Malware-infected camera cited as an example by Check Point (Ashiya City, Hyogo Prefecture)
Source: https://japan.zdnet.com/article/35109216/
【Overview】
■Malware
- IoTroop (Check Point)
- IoT_reaper (Qihoo 360)
■Exploited vulnerability
- CVE-2017-8225
■Infection scale
- Several million devices
【News】
◆A typhoon of IoT botnet attacks is approaching - Check Point warns (Mynavi News, 2017/10/23)
http://news.mynavi.jp/news/2017/10/23/178/
◆New IoT botnet emerges, raising concerns of Mirai-class DDoS attacks (ZDNet, 2017/10/23 18:13)
https://japan.zdnet.com/article/35109216/
【Blog】
◆A New IoT Botnet Storm is Coming (Check Point, 2017/10/19)
https://blog.checkpoint.com/2017/10/19/new-iot-botnet-storm-coming/
◆New rapidly-growing IoT Botnet - REAPER (Trend Micro, 2018/01/14)
https://success.trendmicro.com/solution/1118928-new-rapidly-growing-iot-botnet-reaper
【Public information】
◆A New IoT Botnet Storm is Coming (Check Point, 2017/10/19)
https://research.checkpoint.com/new-iot-botnet-storm-coming/
◆IoT_reaper: A Rappid Spreading New IoT Botnet (Qihoo 360)
http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/
【Indicator information】
■Hash information (MD5)
■Hash information (SHA1)
■URL information
■Malware information
MD5 | 4406bace3030446371df53ebbdc17785 |
SHA1 | bccdbe601b0b12183d55d8622c806f6dff181078 |
SHA256 | c2978651935f9d2af532605509493c4f588fc332a458eaef3b01199eae1f1897 |
SHA512 | |
SSDEEP | 12288:/+v/o0Biif5aanGE2DG9h/8Ou1wdKX52uyzQR74x5g8JWY22XbbmKf2fhG+mwW+l:aaanG49hUO8B2uyzQR0yYIfw+m |
authentihash | |
imphash | |
File Size | 842.47 KB |
File Type | ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, stripped |
Compile timestamp | |
Debug Path | |
File Name | |
File Path | |
Generated files | |
Characteristics | |
Reference | https://www.virustotal.com/#/file/c2978651935f9d2af532605509493c4f588fc332a458eaef3b01199eae1f1897/details |
■Malware information
MD5 | 6f91694106bb6d5aaa7a7eac841141d9 |
SHA1 | 8756fc70cf05d558d086c669e449ca007f2b2f05 |
SHA256 | e2ed207461032f4bf96cfd36e54cd883186592860056bd96df94e73f5b7db035 |
SHA512 | |
SSDEEP | 96:RhoztHkm0LX9JdOQAcKu8c/SApOoZ3O+3/37+KklJMGNCsD4gvb+14mwhZx4ekUj:/ukm0LX9DOrO8khL7EJMGoWkEZx4eK1 |
authentihash | |
imphash | |
File Size | 8.07 KB |
File Type | ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped |
Compile timestamp | |
Debug Path | |
File Name | xget |
File Path | |
Generated files | |
Characteristics | |
Reference | https://www.virustotal.com/#/file/e2ed207461032f4bf96cfd36e54cd883186592860056bd96df94e73f5b7db035/details |