
Techniques of the attackers targeting the WebLogic vulnerability (CVE-2017-10271)

February 24, 2018: presentation material for the 3rd Honeypotter Technical Exchange Meeting (ハニーポッター技術交流会) @morihi_soc #hanipo_tech
https://hanipo-tech.connpass.com/event/78002/

Kazuaki Morihisa

February 24, 2018

Transcript

  1. February 24, 2018, presentation material for the 3rd Honeypotter Technical Exchange Meeting
    Techniques of the attackers targeting the WebLogic vulnerability (CVE-2017-10271)
    @morihi_soc

  2. whoami
    • Kazuaki Morihisa (@morihi_soc)
    • Day job: security engineer / analyst
    • Honeypotter: runs honeypots as a hobby
    • Blog → http://www.morihi-soc.net
    • Organizer of the Honeypotter Technical Exchange Meeting
    • Group → https://hanipo-tech.connpass.com

    ← The blog's "Honeypot Observation Records" became a book
    Released [date not legible in the transcript]
    E-book edition and a free sample edition are available

    "Honeypot Observation Records: Analyzing the Footprints of Cyber Attacks"
    Author: Kazuaki Morihisa
    Publisher: Shuwa System

    Events I have been involved with so far:
    - IT Keys (now SecCap)
    - Network Packet Reading Group (tentative)
    - NISC Cyber Halloween
    - Internet Week
    - Hardening ValueChain (winner)
    - ssmjp
    - AISec
    - tktk Security Study Group

  3. Agenda
    • What is the WebLogic vulnerability (CVE-2017-10271)?
    • Attack detections aggregated by country
    • Analysis of attack frequency
    • Reconnaissance of the target and the attack
    • Which port was targeted?
    • Inferring the attacker's environment
    • Attack case studies
    • Summary

  4. What is the WebLogic vulnerability (CVE-2017-10271)?
    • From JVN iPedia:
    "Oracle WebLogic Server in Oracle Fusion Middleware contains a flaw in the processing related to WLS Security, so a vulnerability exists that affects confidentiality, integrity and availability."
    "A remote attacker may be able to obtain information, tamper with information, or carry out a denial-of-service (DoS) attack."
    JVNDB-2017-008734
    Vulnerability related to WLS Security in Oracle WebLogic Server in Oracle Fusion Middleware
    http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-008734.html
    → An attack tool that allows remote arbitrary code execution (RCE) has been published

  5. Sample attack request
    (no text on this slide beyond the title)

  6. Timeline
    • [year/month not legible]: Oracle releases the fix
    • Late [year/month not legible]: attack code published
    • [date not legible]: attack detected on the honeypot
    • [date not legible]: blog article published
    • As of [date not legible]: attacks still continuing…
    Honeypot Observation Record (38) "Attempted command execution against WebLogic's WLS Security (CVE-2017-10271)"
    http://www.morihi-soc.net/?p=910

  7. A honeypotter's dilemma: criteria for publishing logs
    • Why only a tweet as of [date not legible]?
    • There was no clear information that attack code had been published. Priority was given to preventing the secondary damage that copycat attacks could cause if the log were published.
    • I did want to convey the fact that attacks were being detected.
    • Later, I confirmed that attack tools had been published on GitHub and elsewhere, which led to publishing the blog post.
    • By publishing the attack log I wanted to convey the urgency of applying the patch and how aggressive the attacks were.

  8. Sharing security information is hard
    • There are many channels for sharing security information: IPA, JPCERT/CC and the security vendors, and for critical infrastructure the NISC CEPTOARs, IPA's Initiative for Cyber Security Information sharing Partnership of Japan (J-CSIP), and so on.
    • However, the actual substance of attacks is rarely made public.
    • Even though attackers share attack information in underground places, there is a time lag in the information sharing among people working in security.
    → With a honeypot it is easy to publish information, so I write the blog as a personal activity.

  9. Reference: how much is vulnerability information worth?
    • The price of this vulnerability information (attack code) was…
    Oracle WebLogic Server 10.3.6.0.0/12.1.3.0.0/12.2.1.1.0/12.2.1.2.0 WLS Security unknown vulnerability
    https://vuldb.com/?id.108063
    → While it was a 0day, roughly 11 million to 53 million yen

  10. Attack detections aggregated by country
    • Attack logs remained from all over the world.
    352 China
    331 Ireland
    324 United States of America
    168 Seychelles
    100 Republic of Kazakhstan
    89 Japan
    53 Canada
    47 Hong Kong
    46 Republic of Ukraine
    44 Federal Republic of Germany
    24 Republic of Hungary
    20 Singapore
    12 Republic of Colombia
    11 Republic of Uruguay
    3 Republic of Korea
    3 Republic of Bulgaria
    2 Romania
    2 Kingdom of the Netherlands
    1 Russia
    1 Kingdom of Sweden
    GeoIP database used: GeoLite2 Country (file downloaded in February 2018)
    https://dev.maxmind.com/ja/geolite2/

  11. Analyzing attack frequency
    [Chart: attacks against WebLogic detected per day, 2017/12/24 to 2018/2/17; y-axis 0 to 180]
    • Attacks detected on the honeypot, aggregated per day
    • Includes both reconnaissance of WebLogic and the attacks themselves
    Peak: 156 attacks in a single day
    1,633 in total

  12. Reconnaissance of the target and the attack
    • Depending on the attack tool, it may first check whether WebLogic is running on the target.
    Diagram (attacker ⇄ WOWHoneypot):
    ① GET/HEAD request: checks whether WebLogic is running
    ② Response impersonating WebLogic
    ③ POST request: attack against the vulnerability

  13. Reconnaissance of the target and the attack
    • Aggregated per request
    • Inference:
    • The GET method checks the page content
    • The HEAD method checks the Server header
    • The POST method attacks regardless of the target's environment
    Table: method (GET / HEAD / POST) vs. number of attack detections [counts not legible in the transcript]

  14. Which port was targeted?
    • Attackers do not necessarily take the target's environment into account. They are very likely attacking indiscriminately.
    • Were attacks also arriving on ports other than WebLogic's administration port?
    Oracle® Fusion Middleware: Administering Oracle Fusion Middleware 12c (12.1.2)
    https://docs.oracle.com/cd/E50629_01/core/ASADM/portnums.htm#CHDIACEF
    ※ The WebLogic administration ports are underlined in red

  15. Which port was targeted?
    • Aggregating the target port numbers showed that the vast majority of attacks went to port [number not legible in the transcript].
    • It turned out that the attacks concentrated on WebLogic's standard administration port. The attack tools may not support HTTPS, which could be why the count there is small.
    Table: port number vs. number of attack detections, plus "Other" [values not legible in the transcript]
    ※ Requests where the port was not recorded in the Host header were excluded from the aggregation

  16. Inferring the attacker's environment
    • Aggregated the User-Agent of the attack requests.
    • Obviously suspicious ones are mixed with ones that can occur normally.
    User-Agent vs. count [version numbers and counts not legible in the transcript]:
    - Mozilla/… (Windows NT …) AppleWebKit/… (KHTML, like Gecko) Chrome/… Safari/…
    - Mozilla/… (Windows NT …; Win64; x64; rv:…) Gecko/… Firefox/…
    - Memes
    - Mozilla/…
    - python-requests/…
    - Mozilla/… (Macintosh; Intel Mac OS X …) AppleWebKit/… (KHTML, like Gecko) Chrome/… Safari/…
    - python-requests/…
    - Mozilla/… (Windows NT …; WOW64) AppleWebKit/… (KHTML, like Gecko) Chrome/… Safari/… Core/… QQBrowser/…
    - Mozilla/… (compatible; Baiduspider/…; +http://www.baidu.com/search/spider.html)
    - Mozilla/… (Windows NT …; rv:…) Gecko/… Firefox/…
    - Mozilla/… (Windows NT …) AppleWebKit/… (KHTML, like Gecko) Chrome/… Safari/…
    - Mozilla/… (compatible; MSIE …; Windows NT …; WOW64; Trident/…)
    - Mozilla/… (Windows NT …; WOW64; rv:…) Gecko/… Firefox/…
    - Other

  17. Inferring the attacker's environment
    • A close look at the POST data of the attacks shows that a Java version is specified in it.
    • Although it depends on the attack tool, this may make it possible to identify the tool the attacker used and their Java version.
    • Note that it is not always present.

  18. Inferring the attacker's environment
    • A little old, but JDK [digit not legible]-series versions are the most common.
    • It may also be hard-coded in the attack tool.
    Table: Java version vs. count [three underscore-separated version strings; digits not legible in the transcript]
    Java™ SE Development Kit 8, Update 151 (JDK 8u151)
    October 17, 2017
    http://www.oracle.com/technetwork/java/javase/8u151-relnotes-3850493.html
    ← a version released in October 2017
    • The WebLogic vulnerability information was published in [year/month not legible], which matches the period in which the tool was created.
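The per-method, per-port, per-User-Agent and Java-version aggregations of slides 13, 15, 16 and 17/18 can be reproduced over raw honeypot captures. The script below is an added example and is not the presenter's code or WOWHoneypot's own logging; the sample requests are constructed, the placeholder path "/example-endpoint" is mine, and it assumes the Java version appears in the POST body as a `<java version="...">` element, which the slides do not spell out.

```python
"""Aggregate honeypot HTTP captures the way slides 13, 15, 16 and 17/18 do:
requests per method, per targeted port (from the Host header), per
User-Agent, and the Java version found in POST bodies.

Added example, not the presenter's code. SAMPLE_REQUESTS are constructed;
the <java version="..."> form of the POST body is an assumption.
"""
import re
from collections import Counter

# Assumed shape of the version marker inside the POST body.
JAVA_VERSION_RE = re.compile(r'<java\s+version="([^"]+)"')


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def host_port(headers):
    """Port the client addressed, taken from the Host header.

    None when there is no Host header (slide 15 excludes such requests from
    the per-port count); a Host without an explicit port counts as 80.
    Bracketed IPv6 hosts ("[::1]:7001") are handled by rpartition.
    """
    host = headers.get("host")
    if host is None:
        return None
    _name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        return int(port)
    return 80


def aggregate(raw_requests):
    """Return Counters keyed like the tables on the slides."""
    stats = {"method": Counter(), "port": Counter(), "user_agent": Counter(),
             "java_version": Counter(), "no_host_header": 0}
    for raw in raw_requests:
        req = parse_request(raw)
        stats["method"][req["method"]] += 1
        stats["user_agent"][req["headers"].get("user-agent", "(none)")] += 1
        port = host_port(req["headers"])
        if port is None:
            stats["no_host_header"] += 1
        else:
            stats["port"][port] += 1
        if req["method"] == "POST":
            match = JAVA_VERSION_RE.search(req["body"])
            if match:
                stats["java_version"][match.group(1)] += 1
    return stats


def _request(method, path, headers, body=""):
    """Build one raw request string for the constructed samples."""
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed samples (not captured traffic): a GET/HEAD probe pair, then
# POSTs from two tools, one of them lacking a Host header.
SAMPLE_REQUESTS = [
    _request("GET", "/", [("Host", "203.0.113.10:7001"),
                          ("User-Agent", "python-requests/2.18.4")]),
    _request("HEAD", "/", [("Host", "203.0.113.10:7001"),
                           ("User-Agent", "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)")]),
    _request("POST", "/example-endpoint", [("Host", "203.0.113.10:7001"),
                                           ("User-Agent", "python-requests/2.18.4"),
                                           ("Content-Type", "text/xml")],
             '<java version="1.8.0_151"></java>'),
    _request("POST", "/example-endpoint", [("Host", "203.0.113.10:7001"),
                                           ("User-Agent", "python-requests/2.18.4"),
                                           ("Content-Type", "text/xml")],
             '<java version="1.8.0_151"></java>'),
    _request("POST", "/example-endpoint", [("Host", "203.0.113.10:8080"),
                                           ("User-Agent", "Mozilla/5.0")],
             '<java version="1.8.0_131"></java>'),
    _request("POST", "/example-endpoint", [("User-Agent", "Memes")], "<payload/>"),
]

if __name__ == "__main__":
    for table, counts in aggregate(SAMPLE_REQUESTS).items():
        print(f"{table}: {dict(counts) if isinstance(counts, Counter) else counts}")
```

The `no_host_header` counter mirrors the footnote on slide 15: such requests still count toward the method and User-Agent tables but not toward the port table, so the three tables do not necessarily sum to the same total.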

  19. Shown only to the attendees on the day
    (removed)

  20. Attack case studies
    • Extracting only the POST data showed [number not legible in the transcript] distinct attack patterns in total.
    • The characteristic attacks among them are picked out and introduced here.
    • Since the attack tools are public and the attacks were detected on the honeypot, ordinary public-facing servers may be receiving the same attacks.

  21. Attack request
    • An attack aimed at Linux environments.
    • Executes the wget command, attempting to download the file "jiba".

  22. Attack request
    • Continuation of the attack request.
    • After granting execute permission with the chmod command, it attempts to execute the file.

  23. The downloaded file
    • From the VirusTotal results, it appears to be a cryptocurrency mining program.
    • SHA256: [hash not legible in the transcript]

  24. Attack request
    • An attempt to create a WebShell using Java's PrintWriter class.
    • A .jsp file with a function that executes an OS command supplied in a query parameter.

  25. Attack request
    • An attack aimed at Windows environments.
    • Uses cmd.exe to run the ping command against an IP address prepared by the attacker (callback).
    • If the attacker checks whether the callback arrived, they learn that a vulnerable server exists.

  26. Attack request
    • Uses Java's net.URL class to issue an HTTP request to an IP address prepared by the attacker (callback).
    • Because the "good" parameter carried the target's global IP address, the attacker can confirm the existence of a vulnerable server by looking at their access log.

  27. Attack request
    • Continuation of the attack request. Uses Python's urllib to issue an HTTP request to an IP address prepared by the attacker (callback).

  28. Attack request
    • Continuation of the attack request. Uses PowerShell's WebClient to issue an HTTP request to an IP address prepared by the attacker (callback).

  29. Attack request
    • An attack aimed at Windows environments.
    • Uses PowerShell's WebClient to try to download and execute a file.
    SHA256: e080ee13da7371d1cbed9825540c19e94d8b2874adbe4c2d19c4d31a00c56ff8

  30. Attack request
    • An attack aimed at Linux environments.
    • Uses the curl command to try to download a script file from pastebin and execute it.

  31. The file downloaded from pastebin
    • A bash script file.
    • Targets Red Hat-family OSes: after installing several tools with the yum command, it downloads, compiles and runs cpuminer.
    • Appears to be mining the cryptocurrency Monero.

  32. Attack request
    • An attack aimed at Windows environments.
    • Uses PowerShell's DownloadString to try to download and run a .bat file.
    • By the time the log was found, the .bat file could no longer be downloaded.

  33. Attack request
    • An attack aimed at Windows environments.
    • Creates a .bat file and tries to run it.
    • It contains an account name and password for accessing the ftp server, so the file could not be retrieved or examined.

  34. The .bat file that is created
    • Shown with the [separator not legible in the transcript] replaced by line breaks for readability.
    • Downloads xz.exe from the FTP server.
    • After running xz.exe, deletes all the files.

  35. Attack request
    • An attack aimed at Linux environments.
    • Contains code that uses python to connect back to a server prepared by the attacker.
    • If python is on the PATH, Windows environments could presumably be attacked as well, via cmd.exe.

  36. Attack request
    • An attack aimed at Windows environments.
    • Downloads a file with the bitsadmin command.
    • Execution of the downloaded file is a separate request.

  37. Attack request
    • Follow-up attack request.
    • Simply runs the previously downloaded file with the start command. A two-stage setup that leaves no gap.
    • By the time the log was found, discuz.exe could no longer be downloaded.

  38. Attack request
    • An attack aimed at Windows environments.
    • Opens a web page with the explorer command.
    • cnhv.co is a domain related to browser mining, and the file being accessed contained JavaScript.

  39. Source of the web page that gets opened (excerpt)
    (no text on this slide beyond the title)

  40. Attack request
    • An attack aimed at Windows environments.
    • Downloads a file with the certutil command.
    • The saved file gets the extension "vbs".
    • By the time the log was found, up.txt could no longer be downloaded.

  41. Attack request
    • Follow-up attack request.
    • Simply runs the downloaded script file with the cscript command.
    • The attack requests are a very unusual combination.
    (certutil reference) "A new technique of macro malware disguised as defense-related files" (Macnica Networks Security Research Center blog)
    http://blog.macnica.net/blog/2017/12/post-8c22.html

  42. Attack request
    • An attack aimed at Linux environments.
    • Uses the curl command to download a shell script over https and tries to execute it.
    • The attacker's intent here is quite nasty.

  43. Contents of transfer.sh
    linuxsyn → DoS tool
    minerd → mining tool
    Registers them in crontab so they run periodically
    Registers the attacker's ssh key
    Erases the traces of the unauthorized activity

  44. If the attack succeeds
    • Use of the DoS tool is very likely to exhaust network resources.
    • Use of the mining tool is very likely to exhaust CPU resources.
    • They run periodically, and remote login over SSH is allowed as well. On top of that, the traces are erased.
    • Once compromised, the server is sucked dry to the bone.

  45. Summary
    • Introduced the Oracle WebLogic vulnerability (CVE-2017-10271).
    • Analyzing the logs from the end of [year/month not legible] to [year/month not legible] showed that the great majority of the traffic appears to be indiscriminate attacks.
    • Inferring from the vulnerability information and when the attack tools were created, attacks may have been taking place before the end of [year/month not legible].
    • A vulnerable environment is very likely to suffer not only the misuse of CPU and network resources but various other effects such as unauthorized logins.
    • The attack logs introduced here are less than [N]0% of the total (the digit N is not legible in the transcript).

  46. IoC
    Hash values (MD5) and file names of suspicious files:
    01ebeaf06f5a2fcbf14025a8e683293d cat.php
    036b34853622f38c285babf1a8670b62 svchosx.exe
    0a6f3934f53966e2bdd4721ba512bd1c weblogic.hta
    0b156ec492ea45d282cf823415ecaf12 IPsecSrv.dll
    0d91bd78bfb6eab168ebb697bd5d31a4 transfer-etn.sh
    26198be2276b9d7a4cbf4dad4155995d kworker.sh
    2874b491c166d3b3949b2f94182e1759 svvchost.exe
    38535ff9e16902305e3d938a5f429879 mssql.exe
    3acdb039179e120da05aa2c53542f944 paSmuRYy
    3af4c8196fbb3ae1744291bfdeaa6f98 pool.zip
    3fb41234895102be5c439132f85c0ef9 payload.py
    5aeb79a353888fd552dc7cc129e696a6 dada.x86_64
    5c53d65c44e5e7c05c743811487eecdb x32.exe
    5ff51056a25c8b9a20842ea9d05c0495 minerd
    8327245a8feb3290de39df5ceefd58bf start_xmr.ps1
    8c8a30372e4fdba50cb2e6ffdb5af883 mssql.exe
    929c9eeff262e198fd29f8c75edfc5fd xrun.exe
    9ad4bd564978c1b5a8540b6b6f021bdb x64.exe
    9cde0af2caa9fab7cb042487dfd9ab08 eblue.exe
    9f0d6dce1e043858f3d239b101d0b19d 7001.exe
    a2ac17c2bb6148b7e22c610964e398d2 rZhqDVLP
    a2ce07681d158a13557928457c950ebe ex32.exe
    a4f2b45c832257b5fd662b9eee2f82f1 linuxsyn
    b29e0910573f96d8447801814dd2b73e xrun-etn.exe
    b6657f348f5915ae6052e5f9c56343e8 loveby.exe
    b8a107d8b0f1e582c86a6def628ab1f3 jiba
    bf4ba4b0450a5a436a9ec9dc4b504d72 kefarbo.exe
    c357a4ad84dd7c3d4de5f7ab3942a121 minerxmr.exe
    c97b69f1bbf36ca94aaa664ea78e16dc pri.sh
    d5aa5b2a023893460b9ef2584d0fa7a8 niao.exe
    dbdac5198ffde5c15710176cbd79095c transfer.sh
    df980ebae2a9a83409a3ccd03a5e3603 cross.exe
    f50298bbe7226587bd641410849174df cloud
    fdac6a6d0c98e45c3b93d478cd4d0042 18r4m
    File download sources and callback destinations (the part after the colon is the port number):
    107.181.174.248
    111.67.198.104
    111.67.198.246
    112.30.132.138:2323
    120.132.17.180:66
    123.249.24.175:8088
    132.148.150.15:8080
    133.242.163.81:4444
    137.59.18.173
    18.217.195.175:132
    182.18.8.69:8088
    185.216.117.85:11152
    185.227.152.132:2124
    190.60.206.11
    190.60.206.11:8443
    199.188.104.73:32135
    199.188.104.75:32135
    204.152.209.251:2114
    204.152.209.251:21145
    204.152.209.251:221
    205.209.177.18
    221.9.251.236
    222.184.79.11:5317
    222.184.79.11:5318
    222.184.79.11:5319
    222.184.79.11:5320
    222.184.79.11:5329
    222.186.150.175:8080
    222.186.150.175:81
    223.68.209.7:65510
    27.148.157.89:8899
    35.189.171.208:55555
    43.226.35.42:2323
    46.4.26.204
    58.218.201.20:8088
    67.218.135.178
    80.82.70.234:6969
    97.64.19.115
    bbc.servehalflife.com
    cnhv.co
    get.fu2k.net:66
    ipfs.fu2k.net
    qwer.world
    usa.neozju.com
    www.kangnajiang.top:132

  47. IoC
    • The attacker's SSH public key
    ※ It attempted to append the key to the root user's .ssh/authorized_keys file.
    • Pastebin files (http → hxxp, https → hxxps)
    - hxxp://pastebin.com/raw/rZhqDVLP
    - hxxps://pastebin.com/raw/paSmuRYy
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDV1VxPVZFUOOWZwMFVBwP/904lhAZNj2U5DPsZyIWw33jHeFRElM++XnUYmkMDiu
    8KuJXnFDJMkyXxsq77fOpDhVGOoexll3+P6SmZWViWwnhOgvxhccgT72J+LPZEIwPqPZQVHR4ksdVSnMVreyZs+rQ7O+L2xychpqze
    Irk4Q/08f5XreOnq4Rgxp9oKwSlf7vKmQ7tUWUxfMHHL1wQYZPmdKpgSi/JmokLpp5cKAT7r0gGOj1jV8ZAJc+z45Ts2JBH9JYscHB
    ssh7MBWWymcjXANd9a6XaQnbnl6nOFFNyYm8dBuLkGpEUNCdMq/jc5YLfnAnbGVbBMhuWzaWUp root@host-10-10-10-26
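Slides 43, 44, 46 and 47 describe what a successful compromise leaves behind on the host: files from the hash list, crontab entries that keep re-running the dropped tools, the attacker's key appended to root's authorized_keys, and connections back to the listed download and callback endpoints. The following is an added example of a host-side sweep for those indicators; it is not the presenter's code. The hash, destination and SSH key values are copied from the IoC slides (a Linux-side subset of the hashes, and the key as it is wrapped across four lines there), while the authorized_keys, crontab, file inventory and netstat samples are constructed.

```python
"""Host-side sweep for the indicators on the talk's IoC slides (46 and 47).

Added example, not the presenter's code. Indicator values are copied from
the slides; the authorized_keys, crontab, inventory and netstat samples
are constructed.
"""
import re

# MD5 -> file name pairs from slide 46 (Linux-side subset of the list).
IOC_MD5 = {
    "0d91bd78bfb6eab168ebb697bd5d31a4": "transfer-etn.sh",
    "26198be2276b9d7a4cbf4dad4155995d": "kworker.sh",
    "5aeb79a353888fd552dc7cc129e696a6": "dada.x86_64",
    "5ff51056a25c8b9a20842ea9d05c0495": "minerd",
    "a4f2b45c832257b5fd662b9eee2f82f1": "linuxsyn",
    "b8a107d8b0f1e582c86a6def628ab1f3": "jiba",
    "c97b69f1bbf36ca94aaa664ea78e16dc": "pri.sh",
    "dbdac5198ffde5c15710176cbd79095c": "transfer.sh",
}
IOC_NAMES = set(IOC_MD5.values())

# Download sources / callback destinations from slide 46 (subset). Entries
# with a port match only that host:port; bare entries match the host alone.
IOC_DESTINATIONS = {"cnhv.co", "get.fu2k.net:66", "185.216.117.85:11152",
                    "222.186.150.175:8080", "222.186.150.175:81", "46.4.26.204"}

# The attacker's SSH public key from slide 47, joined from its four wrapped
# lines. Matching is on the key material only: the trailing comment
# ("root@host-10-10-10-26") is free text that an attacker can change at will.
IOC_SSH_KEY_BLOB = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDV1VxPVZFUOOWZwMFVBwP/904lhAZNj2U5DPsZyIWw33jHeFRElM++XnUYmkMDiu"
    "8KuJXnFDJMkyXxsq77fOpDhVGOoexll3+P6SmZWViWwnhOgvxhccgT72J+LPZEIwPqPZQVHR4ksdVSnMVreyZs+rQ7O+L2xychpqze"
    "Irk4Q/08f5XreOnq4Rgxp9oKwSlf7vKmQ7tUWUxfMHHL1wQYZPmdKpgSi/JmokLpp5cKAT7r0gGOj1jV8ZAJc+z45Ts2JBH9JYscHB"
    "ssh7MBWWymcjXANd9a6XaQnbnl6nOFFNyYm8dBuLkGpEUNCdMq/jc5YLfnAnbGVbBMhuWzaWUp"
)


def check_authorized_keys(text):
    """1-based line numbers of authorized_keys lines carrying the IoC key."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        # authorized_keys line: [options] keytype base64-blob [comment]
        if IOC_SSH_KEY_BLOB in line.split():
            hits.append(number)
    return hits


def check_crontab(text):
    """Crontab lines that invoke a file name from the IoC list (slide 43:
    the dropped tools were registered in crontab to run periodically)."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tokens = re.split(r"[\s/;&|]+", line)
        if IOC_NAMES.intersection(tokens):
            hits.append(line)
    return hits


def check_file_hashes(inventory):
    """inventory: {path: md5hex}. Returns [(path, ioc_name)] for known hashes."""
    return [(path, IOC_MD5[digest.lower()])
            for path, digest in inventory.items() if digest.lower() in IOC_MD5]


def check_connections(netstat_lines):
    """Remote endpoints (5th column of netstat-style lines) that match the
    callback destinations, exactly with port or on the bare host."""
    hits = []
    for line in netstat_lines:
        cols = line.split()
        if len(cols) < 5:
            continue
        remote = cols[4]
        host = remote.rsplit(":", 1)[0]
        if remote in IOC_DESTINATIONS or host in IOC_DESTINATIONS:
            hits.append(remote)
    return hits


def sweep(authorized_keys_text, crontab_text, inventory, netstat_lines):
    return {
        "ssh_key_lines": check_authorized_keys(authorized_keys_text),
        "crontab": check_crontab(crontab_text),
        "files": check_file_hashes(inventory),
        "connections": check_connections(netstat_lines),
    }


# Constructed samples (not taken from any real host).
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyNotARealKey admin@bastion\n"
    "ssh-rsa " + IOC_SSH_KEY_BLOB + " root@host-10-10-10-26\n"
)
SAMPLE_CRONTAB = (
    "# m h dom mon dow command\n"
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n"
    "*/5 * * * * /tmp/minerd\n"
)
SAMPLE_INVENTORY = {
    "/usr/bin/curl": "0123456789abcdef0123456789abcdef",  # constructed, benign
    "/tmp/minerd": "5ff51056a25c8b9a20842ea9d05c0495",
}
SAMPLE_NETSTAT = [
    "tcp 0 0 10.0.0.5:7001 198.51.100.7:50214 ESTABLISHED",
    "tcp 0 0 10.0.0.5:41122 222.186.150.175:8080 ESTABLISHED",
    "tcp 0 0 10.0.0.5:41130 46.4.26.204:443 ESTABLISHED",
]

if __name__ == "__main__":
    for check, hits in sweep(SAMPLE_AUTHORIZED_KEYS, SAMPLE_CRONTAB,
                             SAMPLE_INVENTORY, SAMPLE_NETSTAT).items():
        print(f"{check}: {hits}")
```

Because slide 43 says the script erases its traces, an empty crontab or a clean shell history is not evidence of a clean host; the authorized_keys entry and the live connections are the indicators that survive, which is why the sweep checks them independently of the file hashes.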

  48. Happy Honeypot
    ← A relative of Heliamphora (a carnivorous plant)
    Photographed on October 27, 2017 at the Yumenoshima Tropical Greenhouse Dome
    It grows only in the Guiana Highlands of South America.
    The end