{"id":60149,"date":"2019-04-11T09:00:05","date_gmt":"2019-04-11T01:00:05","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=60149"},"modified":"2019-04-08T17:53:52","modified_gmt":"2019-04-08T09:53:52","slug":"bashlite-iot-%e6%83%a1%e6%84%8f%e7%a8%8b%e5%bc%8f%e6%96%b0%e5%a2%9e%e6%8c%96%e7%a4%a6%e8%88%87%e5%be%8c%e9%96%80%e5%8a%9f%e8%83%bd%ef%bc%8c%e5%b0%88%e9%96%80%e6%94%bb%e6%93%8a-wemo-%e5%93%81%e7%89%8c","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=60149","title":{"rendered":"Bashlite IoT \u60e1\u610f\u7a0b\u5f0f\u65b0\u589e\u6316\u7926\u8207\u5f8c\u9580\u529f\u80fd\uff0c\u5c08\u9580\u653b\u64ca WeMo \u54c1\u724c\u88dd\u7f6e"},"content":{"rendered":"\n
\"\"\/<\/figure><\/div>\n\n\n\n

\u6700\u8fd1\uff0c\u8da8\u52e2\u79d1\u6280<\/a>\u767c\u73fe Bashlite \u60e1\u610f\u7a0b\u5f0f\u51fa\u73fe\u65b0\u7684\u7248\u672c\uff0c\u6703\u5c07\u5176\u611f\u67d3\u7684\u7269\u806f\u7db2\uff08IoT ,Internet of Thing<\/a>\uff09<\/a><\/ins>\u88dd\u7f6e\u6536\u7de8\u5230\u67d0\u500b\u6bad\u5c4d\u7db2\u8def\u4f86\u767c\u52d5\u5206\u6563\u5f0f\u963b\u65b7\u670d\u52d9<\/a>\n(DDoS) \u653b\u64ca\u3002\u8da8\u52e2\u79d1\u6280\u5c07\u9019\u4e9b\u60e1\u610f\u7a0b\u5f0f\u547d\u540d\u70ba Backdoor.Linux.BASHLITE.SMJC4\u3001Backdoor.Linux.BASHLITE.AMF<\/a>\u3001Troj.ELF.TRX.XXELFC1DFF002\n\u4ee5\u53ca Trojan.SH.BASHDLOD.AMF<\/a>\u3002\u6839\u64da\u5176\u63a1\u7528\u7684\nMetasploit \u6a21\u7d44\u4f86\u770b\uff0c\u6b64\u60e1\u610f\u7a0b\u5f0f\u5c08\u9580\u9396\u5b9a\u63a1\u7528 WeMo Universal Plug and Play (UPnP) \u901a\u7528\u96a8\u63d2\u5373\u7528\u61c9\u7528\u7a0b\u5f0f\u958b\u767c\u4ecb\u9762\n(API) \u7684\u88dd\u7f6e\u4f86\u653b\u64ca\u3002<\/p>\n\n\n\n

Bashlite \u60e1\u610f\u7a0b\u5f0f\u4ea6\u7a31\u70ba Gafgyt\u3001Lizkebab\u3001Qbot\u3001Torlus \u6216 LizardStresser\uff0c\u5176\u6700\u70ba\u4eba\u77e5\u7684\u4e0d\u826f\u4e8b\u8e5f\u662f 2014 \u5e74\u66fe\u767c\u52d5\u5927\u898f\u6a21\u5206\u6563\u5f0f\u963b\u65b7\u670d\u52d9\u653b\u64ca (DDoS)<\/a>\uff0c\u5982\u4eca\u5b83\u751a\u81f3\u958b\u59cb\u8de8\u754c<\/a>\u611f\u67d3 IoT \u88dd\u7f6e\u3002\u5148\u524d\u7684 Bashlite \u7248\u672c\u6703\u5229\u7528<\/a> Shellshock <\/a>\u6f0f\u6d1e\u4f86\u5165\u4fb5\u88dd\u7f6e\uff0c\u7136\u5f8c\u518d\u900f\u904e\u9060\u7aef\u6307\u4ee4\u9059\u63a7\u88ab\u5165\u4fb5\u7684\u88dd\u7f6e\u767c\u52d5 DDoS \u653b\u64ca (\u5982 2016 \u5e74\u6240\u767c\u751f\u7684\u4e8b\u4ef6<\/a>)\uff0c\u6216\u8005\u518d\u4e0b\u8f09\u5176\u5b83\u60e1\u610f\u6a94\u6848\u5230\u88ab\u5165\u4fb5\u7684\u88dd\u7f6e\u3002<\/p>\n\n\n\n

\u9019\u6b21\u767c\u73fe\u7684\u65b0\u7248 Bashlite \u76f8\u7576\u503c\u5f97\u95dc\u6ce8\u3002\u9996\u5148\uff0c\u5176\u611f\u67d3\u65b9\u5f0f\u5df2\u4e0d\u518d\u4ef0\u8cf4\u7279\u5b9a\nCVE \u6f0f\u6d1e\uff0c\u800c\u662f\u4f7f\u7528\u53ef\u516c\u958b\u53d6\u5f97\u7684 Metasploit \u6f0f\u6d1e\u653b\u64ca\u6a21\u7d44<\/a>\u3002\u6b64\u5916\uff0c\u65b0\u7248\u4e5f\u652f\u63f4\u66f4\u591a DDoS \u9060\u7aef\u9059\u63a7\u6307\u4ee4\uff0c\u4ee5\u53ca\u4e00\u4e9b\u865b\u64ec\u8ca8\u5e63<\/a>\u548c\u5f8c\u9580\u529f\u80fd\u3002\u540c\u6642\uff0c\u9084\u6703\u5728\u88dd\u7f6e\u4e0a\u690d\u5165\u60e1\u610f\u7a0b\u5f0f\u4f86\u5c07\u7af6\u722d\u5c0d\u624b\u7684\u6bad\u5c4d\u75c5\u6bd2\u79fb\u9664\u3002<\/p>\n\n\n\n\n\n\n\n

\u5176\u6f0f\u6d1e\u653b\u64ca\u6a21\u7d44\u7576\u4e2d\u4e26\u7121\u9396\u5b9a\u7684 WeMo\n\u88dd\u7f6e\u6e05\u55ae\uff0c\u56e0\u70ba\u5b83\u6703\u6aa2\u67e5\u88dd\u7f6e\u662f\u5426\u652f\u63f4 WeMo UPnP API\uff0c\u6240\u4ee5\u5f71\u97ff\u7684\u7bc4\u570d\u76f8\u7576\u5ee3\u6cdb\uff0c\u6db5\u84cb WeMo \u7684\u6240\u6709\u5bb6\u5ead\u81ea\u52d5\u5316\u7522\u54c1<\/a>\uff0c\u5982\uff1a\u7db2\u8def\u651d\u5f71\u6a5f\u3001\u96fb\u6e90\u63d2\u5ea7\u3001\u7167\u660e\u958b\u95dc\u3001\u71c8\u6ce1\u3001\u52d5\u4f5c\u611f\u61c9\u5668\u7b49\u7b49\u3002\u8a72\u516c\u53f8\u9084\u958b\u767c\u4e86\u4e00\u500b\u884c\u52d5\u61c9\u7528\u7a0b\u5f0f\u8b93\u4f7f\u7528\u8005\u900f\u904e\nWi-Fi \u7121\u7dda\u7db2\u8def\u4f86\u64cd\u63a7\u5176 IoT \u88dd\u7f6e\u3002<\/p>\n\n\n\n

\u5118\u7ba1\u76ee\u524d\u6211\u5011\u5c1a\u672a\u5927\u91cf\u5075\u6e2c\u5230\u9019\u500b\u65b0\u7248\u7684 Bashlite\uff0c\u4f46\u503c\u5f97\u6ce8\u610f\u7684\u662f\u6839\u64da\u8da8\u52e2\u79d1\u6280 \u8da8\u52e2\u79d1\u6280Smart Protection Suites<\/a>™ \u5168\u7403\u5a01\u8105\u60c5\u5831\u7db2\u7684\u8cc7\u6599\uff0c\u5b83\u5df2\u7d93\u5728\u5916\u6d41\u50b3\u3002\u6839\u64da\u6211\u5011 3 \u6708 21 \u65e5\u7684\u8cc7\u6599\u767c\u73fe\u53f0\u7063\u3001\u7f8e\u570b\u3001\u6cf0\u570b\u3001\u99ac\u4f86\u897f\u4e9e\u3001\u65e5\u672c\u53ca\u52a0\u62ff\u5927\u90fd\u6709\u5b83\u7684\u8e64\u8de1\u3002<\/p>\n\n\n\n

\u6211\u5011\u5df2\u7d93\u5c07\u9019\u9805\u767c\u73fe\u901a\u5831\u7d66 Belkin\uff0c\u8a72\u516c\u53f8\u4e5f\u91dd\u5c0d\u6b64\u60e1\u610f\u7a0b\u5f0f\u6240\u653b\u64ca\u7684\u6f0f\u6d1e\u767c\u51fa\u4e86\u4e00\u4efd\u6b63\u5f0f\u8072\u660e\uff1a\u300cBelkin\n\u81f4\u529b\u7dad\u8b77\u7522\u54c1\u8207\u5ba2\u6236\u7684\u5b89\u5168\u3002\u672c\u6587\u6240\u8ff0\u4e4b\u6f0f\u6d1e\u5df2\u5728 2015 \u5e74\u767c\u73fe\u4e26\u91dd\u5c0d\u6240\u6709\u53d7\u5f71\u97ff\u7684\u88dd\u7f6e\u9032\u884c\u4fee\u88dc\u3002\u6211\u5011\u5f37\u70c8\u9f13\u52f5\u5ba2\u6236\u66f4\u65b0\u81ea\u5df1\u7684\u88dd\u7f6e\u548c\u884c\u52d5\u61c9\u7528\u7a0b\u5f0f\u4f86\u53d6\u5f97\u6700\u65b0\u7684\u5b89\u5168\u4fee\u6b63\u3002\u300d<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

<\/a>
\n\u5716 1\uff1aBashlite \u60e1\u610f\u7a0b\u5f0f\u611f\u67d3\u904e\u7a0b\u3002\n<\/em><\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

<\/a><\/p>\n\n\n\n

<\/a>
\n\u5716 2\uff1a\u6839\u64da\u8da8\u52e2\u79d1\u6280\u7684Deep\nDiscovery Inspector<\/a><\/em>™<\/em> <\/em>\u7684\u5206\u6790\u8cc7\u6599\u986f\u793a\u6b64\u60e1\u610f\u7a0b\u5f0f\u6703\u653b\u64ca\u5177\u5099 WeMo API\u7684\u88dd\u7f6e\n(\u4e0a)\u3002\u540c\u6a23\u5730\uff0cMetasploit \u6a21\u7d44\u4e5f\u5177\u5099\u6b64\u80fd\u529b (\u4e0b)\u3002<\/em><\/p>\n\n\n\n

\u611f\u67d3\u904e\u7a0b<\/strong><\/em>
\n\u5728\u6211\u5011\u5206\u6790\u5230\u7684 Bashlite \u6a23\u672c\u7576\u4e2d\uff0c\u6709\u4e9b\u6703\u6839\u64da\u5176\u611f\u67d3\u88dd\u7f6e\u7684\u67b6\u69cb\u800c\u6709\u4e0d\u540c\u884c\u70ba\u3002\u9019\u4e9b\u8f03\u65b0\u7684\nBashlite \u7248\u672c\u6703\u4f7f\u7528 Telnet \u6383\u7784\u7a0b\u5f0f\u4e26\u4ee5\u4e0b\u5217\u5e33\u865f\u5bc6\u78bc\u4f86\u8a66\u5716\u767b\u5165\u76ee\u6a19\u88dd\u7f6e\uff1aroot\u30019615-cdp\u3001admin\u3001admin123\u3001huigu309\u3001xc3511\u3001vizxv\n<\/em>\u53ca Dvrdvs\u3002<\/em><\/p>\n\n\n\n

Bashlite \u5148\u662f\u5229\u7528\u6383\u7784\u7a0b\u5f0f\u4f86\u641c\u5c0b\u53ef\u611f\u67d3\u7684\u88dd\u7f6e\uff0c\u63a5\u8457\u518d\u767c\u9001\u4e00\u500b\u4e8c\u9032\u4f4d\u6a94\u6848\n(XORred\uff0ckey=0x54) \u5230\u542b\u6709\u6f0f\u6d1e\u7684\u88dd\u7f6e\u3002\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0c\u4e8c\u9032\u4f4d\u6a94\u6848\u662f\u7528\u4f86\u64f7\u53d6\u548c\u690d\u5165 Hakai\n\u6bad\u5c4d\u75c5\u6bd2<\/a>\uff0c\u8a72\u75c5\u6bd2\u7684\u7a0b\u5f0f\u78bc\u662f\u5f9e Bashlite \u884d\u751f\u800c\u4f86\uff0c\u4e26\u4e14\u5728\u53bb\u5e74\u66fe\u7d93\u653b\u64ca\u8def\u7531\u5668<\/a>\u3002\u4e0d\u904e\uff0cHakai\n\u7684\u4e0b\u8f09\u7db2\u5740\u76ee\u524d\u5df2\u7121\u6cd5\u9023\u4e0a\u3002Bashlite \u7576\u4e2d\u5167\u5d4c\u4e86\u591a\u500b\u4e8c\u9032\u4f4d\u6a94\u6848\u4f86\u5c0d\u61c9\u4e0d\u540c\u7684\u67b6\u69cb\u3002\u5716 3 \u986f\u793a\u9019\u4e9b\u5167\u5d4c\u7684\u4e8c\u9032\u4f4d\u6a94\u6848\u5982\u4f55\u53d6\u51fa\u3002<\/p>\n\n\n\n

\u88ab\u690d\u5165\u7684\u4e8c\u9032\u4f4d\u6a94\u6848\u6703\u8207\u5176\u5e55\u5f8c\u64cd\u7e31\n(C&C) \u4f3a\u670d\u5668\u806f\u7e6b\uff0c\u9023\u7dda\u4f4d\u5740\u70ba\uff1a178.128.185.250\/hakai.x86\u3002\u6b64\u5916\uff0c\u9084\u6703\u9023\u7dda\u81f3 185.244.25.213:3437 \u4f86\u652f\u63f4\nBashlite \u7684\u5f8c\u9580\u529f\u80fd\u3002<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

<\/a>
\n\u5716 3\uff1a\u5f9e\u5716\u4e2d\u53ef\u770b\u51fa\u9084\u6709 Hakai\n\u60e1\u610f\u7a0b\u5f0f\u61c9\u8a72\u4e5f\u6703\u4e0b\u8f09\u81f3\u88dd\u7f6e\u4e0a\u57f7\u884c\u3002<\/em><\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

<\/a><\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

<\/a>
\n\u5716 4\uff1a\u4e0a\u4e0b\u5169\u5716\u5206\u5225\u986f\u793a\u7528\u4f86\u64f7\u53d6 (\u4e0a)\n\u4ee5\u53ca\u5728\u88dd\u7f6e\u690d\u5165 (\u4e0b) \u5167\u5d4c\u4e8c\u9032\u4f4d\u6a94\u6848\u7684\u7a0b\u5f0f\u78bc\u3002<\/em><\/p>\n\n\n\n

\u5f8c\u9580\u8207 DDoS \u529f\u80fd<\/strong><\/em>
\nBashlite \u6700\u503c\u5f97\u6ce8\u610f\u7684\u5f8c\u9580\u6307\u4ee4\u662f\u540c\u6642\u5c0d\u55ae\u4e00\u76ee\u6a19\u767c\u52d5\u591a\u9805\u4e0d\u540c\u985e\u578b\u7684\nDDoS \u653b\u64ca\uff0c\u4ee5\u53ca\u4e0b\u8f09\u4e26\u57f7\u884c\u865b\u64ec\u52a0\u5bc6\u8ca8\u5e63\u6316\u7926\u7a0b\u5f0f\u8207\u6c38\u4e45\u7834\u58de\u88dd\u7f6e\u7684\u60e1\u610f\u7a0b\u5f0f\u3002\u6b64\u5916\uff0c\u5176\u7a0b\u5f0f\u78bc\u9084\u6709\u907f\u958b DDoS \u9632\u7bc4\u670d\u52d9\u7684\u8a2d\u8a08\u3002<\/p>\n\n\n\n

\u4ee5\u4e0b\u662f\u4e00\u4e9b Bashlite \u652f\u63f4\u7684\u5f8c\u9580\u6307\u4ee4\uff1a<\/p>\n\n\n\n