{"id":444,"date":"2020-08-14T13:54:14","date_gmt":"2020-08-14T05:54:14","guid":{"rendered":"https:\/\/blog.billows.com.tw\/?p=444"},"modified":"2020-08-14T13:54:14","modified_gmt":"2020-08-14T05:54:14","slug":"%e7%be%8e%e5%9c%8b%e5%9c%8b%e5%ae%b6%e5%ae%89%e5%85%a8%e5%b1%80-nsa-%e5%92%8c%e8%81%af%e9%82%a6%e8%aa%bf%e6%9f%a5%e5%b1%80-fbi-%e7%9a%84%e8%81%af%e5%90%88%e8%b3%87%e5%ae%89%e8%ad%a6%e5%a0%b1","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=444","title":{"rendered":"\u7f8e\u570b\u570b\u5bb6\u5b89\u5168\u5c40 (NSA) \u548c\u806f\u90a6\u8abf\u67e5\u5c40 (FBI) \u7684\u806f\u5408\u8cc7\u5b89\u8b66\u5831\uff0c\u8b66\u544a\u8aaa\u4fc4\u7f85\u65af\u9593\u8adc\u6b63\u5728\u4f7f\u7528\u65b0\u578b\u60e1\u610f\u8edf\u9ad4\u5165\u4fb5 Linux \u4f5c\u696d\u7cfb\u7d71…"},"content":{"rendered":"\n

\u7f8e\u570b\u570b\u5bb6\u5b89\u5168\u5c40 (NSA) \u548c\u806f\u90a6\u8abf\u67e5\u5c40 (FBI) \u5728 8\u6708 13\u65e5\u767c\u5e03\u7684\u806f\u5408\u8cc7\u5b89\u8b66\u5831\uff0c\u8b66\u544a\u8aaa\u4fc4\u7f85\u65af\u9593\u8adc\u6b63\u5728\u4f7f\u7528\u65b0\u578b\u60e1\u610f\u8edf\u9ad4\u5165\u4fb5 Linux \u4f5c\u696d\u7cfb\u7d71\u3002<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\u7f8e\u570b\u570b\u5bb6\u5b89\u5168\u5c40\u548c\u806f\u90a6\u8abf\u67e5\u5c40\u8868\u793a\uff0c\u9019\u662f\u4e00\u500b\u521d\u6b21\u516c\u4f48\u7684\u60e1\u610f\u8edf\u9ad4\u201c Drovorub\u201d\uff0c\u64da\u4e86\u89e3\u8a72\u60e1\u610f\u8edf\u9ad4\u662f\u7531\u8207\u4fc4\u7f85\u65af\u8ecd\u968a\u76f8\u95dc\u7684\u570b\u5bb6\u8d0a\u52a9\u99ed\u5ba2\u7d44\u7e54 APT 28\uff0c\u53c8\u7a31\u70ba Fancy Bear \u6240\u90e8\u7f72\u7684\uff0c\u800c APT 28 \u96b8\u5c6c\u65bc\u4fc4\u7f85\u65af\u7e3d\u53c3\u8b00\u90e8\u60c5\u5831\u7e3d\u5c40 (GRU) \u7b2c 85 \u4e3b\u8981\u4e3b\u8981\u7279\u52e4\u4e2d\u5fc3\u3002<\/p>\n\n\n\n

\u5728\u4e00\u4efd\u9577\u9054 45\u9801\u7684\u8a73\u7d30\u5831\u544a\u4e2d\uff0c\u9019\u4e9b\u6a5f\u69cb\u6307\u8cac\u99ed\u5ba2\u5c07 Drovorub \u4f5c\u70ba\u4fc4\u7f85\u65af\u9593\u8adc\u6d3b\u52d5\u7684\u4e00\u90e8\u5206\uff0c\u4e26\u63d0\u4f9b\u4e86\u6aa2\u6e2c\u548c\u6e1b\u8f15\u611f\u67d3\u7684\u5efa\u8b70\u3002<\/p>\n\n\n\n

Drovorub \u53ef\u8b93\u570b\u5bb6\u8d0a\u52a9\u7684\u99ed\u5ba2\u958b\u5c55\u5404\u7a2e\u6d3b\u52d5\uff0c\u4f8b\u5982\u7aca\u53d6\u6587\u4ef6\u3001\u5efa\u7acb\u5f8c\u9580\u8a2a\u554f\u6b0a\u9650\u3001\u9060\u7aef\u63a7\u5236\u76ee\u6a19\u96fb\u8166\u3002Drovorub \u60e1\u610f\u8edf\u9ad4\u5be6\u4f5c\u4e86\u4e00\u7a2e\u5148\u9032\u7684\u5075\u6e2c\u8eb2\u907f\u6280\u8853\uff0c\u5b83\u5229\u7528\u9032\u968e\u7684 \u201crootkit\u201d \u529f\u80fd\u8eb2\u907f\u5075\u6e2c\u3002<\/p>\n\n\n\n

\u60e1\u610f\u8edf\u9ad4\u7684\u5ba2\u6236\u7aef\u53ef\u4ee5\u76f4\u63a5\u8207\u5a01\u8105\u53c3\u8207\u8005\u7684 C2 \u57fa\u790e\u7d50\u69cb\u901a\u4fe1\uff0c\u5177\u6709\u6587\u4ef6\u4e0a\u50b3\/\u4e0b\u8f09\u529f\u80fd\uff0c\u5177\u6709 \u201croot\u201d \u7279\u6b0a\u7684\u7528\u6236\u53ef\u4ee5\u57f7\u884c\u4efb\u610f\u547d\u4ee4\uff0c\u4e26\u4e14\u53ef\u4ee5\u5c07\u7db2\u8def\u6d41\u91cf\u8f49\u767c\u5230\u7db2\u8def\u4e0a\u7684\u5176\u4ed6\u96fb\u8166\u3002<\/p>\n\n\n\n

\"\u4e00\u5f35\u542b\u6709<\/figure>\n\n\n\n

\u6839\u64da\u8a72\u5831\u544a\uff0crootkit \u975e\u5e38\u6210\u529f\u7684\u96b1\u85cf\u5728\u53d7\u611f\u67d3\u7684\u96fb\u8166\u4e0a\uff0c\u4e26\u4e14\u53ef\u4ee5\u5728\u91cd\u65b0\u555f\u52d5\u5f8c\u4fdd\u7559\u4e0b\u4f86\uff0c\u9664\u975e\u5728 UEFI \u555f\u52d5\u6642\u9078\u7528 \u201cFull boot\u201d \u6216 \u201cThorough boot\u201d \u6a21\u5f0f\u4e0b\u4ee5\u5b89\u5168\u555f\u52d5\u3002<\/p>\n\n\n\n

\u5831\u544a\u63cf\u8ff0\u4e86\u6bcf\u500b Drovorub \u5143\u4ef6\u7684\u6280\u8853\u7d30\u7bc0\uff0c\u9019\u4e9b\u5143\u4ef6\u900f\u904e WebSockets \u4ee5 JSON \u683c\u5f0f\u76f8\u4e92\u901a\u4fe1\uff0c\u4e26\u4f7f\u7528 RSA \u7b97\u6cd5\u5c0d\u5f80\u8fd4\u65bc\u4f3a\u670d\u5668\u7684\u6d41\u91cf\u9032\u884c\u52a0\u5bc6\u3002<\/p>\n\n\n\n

\u7f8e\u570b\u570b\u5bb6\u5b89\u5168\u5c40\u548c\u806f\u90a6\u8abf\u67e5\u5c40\u5efa\u8b70\u7d44\u7e54\u5c07\u4efb\u4f55 Linux \u7cfb\u7d71\u66f4\u65b0\u70ba\u6838\u5fc3\u7248\u672c 3.7 \u6216\u66f4\u9ad8\u7684\u7248\u672c\uff0c\u4ee5\u907f\u514d\u53d7 Drovorub \u60e1\u610f\u8edf\u9ad4\u7684 rootkit \u611f\u67d3\u3002<\/p>\n\n\n\n

\u8a72\u806f\u5408\u8b66\u5831\u5efa\u8b70\u904b\u884c\u8a18\u61b6\u9ad4\u53d6\u8b49\uff0c\u63a2\u6e2c\u6587\u4ef6\u96b1\u85cf\u884c\u70ba\uff0c\u540c\u6642\u5305\u542b snort \u898f\u5247\u548c Yara \u898f\u5247\u4ee5\u6aa2\u6e2c\u5a01\u8105\u3002<\/p>\n\n\n\n

\u5c08\u5bb6\u9084\u5efa\u8b70\uff0c\u7db2\u8def\u908a\u754c\u7684\u5c01\u5305\u6578\u64da\u6aa2\u6e2c\u53ef\u7528\u65bc\u767c\u73fe\u7db2\u8def\u4e0a\u7684 Drovorub \u60e1\u610f\u8edf\u9ad4\uff0c\u800c\u57fa\u65bc\u4e3b\u6a5f\u7684\u5a01\u8105\u6aa2\u6e2c\u65b9\u6cd5\u5305\u62ec\u6383\u7784\u3001\u8cc7\u5b89\u7522\u54c1\u3001\u5373\u6642\u56de\u61c9\u3001\u8a18\u61b6\u9ad4\u5206\u6790\u548c\u5a92\u9ad4\uff08\u78c1\u789f\u6620\u50cf\uff09\u5206\u6790\uff0c\u5c08\u5bb6\u9084\u5efa\u8b70\u7cfb\u7d71\u64c1\u6709\u8005\u4f7f\u7528\u6709\u6548\u4e14\u5df2\u7c3d\u7ae0\u7684\u6a21\u7d44\u9032\u884c\u767b\u5165\u3002<\/p>\n\n\n\n

\u6b32\u4e86\u89e3\u66f4\u591a\u95dc\u65bc Drovorub \u60e1\u610f\u8edf\u9ad4\u7684\u76f8\u95dc\u60c5\u8cc7\uff0c\u53ef\u81f3 OTX \u793e\u7fa4:<\/p>\n\n\n\n

https:\/\/otx.alienvault.com\/pulse\/5f3581cc4138be1d82c183b8<\/a><\/p>\n\n\n\n

Source:https:\/\/media.defense.gov\/2020\/Aug\/13\/2002476465\/-1\/-1\/0\/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF<\/a><\/p>\n\n\n\n

\u7ae3\u76df\u79d1\u6280\u5b98\u7db2:<\/p>\n\n\n\n

https:\/\/www.billows.com.tw\/<\/a><\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

\u7f8e\u570b\u570b\u5bb6\u5b89\u5168\u5c40 (NSA) \u548c\u806f\u90a6\u8abf\u67e5\u5c40 (FBI) \u5728 8\u6708 13\u65e5\u767c\u5e03\u7684\u806f\u5408\u8cc7\u5b89\u8b66\u5831\uff0c\u8b66\u544a\u8aaa\u4fc4\u7f85\u65af\u9593\u8adc\u6b63\u5728 READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-444","post","type-post","status-publish","format-standard","hentry","category-6"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/444","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=444"}],"version-history":[{"count":3,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/444\/revisions"}],"predecessor-version":[{"id":451,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/444\/revisions\/451"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=444"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=444"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=444"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}