnet accounts on the target host.




Hmm..


 
