感谢kushuku的投递 新闻来源:solidot 在Flame恶意程序上周曝光之后,幕后攻击者立即关闭了80多个命令控制服务器。服务器域名是采用化名注册,每个化名最多注册4个域名。上传到服务器的数据包括了计算机辅助软件绘制图纸、电子邮件和PDF文档。 域名最早注册时间是在2008年,使用至少22个不同IP地址,服务器运行Ubuntu Linux发行版。卡巴斯基与GoDaddy和OpenDNS合作,将域名重定向到其控制的服务器上,收集到了恶意程序上传的数据。 安全研究人员发现,Flame和Duqu有许多共同特征,都对受感染机器上的AutoCAD绘图文件感兴趣。为了限制窃取的文件数量和避免上传无关的文件,Flame会从PDF、电子表格和Word文档中提取1KB样本,压缩和上传样本到命令控制服务器,然后攻击者发出指令抓取他们感兴趣的特定文档。 与Duqu不同之处是,Duqu会利用SSH端口转发伪装攻击者的真实身份,而Flame则是直接上传到服务器,换句话说,它的幕后攻击者没有Duqu的操作者谨慎。 Duqu Flame Server OS CentOS Linux Ubuntu Linux Control scripts Running on remote server, shielded through SSH port forwarding Running on servers Number of victims per server 2-3 50+ Encryption of connections to server SSL + proprietary AES-based encryption SSL Compression of connections No Yes, Zlib and modified PPMD Number of known C&C’s domains n/a 80+ Number of known C&C IPs 5 15+ Number of proxies used to hide identity 10+ Unknown Time zone of C&C operator GMT+2 / GMT+3 Unknown Infrastructure programming .NET Unknown Locations of servers India, Vietnam, Belgium, UK, Netherlands, Switzerland, Korea, etc... Germany, Netherlands, UK, Switzerland, Hong Kong, Turkey, etc... Number of built-in C&C IPs/domain in malware 1 5, can update list SSL certificate self-signed self-signed Servers status Most likely hacked Most likely bought SSH connections no yes
