
Hacking Team's Lair Raided: 0XID on How to Respond

Recently the hacker outfit Hacking Team was itself attacked, and over 400 GB of internal email, documents and toolkits were exposed to public view. It is no exaggeration to call this a disaster for the security industry, and its destructive potential is off the charts. To protect our mobile users, 0XID took this very seriously. Our research found that most of the tools exploit application vulnerabilities in the operating system to achieve privilege escalation and arbitrary code execution. Affected systems include OS X, iOS, Android, Windows Phone 8, BlackBerry, Windows and Linux. Beyond that, the highlights of the attack tooling are a Windows font 0-day and Flash 0-days. For example, two Flash 0-day vulnerabilities are used widely across these tools, and as of now neither of them has been patched.

For protection on the phone side, the 0XID lab developed a removal tool (0xIDHT Removal Tool) for our first batch of customers. Now, in response to popular demand, we are putting it online for all users. Download it here: http://www.0xid.com/htrm/HTRemovalTool.apk (sha1: c3f154b9da0602cd1d514c0ac9e3f1d53f688098)

We have analysed all known Android samples and are still sweating through a large batch of further samples and vulnerabilities, which we will upload to our cloud one after another. Some known samples are listed below (if you need to test these samples you can visit www.virustotal.com, but don't say I didn't warn you: be extremely careful when you test them!)



According to VirusTotal, most AV vendors identify these samples as InfoStealer. But in our behavioural analysis we have not yet seen any payloads or C&C connections (which is different from those old HT samples from last year).

As the research deepens we will keep sharing more technical results. The Long March has only just begun, but I still have to say: the best is yet to come, so don't go away!


Dynamic sandbox results:

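As an added example (not code from the original post or from 0XID), a small Python triage helper for the shape of dynamic sandbox report discussed above: it orders the timestamp-keyed behaviour categories (dexclass, sendsms, opennet, fdaccess, ...) into one timeline, decodes the NUL-separated /proc/<pid>/cmdline reads, and pulls out the SMS, socket, dex-load and receiver facts an analyst checks first. The report fragment inside it is constructed, reusing only field names and values quoted from the page; any structure beyond those is an assumption.

```python
import json

# Constructed report fragment (not the original sample's output) that reuses the
# field names and a few of the values from the page's dynamic sandbox result.
SAMPLE_REPORT = json.dumps({
    "dexclass": {"150.12599992752075": {"path": "/system/app/Contacts.apk", "type": "dexload"},
                 "150.1159999370575": {"path": "/system/app/PicoTts.apk", "type": "dexload"}},
    "sendsms": {"150.12599992752075": {"message": "TESTEST", "type": "sms", "sink": "SMS",
                                        "number": "1234"}},
    "dataleaks": {"150.12599992752075": {"message": "TESTEST", "tag": ["TAINT_SMS"],
                                          "type": "sms", "sink": "SMS", "number": "1234"}},
    "opennet": {"150.12599992752075": {"desthost": "8.8.8.8", "fd": "136", "destport": "7"}},
    "fdaccess": {"150.12599992752075": {"path": "/proc/1078/cmdline", "operation": "read",
                                         "type": "fileread",
                                         "data": "screencap\x00-p\x00/sdcard/shot.png\x00".encode().hex()}},
    "recvsaction": ["com.android.dvci.BM", "com.android.dvci.listener.AR"],
    "sendnet": {}, "recvnet": {}, "phonecalls": {},
})

TIMED = ("dexclass", "servicestart", "sendsms", "opennet", "fdaccess", "cryptousage")

def timeline(report_json):
    """Merge every timestamp-keyed behaviour into one list of (t, kind, event), oldest first."""
    r = json.loads(report_json)
    events = [(float(ts), kind, ev) for kind in TIMED for ts, ev in r.get(kind, {}).items()]
    return sorted(events, key=lambda e: e[0])

def decode_cmdline(hexdata):
    """/proc/<pid>/cmdline is a NUL-separated argv; return it as a list of strings."""
    return [a.decode(errors="replace") for a in bytes.fromhex(hexdata).split(b"\x00") if a]

def triage(report_json):
    """Pull out what an analyst checks first: SMS sinks, sockets, code loads, receivers."""
    r = json.loads(report_json)
    return {
        "sms_out": [(e["number"], e["message"]) for e in r.get("sendsms", {}).values()],
        "taint_leaks": [(tuple(e.get("tag", [])), e["sink"]) for e in r.get("dataleaks", {}).values()],
        "net_open": [(e["desthost"], int(e["destport"])) for e in r.get("opennet", {}).values()],
        "dex_loads": [e["path"] for e in r.get("dexclass", {}).values()],
        "receivers": list(r.get("recvsaction", [])),
        "cmdline_reads": [decode_cmdline(e["data"]) for e in r.get("fdaccess", {}).values()
                          if e.get("path", "").endswith("/cmdline")],
        # a socket was opened but nothing was sent or received: matches "no C&C traffic seen"
        "traffic_seen": bool(r.get("sendnet")) or bool(r.get("recvnet")),
    }

if __name__ == "__main__":
    for t, kind, ev in timeline(SAMPLE_REPORT):
        print(f"{t:9.3f} {kind:12} {ev}")
    print(triage(SAMPLE_REPORT))
```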
