APT attack cases targeting former CIS countries, India and China

On 22 September 2011, TrendMicro researchers disclosed an APT attack, the Lurid attack, aimed at government, diplomatic and space agencies as well as research institutions in the former CIS countries, India, Vietnam, China and other countries. The attack began by exploiting vulnerabilities in the Adobe Reader PDF viewer. Notably, the attackers succeeded without using any 0-day or 1-day vulnerability, which shows that the security posture of the victims in these countries was rather poor.

Dissecting the Attack

Advanced: This is a series of ongoing targeted attack campaigns that have made use of a variety of exploits for Adobe Reader including CVE-2009-4324, CVE-2010-2883 as well as compressed RAR files containing malicious screen savers.

Regardless of the attack vector, the “LURID” malware is executed on the victim's system, causing it to connect to the same network of command-and-control (C&C) servers. Attackers do not always rely upon “zero-day” exploits but frequently use older, reliable exploits and save their zero-day exploits for hardened targets. While we still have to locate any samples used in these campaigns that contain zero-day exploits, the campaign identifiers used by the attackers do make reference to the use of such exploits.

Persistent: During our research, we found two different persistence mechanisms employed by the malware. While one version maintained persistence by installing itself as a Windows service, the other version copies itself to the system folder and ensures persistence by changing the common startup folder of Windows to a special one it creates. It then copies all the usual auto-start items there, as well as itself. Also, we’ve been able to organize the malware & victims by “campaigns” (the malware communicates back a “marker”, much like someone would include in an advertising campaign) to keep track of who was infected by which malware.
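The second persistence mechanism above (redirecting the Windows common startup folder) leaves a footprint that a defender can audit on a host. The following PowerShell is an added example, not code from the report or from the blog author; it assumes Windows Vista or later defaults for the common startup path and reads the "Common Startup" value from the two Explorer shell-folder keys, flagging any redirection and listing what would auto-start from the redirected folder.

```powershell
# Added example: audit the "Common Startup" shell-folder value for redirection.
# Assumption: the expected default is the Vista+ path under %ProgramData%.
$expected = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'

# Both keys are consulted by Explorer; "User Shell Folders" may hold an
# unexpanded string, "Shell Folders" usually holds the expanded path.
$keys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
)

$findings = foreach ($key in $keys) {
  $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Common Startup'
  if ($null -eq $raw) { continue }
  $resolved = [Environment]::ExpandEnvironmentVariables($raw)
  [pscustomobject]@{
    Key      = $key
    Value    = $raw
    Resolved = $resolved
    # Case-insensitive comparison with trailing backslashes normalised away.
    Matches  = ($resolved.TrimEnd('\') -ieq $expected.TrimEnd('\'))
  }
}

$findings | Format-Table -AutoSize

foreach ($f in ($findings | Where-Object { -not $_.Matches })) {
  Write-Warning "Common Startup redirected to '$($f.Resolved)' via $($f.Key)"
  if (Test-Path -Path $f.Resolved) {
    # Everything in the redirected folder will auto-start at logon, including
    # the legitimate items the malware copies there alongside itself; hash
    # each file so the listing can be compared against known-good inventories.
    Get-ChildItem -Path $f.Resolved -File -Force |
      Select-Object Name, Length, LastWriteTime,
        @{ Name = 'SHA256'; Expression = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } }
  }
}
```

Run it from an elevated prompt; a mismatch is not proof of compromise on its own (administrators sometimes relocate the folder), but an unexplained redirection to a newly created directory matches the behaviour described above and warrants a closer look at the files it lists.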

Threat: The malware collects information from compromised computers and sends it to the C&C server via HTTP POST. Through communication with the command and control servers, the attackers are able to issue a variety of commands to the compromised computers. These commands allow the attackers to send and receive files as well as activate an interactive remote shell on compromised systems. The attackers typically retrieve directory listings from the compromised computers and steal data (such as specific .XLS files). Trend Micro researchers have some of the commands, but not the actual files.

In numbers, based on the information recovered from the C&C servers, we can confirm that there were:

1465 Unique hosts (hostname+mac address as stored by the C&C)
2272 Unique External IP addresses

The top 10 countries of victims (based on the 2272 IP addresses):

RUSSIA 1063
KAZAKHSTAN 325
UKRAINE 102
VIETNAM 93
UZBEKISTAN 88
BELARUS 67
INDIA 66
KYRGYZSTAN 49
MONGOLIA 42
CN 39

As is frequently the case, it is difficult to ascertain who is behind this series of attacks because it is easy to manipulate artifacts, e.g. IP addresses and domain name registration, in order to mislead researchers into believing that a particular entity is responsible. This statement is on the mark.
