返回上一页  首页 | cnbeta报时: 16:04:02
Flame恶意软件被设计为可窃取图纸等文件
发布日期:2012-06-05 17:39:28  稿源:

新闻来源:solidot
在Flame恶意程序上周曝光之后,幕后攻击者立即关闭了80多个命令控制服务器。服务器域名是采用化名注册,每个化名最多注册4个域名。上传到服务器的数据包括了计算机辅助软件绘制图纸、电子邮件和PDF文档。
域名最早注册时间是在2008年,使用至少22个不同IP地址,服务器运行Ubuntu Linux发行版。卡巴斯基与GoDaddy和OpenDNS合作,将域名重定向到其控制的服务器上,收集到了恶意程序上传的数据。

https://www.securelist.com/en/images/pictures/klblog/208193544.png

安全研究人员发现,Flame和Duqu有许多共同特征,都对受感染机器上的AutoCAD绘图文件感兴趣。为了限制窃取的文件数量和避免上传无关的文件,Flame会从PDF、电子表格和Word文档中提取1KB样本,压缩和上传样本到命令控制服务器,然后攻击者发出指令抓取他们感兴趣的特定文档。

https://www.securelist.com/en/images/pictures/klblog/208193542.png

https://www.securelist.com/en/images/pictures/klblog/208193547.png

https://www.securelist.com/en/images/pictures/klblog/208193557.png

https://www.securelist.com/en/images/pictures/klblog/208193556.png

与Duqu不同之处是,Duqu会利用SSH端口转发伪装攻击者的真实身份,而Flame则是直接上传到服务器,换句话说,它的幕后攻击者没有Duqu的操作者谨慎。


 Duqu Flame
Server OS CentOS Linux Ubuntu Linux
Control scripts Running on remote server, shielded through SSH port forwarding Running on servers
Number of victims per server 2-3 50+
Encryption of connections to server SSL + proprietary AES-based encryption SSL
Compression of connections No Yes, Zlib and modified PPMD
Number of known C&C’s domains n/a 80+
Number of known C&C IPs 5 15+
Number of proxies used to hide identity 10+ Unknown
Time zone of C&C operator GMT+2 / GMT+3 Unknown
Infrastructure programming .NET Unknown
Locations of servers India, Vietnam, Belgium, UK, Netherlands, Switzerland, Korea, etc... Germany, Netherlands, UK, Switzerland, Hong Kong, Turkey, etc...
Number of built-in C&C IPs/domain in malware 1 5, can update list
SSL certificate self-signed self-signed
Servers status Most likely hacked Most likely bought
SSH connections no yes
我们在FebBox(https://www.febbox.com/cnbeta) 开通了新的频道,更好阅读体验,更及时更新提醒,欢迎前来阅览和打赏。
查看网友评论   返回完整版观看
最新资讯
今日最热

返回上一页  首页 | cnbeta报时: 16:04:02

文字版  标准版  电脑端

© 2003-2025