安全威胁早期预警:新的mirai僵尸网络变种正在端口23和2323上积极传播
【2017-11-28 更新】
- 原文中提到的两个C2均已被安全社区sinkhole。
- 原文中的 admin/CentryL1nk 是 admin/CenturyL1nk 的笔误。
大约60个小时以前,从2017-11-22 11:00开始,360网络安全研究院注意到在端口2323和23上的扫描流量有一个暴涨现象。其中主要扫描者,大约10万个扫描IP地址位于阿根廷,同时360网络安全研究院也注意到大约有5千个IP地址来自国内。分析以后,目前比较确定这是一个新的mirai变种。
根因分析
在我们蜜罐中,最近有两个新的用户名密码被频繁使用到,分别是 admin/CentryL1nk 和 admin/QwestM0dem 。值得一提,admin/CentryL1nk 这对用户名密码是针对ZyXEL PK5001Z 调制解调器的,在一份上月底的利用 中被批露。
上述两个用户名密码对,被滥用的初始时间在2017-11-22 11:00附近,在2017-11-23 日间达到顶峰。这个时间曲线与我们在Scanmon上观察到2323/23端口的扫描曲线比较一致。
另外,蜜罐看到的滥用两个用户名密码对的IP地址,与ScanMon上看到的IP来源地址,也有较大重合:
- admin/CentryL1nk : 748 (66.5%) 对 1125
- admin/QwestM0dem : 1175 (69.4%) 对 1694
基于以上IP范围重合程度和时间曲线重合程度,我们认为这就是根本原因。
图1 两个正在被滥用的用户名密码对
图2 端口2323上的扫描暴涨
恶意代码和C2
对应的恶意代码样本如下:
- 0ee0fc76a8d8ad37374f4ac3553d8937
- 018a9569f559bfafbc433dc81caf3ec0
- be6165a3e131cc92d3f7d51284cf70bb
样本中的C2 如下:
- bigboatreps.pw:23
- blacklister.nl:23
目前为止大约10万台感染机器位于阿根廷,国内也有超过5千个IP感染
我们注意到,扫描者IP绝大多数来自阿根廷,过去24小时内有6万5千个,60小时内接近10万个。国内的感染IP也有超过5千个。
图3 绝大多数的感染机器来自阿根廷
我们据此猜测,这次攻击针对某些特定类型的IoT设备,而这些IoT设备在阿根廷被大量部署,这次的情况跟去年德国电信相关事件的情况比较类似。
IoC
C2
bigboatreps.pw:23
blacklister.nl:23
样本md5和下载URL列表
http://80.211.173.20:80/amnyu.arm 0255c6d7b88947c7bc82c9b06169e69d
http://80.211.173.20:80/amnyu.arm 3e72bbab07516010ab537d7236c48a2c
http://80.211.173.20:80/amnyu.arm 6c5cadcc9dbcac55b42d1347f4b51df1
http://80.211.173.20:80/amnyu.arm7 2e5ec99ef2cf8878dc588edd8031b249
http://80.211.173.20:80/amnyu.arm7 359527251c09f4ec8b0ad65ab202f1bb
http://80.211.173.20:80/amnyu.arm7 4c21d1f6acfb0155eb877418bb15001d
http://80.211.173.20:80/amnyu.arm7 5cd69f7c5cd6aef4f4b8e08181028314
http://80.211.173.20:80/amnyu.arm7 794f01740878252e8df257b0511c65df
http://80.211.173.20:80/amnyu.arm7 b0791270cc6b180ff798440f416f6271
http://80.211.173.20:80/amnyu.arm7 eee4ff0e2c9482acea3251c9c2ce6daf
http://80.211.173.20:80/amnyu.arm a6f11eba76debd49ee248b6539c4d83c
http://80.211.173.20:80/amnyu.arm ccc8761335b2d829dff739aece435eac
http://80.211.173.20:80/amnyu.arm dd10fb3ed22a05e27bca3008c0558001
http://80.211.173.20:80/amnyu.arm e090660bbc7c673bf81680648718e39e
http://80.211.173.20:80/amnyu.m68k 1782f07f02d746c13ede8388329921e4
http://80.211.173.20:80/amnyu.m68k 4ccd3036cadcbe2a0c4b28ce4ad77b7b
http://80.211.173.20:80/amnyu.m68k 84d737bc5a1821c2f21489695c2c3a71
http://80.211.173.20:80/amnyu.m68k 8f347206f06b05ea8d2e8ea03f4f92d4
http://80.211.173.20:80/amnyu.m68k 94353157ddcd3cb40a75a5ecc1044115
http://80.211.173.20:80/amnyu.m68k b1c66e2a2ed68087df706262b12ca059
http://80.211.173.20:80/amnyu.m68k b8aedf6ee75e4d6b6beeafc51b809732
http://80.211.173.20:80/amnyu.mips 0ee0fc76a8d8ad37374f4ac3553d8937
http://80.211.173.20:80/amnyu.mips 2aa0c53d7d405fa6ffb7ccb895fb895f
http://80.211.173.20:80/amnyu.mips 56b74e34ddf0111700a89592b5a8b010
http://80.211.173.20:80/amnyu.mips 62fa57f007a32f857a7e1d9fb5e064eb
http://80.211.173.20:80/amnyu.mips 633df071ac6f1d55193fc4c5c8747f2a
http://80.211.173.20:80/amnyu.mips 6eed6b55c5cd893aa584894a07eec32f
http://80.211.173.20:80/amnyu.mips 97c314a2a100ea4987e73e008225d3be
http://80.211.173.20:80/amnyu.mpsl 09d98cbaa9794184841450221d410f15
http://80.211.173.20:80/amnyu.mpsl 21f1ab847a9b27f8aaabcafd9cf59756
http://80.211.173.20:80/amnyu.mpsl 33e1e2803bb70cd0d66911175782c6a1
http://80.211.173.20:80/amnyu.mpsl 4e63eccca00b01b66162fa5258d03956
http://80.211.173.20:80/amnyu.mpsl 7d2c1f3d81a2df7beea99552d0704c2d
http://80.211.173.20:80/amnyu.mpsl 7e0f883f239c922a151aab2500400880
http://80.211.173.20:80/amnyu.mpsl e46cbc10309e970ec267afee496832c9
http://80.211.173.20:80/amnyu.ppc 3dadafe1cc9639a7d374682dafab954c
http://80.211.173.20:80/amnyu.ppc 49e4b3e5d7302c2faf08c1ed585a89ca
http://80.211.173.20:80/amnyu.ppc 80bcea07b752ae4306da5f24f6693bea
http://80.211.173.20:80/amnyu.ppc 9e4caeada13676ddc5b7be44e03fe396
http://80.211.173.20:80/amnyu.ppc a40852f9895d956fe198cb2f2f702ebf
http://80.211.173.20:80/amnyu.ppc a8bde89d2fe98268801b58f42214cdca
http://80.211.173.20:80/amnyu.ppc e968bf902db104c91d3aaa0bb363f1bd
http://80.211.173.20:80/amnyu.sh4 141930ed206ef5f076b2a233b390ea65
http://80.211.173.20:80/amnyu.sh4 1bdaf4cd21fb9cb42d971a25fb183d04
http://80.211.173.20:80/amnyu.sh4 25d3ddb85bf392c273dd93922199628c
http://80.211.173.20:80/amnyu.sh4 39eddba755333e22841b2627a2a19e59
http://80.211.173.20:80/amnyu.sh4 485f2b2a684865ead274bba6931c95c9
http://80.211.173.20:80/amnyu.sh4 56afda94860e8d1ca8a7b9960769020d
http://80.211.173.20:80/amnyu.sh4 9dc0c166e30922d1ea8da06ba46996dc
http://80.211.173.20:80/amnyu.spc 3f0322c0b7379e492a17d3cb4fa2c82e
http://80.211.173.20:80/amnyu.spc 53c60f58ce576071c71ede7df656e823
http://80.211.173.20:80/amnyu.spc 5db44876c3acc0b589c8d696c41b6413
http://80.211.173.20:80/amnyu.spc 651b186b04583f0067d4cc2d95565a95
http://80.211.173.20:80/amnyu.spc a18b4a6250f51c1f350b37e1187292fb
http://80.211.173.20:80/amnyu.spc c5e1a57671dab607b8fa7363ab6582ab
http://80.211.173.20:80/amnyu.spc e6cd9197d443fb9fa79ab103232e2b67
http://80.211.173.20:80/amnyu.x86 018a9569f559bfafbc433dc81caf3ec0
http://80.211.173.20:80/amnyu.x86 1663952daca0c49326fb8fa5585d8eec
http://80.211.173.20:80/amnyu.x86 243d2c8ba1c30fa81043a82eaa7756e7
http://80.211.173.20:80/amnyu.x86 4b375509896e111ef4c3eb003d38077f
http://80.211.173.20:80/amnyu.x86 6371b6b1d030ac7d2cb1b0011230f97f
http://80.211.173.20:80/amnyu.x86 64bda230a3b31a115a29e0afd8df5d8a
http://80.211.173.20:80/amnyu.x86 ed825b8aadee560e5c70ffaa5b441438
http://80.211.173.20/amnyu.arm7 b0791270cc6b180ff798440f416f6271
http://80.211.173.20/amnyu.arm e090660bbc7c673bf81680648718e39e
http://80.211.173.20/amnyu.m68k 4ccd3036cadcbe2a0c4b28ce4ad77b7b
http://80.211.173.20/amnyu.mips 97c314a2a100ea4987e73e008225d3be
http://80.211.173.20/amnyu.mpsl 7d2c1f3d81a2df7beea99552d0704c2d
http://80.211.173.20/amnyu.ppc e968bf902db104c91d3aaa0bb363f1bd
http://80.211.173.20/amnyu.sh4 485f2b2a684865ead274bba6931c95c9
http://80.211.173.20/amnyu.spc 5db44876c3acc0b589c8d696c41b6413
http://80.211.173.20/amnyu.x86 4b375509896e111ef4c3eb003d38077f
http://blacklister.nl/bins/mirai.arm be6165a3e131cc92d3f7d51284cf70bb
http://blacklister.nl/bins/mirai.arm5n c639bc6b50ab0be250147572956a9d6b
http://blacklister.nl/bins/mirai.arm6 8f9c5099e3749d0199262289c9deaa3d
http://blacklister.nl/bins/mirai.arm7 e508956188f2cb71605ae0e8fbdf4a64
http://blacklister.nl/bins/mirai.i486 25846ce769f0bd5b204f440127d51f21
http://blacklister.nl/bins/mirai.i686 d3c82dd5d512304efc6a42018f0bf2a7
http://blacklister.nl/bins/mirai.m68k 3ef657efcfe16ad869a587d30480306f
http://blacklister.nl/bins/mirai.mips b4af22c2b3b1af68f323528ee0bc6637
http://blacklister.nl/bins/mirai.mips64 1e1d6b41a13c97ad3754815021dd0891
http://blacklister.nl/bins/mirai.mpsl 6adb31781db797712d759f564b9761b6
http://blacklister.nl/bins/mirai.ppc 7936cc1d021664892c48408ec1c9143c
http://blacklister.nl/bins/mirai.ppc440fp fd6235e4e1cf4a0f6c2d609a7b1ffc55
http://blacklister.nl/bins/mirai.sh4 5c8ef7f23f26e0e48ab527ef83874213
http://blacklister.nl/bins/mirai.spc 7ce73df7fb50beda2f549f9695a23538
http://blacklister.nl/bins/mirai.x86 539e9bf8c81bd3e9ae520fd74218a6b8
http://blacklister.nl/bins/mirai.x86_64 d69e501480f03f06e4579fa13e47d04a