{"id":60735,"date":"2019-05-29T09:00:38","date_gmt":"2019-05-29T01:00:38","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=60735"},"modified":"2019-05-28T12:12:16","modified_gmt":"2019-05-28T04:12:16","slug":"mirai-%e8%ae%8a%e7%a8%ae%e5%88%a9%e7%94%a813%e7%a8%ae%e6%bc%8f%e6%b4%9e%e6%94%bb%e6%93%8a%e8%b7%af%e7%94%b1%e5%99%a8%e7%ad%89%e8%a3%9d%e7%bd%ae","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=60735","title":{"rendered":"\u300aIOT \u300bMirai \u8b8a\u7a2e\u5229\u752813\u7a2e\u6f0f\u6d1e\u653b\u64ca\u8def\u7531\u5668\u7b49\u88dd\u7f6e"},"content":{"rendered":"\n<div class=\"wp-block-image\"><figure class=\"alignleft is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2016\/07\/IoT-feature-image-200x200.jpg\" alt=\"\u00e9\u0080\u0099\u00e5\u00bc\u00b5\u00e5\u009c\u0096\u00e7\u0089\u0087\u00e7\u009a\u0084 alt \u00e5\u00b1\u00ac\u00e6\u0080\u00a7\u00e5\u0080\u00bc\u00e7\u0082\u00ba\u00e7\u00a9\u00ba\u00ef\u00bc\u008c\u00e5\u00ae\u0083\u00e7\u009a\u0084\u00e6\u00aa\u0094\u00e6\u00a1\u0088\u00e5\u0090\u008d\u00e7\u00a8\u00b1\u00e7\u0082\u00ba IoT-feature-image-200x200.jpg\" width=\"216\" height=\"216\"\/><\/figure><\/div>\n\n\n\n<p><a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">\u8da8\u52e2\u79d1\u6280<\/a>\u767c\u73fe\u4e86\u4e00\u96bb\u4f7f\u7528\u4e8613\u7a2e\u4e0d\u540c\u6f0f\u6d1e\u7684\u65b0Mirai\u8b8a\u7a2e\uff08\u5075\u6e2c\u70ba<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/Backdoor.Linux.MIRAI.VWIPT\">Backdoor.Linux.MIRAI.VWIPT<\/a>\uff09\uff0c\u9019\u4e9b\u6f0f\u6d1e\u5e7e\u4e4e\u90fd\u5728\u4e4b\u524d\u7684Mirai\u653b\u64ca\u51fa\u73fe\u904e\u3002\u9019\u662f\u96bb\u5178\u578b\u7684Mirai\u8b8a\u7a2e\uff0c\u5177\u6709\u5f8c\u9580\u53ca\u5206\u6563\u5f0f\u963b\u65b7\u670d\u52d9\uff08DDoS\uff09\u529f\u80fd\u3002\u4f46\u9019\u662f\u7b2c\u4e00\u6b21\u4f7f\u7528\u6240\u670913\u500b\u6f0f\u6d1e\u7684\u6848\u4f8b\u3002<\/p>\n\n\n\n<p style=\"text-align:left\"><\/p>\n\n\n\n<p>\u9019\u8d77\u653b\u64ca\u767c\u751f\u5728\u6211\u5011\u4e0a\u6b21<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/internet-of-things\/mirai-variant-spotted-using-multiple-exploits-targets-various-routers\">\u5831\u5c0e<\/a>Mirai\u653b\u64ca\u6d3b\u52d5\u5f8c\u5e7e\u9031\uff0c\u91dd\u5c0d\u4e86\u5404\u7a2e\u8def\u7531\u5668\u3002\u4e0a\u6b21\u5831\u5c0e\u4e2d\u6240\u63d0\u5230\u7684\u4e00\u4e9b\u6f0f\u6d1e\u4e5f\u88ab\u7528\u65bc\u6b64\u8b8a\u7a2e\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"> <br>\u524d\u4e09\u500b\u6f0f\u6d1e\u653b\u64ca\u91dd\u5c0d\u7db2\u9801\u958b\u767c\u6846\u67b6ThinkPHP\u53ca\u67d0\u4e9b\u83ef\u70ba\u548cLinksys\u8def\u7531\u5668\u6f0f\u6d1e\u7684\u6383\u63cf\u7a0b\u5f0f <\/h3>\n\n\n\n<p><a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">\u8da8\u52e2\u79d1\u6280<\/a>\u4e00\u958b\u59cb\u767c\u73fe\u6b64\u65b0\u8b8a\u7a2e\u662f\u4f86\u81ea\u65bc\u6211\u5011\u4e00\u500b\u6536\u96c6<ins><a href=\"https:\/\/blog.trendmicro.com.tw\/?p=8802\">\u7269\u806f\u7db2\uff08IoT\n,Internet of Thing<\/a><a href=\"https:\/\/blog.trendmicro.com.tw\/?p=8802\">\uff09<\/a><\/ins>\u76f8\u95dc\u653b\u64ca\u7684\u871c\u7f50\u7cfb\u7d71\u3002\u53ef\u4ee5\u770b\u51fa\u6b64\u60e1\u610f\u8edf\u9ad4\u4f7f\u7528\u4e86\u5404\u7a2e\u4e0d\u540c\u7684\u6563\u64ad\u65b9\u5f0f\uff0c\u9084\u767c\u73fe\u5b83\u6703\u7528\u4e09\u500bXOR\u5bc6\u9470\u4f86\u52a0\u5bc6\u8cc7\u6599\u3002\u7528XOR\u89e3\u5bc6\u60e1\u610f\u8edf\u9ad4\u5b57\u4e32\u5f8c\u767c\u73fe\u4e86Mirai\u8b8a\u7a2e\u7684\u6307\u6a19\u3002\u53ef\u4ee5\u5f9e\u57161\u4e2d\u770b\u5230\u89e3\u5bc6\u5b57\u4e32\u3002<\/p>\n\n\n\n<!--more-->\n\n\n\n<ul><li>0x22\uff08\u6a19\u6e96Mirai\u5b57\u4e32\uff09<\/li><li>0x37\uff08\u5e36\u6709watchdog\u7684\u5b57\u4e32\uff09<\/li><li>0xea\uff08\u66b4\u529b\u7834\u89e3\u7528\u5bc6\u78bc\uff1a\u201ctelecomadmin\u201d\u3001\u201cadmintelecom\u201d\u7b49\uff09<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/figure-1-decrypted-string-showing-mirai-connection.jpg\" alt=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/figure-1-decrypted-string-showing-mirai-connection.jpg\"\/><\/figure>\n\n\n\n<p><em>\u57161. <\/em><em>\u986f\u793aMirai<\/em><em>\u9023\u7dda\u7684\u89e3\u5bc6\u5b57\u4e32<\/em><\/p>\n\n\n\n<p>\u6211\u5011\u9084\u767c\u73fe\u4e86\u6b64\u8b8a\u7a2e\u6240\u7528\u7684\u5176\u4ed6\u7db2\u5740\u3002\u4e0b\u9762\u5217\u8868\u5167\u7684\u7b2c\u4e00\u500b\u7db2\u5740\u662f\u547d\u4ee4\u548c\u63a7\u5236\uff08C&amp;C\uff09\u9023\u7d50\uff0c\u5176\u9918\u662f\u4e0b\u8f09\u548c\u690d\u5165\u7a0b\u5f0f\u9023\u7d50\u3002\u4e0b\u8f09\u548c\u690d\u5165\u7a0b\u5f0f\u9023\u7d50\u503c\u5f97\u6ce8\u610f\u7684\u662f\u4f7f\u7528\u4e86hopTo\uff0c\u4e00\u500b\u514d\u8cbb\u7684\u52d5\u614bDNS\uff08\u7db2\u57df\u540d\u7a31\u4f3a\u670d\u5668\uff09\u670d\u52d9\u3002<\/p>\n\n\n\n<ul><li>hxxp:\/\/32[.]235[.]102[.]123:1337<\/li><li>hxxp:\/\/ililililililililil[.]hopto[.]org\/shiina\/tmp.arm7<\/li><li>hxxp:\/\/ililililililililil[.]hopto[.]org\/shiina\/tmp.mips<\/li><li>hxxp:\/\/ililililililililil[.]hopto[.]org\/love.sh<\/li><\/ul>\n\n\n\n<p>\u6aa2\u8996\u65b0\u8b8a\u7a2e\u7a0b\u5f0f\u78bc\u5f8c\u53ef\u4ee5\u770b\u51fa\u66f4\u591a\u5b83\u5982\u4f55\u6563\u64ad\u7684\u6280\u8853\u7d30\u7bc0\uff0c\u7279\u5225\u662f\u5b83\u6240\u4f7f\u7528\u768413\u7a2e\u4e0d\u540c\u6f0f\u6d1e\u3002\u524d\u4e09\u500b\u6f0f\u6d1e\u653b\u64ca\uff08\u5982\u57162\u6240\u793a\uff09\u662f\u91dd\u5c0d\u7db2\u9801\u958b\u767c\u6846\u67b6ThinkPHP\u53ca\u67d0\u4e9b\u83ef\u70ba\u548cLinksys\u8def\u7531\u5668\u6f0f\u6d1e\u7684\u6383\u63cf\u7a0b\u5f0f\u3002\u5176\u991810\u500b\u6f0f\u6d1e\u7684\u6383\u63cf\u7a0b\u5f0f\u53ef\u4ee5\u5f9eexploit_worker()\u627e\u5230\uff08\u5982\u57163\u6240\u793a\uff09\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/figure-2-snapshot-of-mirai-variant-code-showing-the-scanner-function-for-three.jpg\" alt=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/figure-2-snapshot-of-mirai-variant-code-showing-the-scanner-function-for-three.jpg\"\/><\/figure>\n\n\n\n<p><em>\u57162. <\/em><em>\u986f\u793a\u5176\u4e2d3<\/em><em>\u500b\u6f0f\u6d1e\u6383\u63cf\u7a0b\u5f0f\u7684Mirai<\/em><em>\u8b8a\u7a2e\u7a0b\u5f0f\u78bc<\/em><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/figure-3-snapshot-of-the-mirai-variant-code-showing-the-remaining-10.jpg\" alt=\"Figure 3. Snapshot of the Mirai variant code showing the remaining 10 exploits\"\/><\/figure><\/div>\n\n\n\n<p><em>\u57163. <\/em><em>\u986f\u793a\u5269\u991810<\/em><em>\u500b\u6f0f\u6d1e\u7684Mirai<\/em><em>\u8b8a\u7a2e\u7a0b\u5f0f\u78bc<\/em><\/p>\n\n\n\n<p>\u6211\u5011\u767c\u73fe\u9664\u4e86\u900f\u904e\u9019\u4e9b\u6f0f\u6d1e\u6563\u64ad\u5916\uff0c\u9019\u96bbMirai\u8b8a\u7a2e\u9084\u5177\u5099\u4e86\u66b4\u529b\u7834\u89e3\u529f\u80fd\uff0c\u5e95\u4e0b\u7684\u5165\u4fb5\u6307\u6a19\uff08IoC\uff09\u5167\u5305\u542b\u4e86\u6240\u4f7f\u7528\u7684\u5e38\u898b\u5bc6\u78bc\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"> 13\u500b\u6f0f\u6d1e\u653b\u64ca\u53ca\u5176\u4ed6\u4f7f\u7528\u9019\u4e9b\u6f0f\u6d1e\u7684\u653b\u64ca <\/h3>\n\n\n\n<p>\u5982\u524d\u6240\u8ff0\uff0c\u6b64\u8b8a\u7a2e\u662f\u7b2c\u4e00\u96bb\u5728\u55ae\u4e00\u653b\u64ca\u88e1\u4f7f\u752813\u500b\u6f0f\u6d1e\u7684Mirai\u8b8a\u7a2e\u3002\u9019\u4e9b\u6f0f\u6d1e\u653b\u64ca\u4e86\u8def\u7531\u5668\u3001\u76e3\u63a7\u88dd\u7f6e\u53ca\u5176\u4ed6\u88dd\u7f6e\u3002\u4f46\u9019\u4e26\u975e\u6211\u5011\u7b2c\u4e00\u6b21\u770b\u5230\u7db2\u8def\u72af\u7f6a\u5206\u5b50\u4f7f\u7528\u901913\u500b\u6f0f\u6d1e\u3002\u88681\u5217\u51fa\u6240\u670913\u500b\u6f0f\u6d1e\u653b\u64ca\u53ca\u5176\u4ed6\u4f7f\u7528\u9019\u4e9b\u6f0f\u6d1e\u7684\u653b\u64ca\u3002<\/p>\n\n\n\n<style>\n   table {border-collapse:collapse; table-layout:fixed; width:310px;}\n   table td {border:solid 1px ; width:100px; word-wrap:break-word;}\n   <\/style>\n\n<table  class=\"wp-block-table table table-hover\" ><tbody><tr><td>\n  <strong>\u6f0f\u6d1e\u653b\u64ca<\/strong>\n  <\/td><td>\n  <strong>\u6f0f\u6d1e\u548c\u53d7\u5f71\u97ff\u88dd\u7f6e<\/strong>\n  <\/td><td>\n  <strong>\u76f8\u95dc\u653b\u64ca<\/strong>\n  <\/td><\/tr><tr><td>\n  1\n  <\/td><td>\n  <a href=\"https:\/\/vulners.com\/openvas\/OPENVAS:1361412562310107187\" target=\"_blank\" rel=\"noreferrer noopener\">Vacron\n  NVR CVE<\/a>\n  <\/td><td>\n  Vacron\u7db2\u8def\u9304\u5f71\u6a5f\uff08NVR\uff09\u8a2d\u5099\u7684\u9060\u7aef\u7a0b\u5f0f\u78bc\u57f7\u884c\uff08RCE\uff09\u6f0f\u6d1e\n  <\/td><td>\n  <a href=\"https:\/\/unit42.paloaltonetworks.com\/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns\/\" target=\"_blank\" rel=\"noreferrer noopener\">Omni<\/a>\n  <\/td><\/tr><tr><td>\n  2\n  <\/td><td>\n  <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-10561\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2018-10561,\n  CVE-2018-10562<\/a>\n  <\/td><td>\n  \u91dd\u5c0dDasan\u88ab\u52d5\u5f0f\u5149\u7e96\u7db2\u8def\uff08GPON\uff09\u8def\u7531\u5668\u7684\u8a8d\u8b49\u7e5e\u904e\u548c\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\n  <\/td><td>\n  Omni<br>\n  <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/gpon-vulnerabilities-exploited-for-mexico-based-mirai-like-scanning-activities\/\" target=\"_blank\" rel=\"noreferrer noopener\">Mirai\u5f0f\u6383\u63cf<\/a>\n  <\/td><\/tr><tr><td>\n  3\n  <\/td><td>\n  <a href=\"https:\/\/www.exploit-db.com\/exploits\/37171\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2015-2051<\/a>\n  <\/td><td>\n  \u7279\u5b9aD-Link\u88dd\u7f6e\u7684\u5bb6\u5ead\u7db2\u8def\u7ba1\u7406\u5354\u5b9a\uff08HNAP\uff09SOAPAction-header\u547d\u4ee4\u57f7\u884c\u6f0f\u6d1e\n  <\/td><td>\n  Omni<br>\n  <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/thinkphp-vulnerability-abused-by-botnets-hakai-and-yowai\/\" target=\"_blank\" rel=\"noreferrer noopener\">Hakai<\/a>\n  <\/td><\/tr><tr><td>\n  4\n  <\/td><td>\n  <a href=\"https:\/\/www.exploit-db.com\/exploits\/39596\" target=\"_blank\" rel=\"noreferrer noopener\">CCTV-DVR\n  RCE<\/a>\n  <\/td><td>\n  \u591a\u5bb6CCTV-DVR\u5ee0\u5546\u7684RCE\u6f0f\u6d1e\n  <\/td><td>\n  Omni<br>\n  <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/thinkphp-vulnerability-abused-by-botnets-hakai-and-yowai\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yowai<\/a>\n  <\/td><\/tr><tr><td>\n  5\n  <\/td><td>\n  <a href=\"https:\/\/www.exploit-db.com\/exploits\/37169\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2014-8361<\/a>\n  <\/td><td>\n  \u5f71\u97ff\u6578\u6b3e\u4f7f\u7528Realtek SDK\u53caminiigd\u88dd\u7f6e\u7684\u901a\u7528\u96a8\u63d2\u5373\u7528\uff08UPnP\uff09SOAP\u547d\u4ee4\u57f7\u884c\u6f0f\u6d1e\n  <\/td><td>\n  Omni\n  <\/td><\/tr><tr><td>\n  6\n  <\/td><td>\n  <a href=\"https:\/\/www.exploit-db.com\/exploits\/28333\/\" target=\"_blank\" rel=\"noreferrer noopener\">UPnP\n  SOAP TelnetD command execution<\/a>\n  <\/td><td>\n  D-Link\u88dd\u7f6e\u7684UPnP SOAP\u547d\u4ee4\u57f7\u884c\u6f0f\u6d1e\n  <\/td><td>\n  Omni\n  <\/td><\/tr><tr><td>\n  7\n  <\/td><td>\n  <a href=\"https:\/\/www.exploit-db.com\/exploits\/40740\/\" target=\"_blank\" rel=\"noreferrer noopener\">Eir WAN\n  side remote command injection<\/a>\n  <\/td><td>\n  Eir\n  D1000\u7121\u7dda\u8def\u7531\u5668\u7684WAN\u7aef\u9060\u7aef\u547d\u4ee4\u6ce8\u5165\n  <\/td><td>\n  Omni\n  <\/td><\/tr><tr><td>\n  8\n  <\/td><td>\n  <a href=\"https:\/\/www.exploit-db.com\/exploits\/43055\/\" target=\"_blank\" rel=\"noreferrer noopener\">Netgear\n  Setup.cgi RCE<\/a>\n  <\/td><td>\n  \u91dd\u5c0dNetgear DGN1000\u7684RCE\u6f0f\u6d1e\n  <\/td><td>\n  Omni\n  <\/td><\/tr><tr><td>\n  9\n  <\/td><td>\n  <a href=\"https:\/\/www.exploit-db.com\/exploits\/41598\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2016-6277<\/a>\n  <\/td><td>\n  Netgear\n  R7000\u548cR6400\u7684\u9060\u7aef\u57f7\u884c\u4efb\u610f\u547d\u4ee4\u6f0f\u6d1e\n  <\/td><td>\n  Omni<br>\n  <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/internet-of-things\/reboot-your-routers-vpnfilter-infected-over-500-000-routers-worldwide\" target=\"_blank\" rel=\"noreferrer noopener\">VPNFilter\u611f\u67d3<\/a>\n  <\/td><\/tr><tr><td>\n  10\n  <\/td><td>\n  <a href=\"https:\/\/www.exploit-db.com\/exploits\/41471\" target=\"_blank\" rel=\"noreferrer noopener\">MVPower\n  DVR shell command execution<\/a>\n  <\/td><td>\n  MVPower\u6578\u4f4d\u9304\u5f71\u6a5f\uff08DVR\uff09\u7684\u7121\u8a8d\u8b49RCE\u6f0f\u6d1e\n  <\/td><td>\n  Omni\n  <\/td><\/tr><tr><td>\n  11\n  <\/td><td>\n  <a href=\"https:\/\/www.exploit-db.com\/exploits\/43414\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2017-17215<\/a>\n  <\/td><td>\n  \u83ef\u70baHG532\u8def\u7531\u5668\u7684\u4efb\u610f\u547d\u4ee4\u57f7\u884c\u6f0f\u6d1e\n  <\/td><td>\n  Omni<br>\n  <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/internet-of-things\/source-code-of-iot-botnet-satori-publicly-released-on-pastebin\" target=\"_blank\" rel=\"noreferrer noopener\">Satori<\/a><br>\n  <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit\/\" target=\"_blank\" rel=\"noreferrer noopener\">Miori<\/a>\n  <\/td><\/tr><tr><td>\n  12\n  <\/td><td>\n  <a href=\"https:\/\/www.exploit-db.com\/exploits\/31683\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linksys\n  RCE<\/a>\n  <\/td><td>\n  Linksys\n  E\u7cfb\u5217\u8def\u7531\u5668\u7684RCE\u6f0f\u6d1e\n  <\/td><td>\n  <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/reigning-king-ip-camera-botnets-challengers\/\" target=\"_blank\" rel=\"noreferrer noopener\">TheMoon<\/a>\n  <\/td><\/tr><tr><td>\n  13\n  <\/td><td>\n  <a href=\"https:\/\/www.exploit-db.com\/exploits\/45978\" target=\"_blank\" rel=\"noreferrer noopener\">ThinkPHP\n  5.0.23\/5.1.31 RCE<\/a>\n  <\/td><td>\n  \u958b\u653e\u539f\u59cb\u78bc\u7db2\u9801\u958b\u767c\u6846\u67b6ThinkPHP 5.0.23\/5.1.31\u7684RCE\u6f0f\u6d1e\n  <\/td><td>\n  <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/thinkphp-vulnerability-abused-by-botnets-hakai-and-yowai\/\" target=\"_blank\" rel=\"noreferrer noopener\">Hakai<br>\n  Yowai<\/a>\n  <\/td><\/tr><\/tbody><\/table>\n\n\n\n<p><em>\u88681. <\/em><em>\u6240\u4f7f\u7528\u6f0f\u6d1e\u53ca\u5176\u4ed6\u76f8\u95dc\u653b\u64ca<\/em><\/p>\n\n\n\n<p>\u6839\u64daUnit 42\u7684\u4e00\u4efd<a href=\"https:\/\/unit42.paloaltonetworks.com\/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns\/\">\u5831\u544a<\/a>\uff0c2018\u5e74\u7684Mirai\u8b8a\u7a2eOmni\u66fe\u7d93\u4f7f\u7528\u4e86\u5176\u4e2d11\u500b\u6f0f\u6d1e\u3002\u5269\u4e0b\u5169\u500b\u4e0d\u5c6c\u65bc\u4e4b\u524dMirai\u6d3b\u52d5\u7684\u6f0f\u6d1e\u653b\u64ca\u4e86Linksys\u548cThinkPHP RCE\u3002\u4f46\u9019\u5169\u500b\u6f0f\u6d1e\u4e5f\u51fa\u73fe\u5728\u6700\u8fd1\u7684<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/internet-of-things\/mirai-variant-spotted-using-multiple-exploits-targets-various-routers\">\u653b\u64ca<\/a>\u4e2d\uff0c\u524d\u8ff0\u653b\u64ca\u9084\u4f7f\u7528\u4e86\u53e6\u5916\u56db\u500b\u5217\u8868\u4e0a\u7684\u6f0f\u6d1e\uff1aCVE-2018-10561\u3001CVE-2014-8361\u3001UPnP SOAP TelnetD\u547d\u4ee4\u57f7\u884c\u548cCVE-2017-17215\u6f0f\u6d1e\u653b\u64ca\u3002<\/p>\n\n\n\n<p>\u6211\u5011\u4e5f<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/thinkphp-vulnerability-abused-by-botnets-hakai-and-yowai\/\">\u5831\u544a<\/a>\u904eGafgyt\u8b8a\u7a2eHakai\u548cMirai\u8b8a\u7a2eYowai\u5229\u7528\u4e86CVE-2015-2051\u548cCCTV-DVR RCE\u6f0f\u6d1e\uff0c\u4e26\u8a73\u7d30\u4ecb\u7d39\u4e86\u9019\u5169\u96bb\u60e1\u610f\u8edf\u9ad4\u8b8a\u7a2e\u5982\u4f55\u5229\u7528ThinkPHP RCE\u6f0f\u6d1e\u653b\u64ca\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\u7d50\u8ad6\u548c\u5b89\u5168\u5efa\u8b70<\/strong><\/h3>\n\n\n\n<p>\u9019\u96bb\u65b0\u8b8a\u7a2e\u7684\u5e55\u5f8c\u653b\u64ca\u8005\u53ef\u80fd\u53ea\u662f\u5f9e\u5176\u4ed6\u653b\u64ca\u8907\u88fd\u4e86\u4e4b\u524d\u6848\u4f8b\u6240\u7528\u6f0f\u6d1e\u653b\u64ca\u7684\u7a0b\u5f0f\u78bc\u3002\u800c\u653b\u64ca\u8005\u9078\u64c7\u9019\u4e9b\u6f0f\u6d1e\u653b\u64ca\u53ef\u80fd\u662f\u56e0\u70ba\u8a31\u591a\u53d7\u5f71\u97ff\u88dd\u7f6e\u90fd\u6709\u5ee3\u6cdb\u7684\u4f7f\u7528\u91cf\uff0c\u4e14\u8a31\u591a\u4f7f\u7528\u8005\u5c1a\u672a\u66f4\u65b0\u4fee\u88dc\u7a0b\u5f0f\u4f86\u5c01\u5835\u88ab\u5229\u7528\u7684\u6f0f\u6d1e\u3002\u6211\u5011\u5728\u6b64\u53ea\u80fd\u63a8\u6e2c\u653b\u64ca\u80cc\u5f8c\u7684\u52d5\u6a5f\u3002<\/p>\n\n\n\n<p>\u4f46\u4f7f\u7528\u8005\u5df2\u7d93\u6709\u9810\u9632\u63aa\u65bd\u53ef\u4ee5\u9632\u6b62Mirai\u8b8a\u7a2e\u64f4\u6563\u53ca\u653b\u64ca\u6210\u529f\u3002\u5305\u62ec\u66f4\u65b0\u6b63\u78ba\u7684\u4fee\u88dc\u7a0b\u5f0f\u53ca\u66f4\u65b0\u4f86\u62b5\u79a6\u6b64\u985e\u60e1\u610f\u8edf\u9ad4\u6240\u7528\u7684\u6f0f\u6d1e\u653b\u64ca\u3002\u4f7f\u7528\u8005\u9084\u61c9\u8a72\u8981\u7279\u5225\u6ce8\u610f\u9078\u64c7\u9023\u63a5\u7db2\u8def\u7684\u7522\u54c1\uff0c\u5c07\u88fd\u9020\u5ee0\u5546\u5c0d\u8cc7\u5b89\u7684\u614b\u5ea6\u53ca\u6703\u5426\u5118\u901f\u767c\u5e03\u4fee\u88dc\u66f4\u65b0\u7b49\u8003\u616e\u5728\u5167\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\u8da8\u52e2\u79d1\u6280\u89e3\u6c7a\u65b9\u6848<\/strong><\/h3>\n\n\n\n<p>\u8da8\u52e2\u79d1\u6280Smart Home Network\u63d0\u4f9b\u5d4c\u5165\u5bb6\u5ead\u7db2\u8def\u7684\u5b89\u5168\u89e3\u6c7a\u65b9\u6848\uff0c\u4fdd\u8b77\u9023\u63a5\u5bb6\u5ead\u7db2\u8def\u7684\u6240\u6709\u8a2d\u5099\u62b5\u79a6\u7db2\u8def\u653b\u64ca\u3002\u8da8\u52e2\u79d1\u6280Smart Home Network\u57fa\u65bc\u8da8\u52e2\u79d1\u6280\u8c50\u5bcc\u7684\u5a01\u8105\u7814\u7a76\u7d93\u9a57\u4ee5\u53ca\u696d\u754c\u9818\u5148\u7684\u6df1\u5ea6\u5c01\u5305\u6aa2\u6e2c\uff08DPI\uff09\u6280\u8853\uff0c\u80fd\u5920\u63d0\u4f9biQoS\u3001\u5bb6\u9577\u63a7\u5236\u53ca\u7db2\u8def\u5b89\u5168\u9632\u8b77\u7b49\u529f\u80fd\u3002<\/p>\n\n\n\n<p>\u8da8\u52e2\u79d1\u6280<a href=\"https:\/\/www.trendmicro.com\/us\/iot-security\/content\/main\/document\/Smart%20Home%20Network%20Whitepaper.pdf\">Smart\nHome Network<\/a>\u900f\u904e\u4e0b\u5217\u898f\u5247\u4f86\u4fdd\u8b77\u5ba2\u6236\u62b5\u79a6\u6b64\u653b\u64ca\uff1a<\/p>\n\n\n\n<ul><li>1057889: WEB D-Link Devices\nUPnP SOAP Command Execution (BID-61005)<\/li><li>1058632: EXPLOIT Linksys\nE-series Unauthenticated Remote Code Execution Exploit (EDB-31683)<\/li><li>1059669: WEB D-Link Multiple\nRouters HNAP Protocol Security Bypass Vulnerability (BID-37690)<\/li><li>1133255: WEB Remote Command\nExecution in XML -1<\/li><li>1133310: WEB Netgear R7000\nCommand Injection -1.1 (CVE-2016-6277)<\/li><li>1133419: WEB Netgear R7000\nCommand Injection -1.2 (CVE-2016-6277)\u201d<\/li><li>1133498: WEB Remote Command\nExecution via Shell Script -1.u<\/li><li>1133650: WEB Multiple CCTV-DVR\nVendors Remote Code Execution<\/li><li>1134286: WEB Realtek SDK\nMiniigd UPnP SOAP Command Execution (CVE-2014-8361)<\/li><li>1134287: WEB Huawei Home\nGateway SOAP Command Execution (CVE-2017-17215)<\/li><li>1134610: WEB Dasan GPON Routers\nCommand Injection -1.1 (CVE-2018-10561)<\/li><li>1134611: WEB Dasan GPON Routers\nCommand Injection -1.2 (CVE-2018-10561)<\/li><li>1134687: WEB Netgear DGN1000\nAnd Netgear DGN2200 Unauthenticated Command Execution<\/li><li>1134812: WEB GPON Routers\nCommand Injection (CVE-2018-10562)<\/li><li>1134891: WEB Dasan GPON Routers\nCommand Injection -1.3 (CVE-2018-10561)<\/li><li>1134892: WEB Dasan GPON Routers\nCommand Injection -1.4 (CVE-2018-10561)<\/li><li>1135215: WEB ThinkPHP Remote\nCode Execution<\/li><li>1135617: WEB VACRON NVR\nboard.cgi cmd Remote Command Execution<\/li><\/ul>\n\n\n\n<p><a href=\"https:\/\/t.rend.tw\/?i=NDIwMw==\">\u8da8\u52e2\u79d1\u6280HYPERLINK &#8220;https:\/\/t.rend.tw\/?i=NDIwMw==&#8221;Deep\nDiscoveryHYPERLINK\n&#8220;https:\/\/t.rend.tw\/?i=NDIwMw==&#8221;\u9032\u968e\u7db2\u8def\u5b89\u5168\u9632\u8b77<\/a> \u900f\u904e\u7279\u88fd\u5f15\u64ce\u3001\u5ba2\u88fd\u5316<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/deploying-a-smart-sandbox-for-unknown-threats-and-zero-day-attacks\/\">\u6c99\u7bb1<\/a>\u548c\u8de8\u8d8a\u6574\u500b\u653b\u64ca\u751f\u547d\u9031\u671f\u7684\u7121\u7e2b\u95dc\u806f\u6280\u8853\u4f86\u5c0d\u6f0f\u6d1e\u653b\u64ca\u53ca\u5176\u4ed6\u985e\u4f3c\u5a01\u8105\u9032\u884c\u5075\u6e2c\u3001\u6df1\u5165\u5206\u6790\u548c\u4e3b\u52d5\u56de\u61c9\uff0c\u5f9e\u800c\u53ef\u4ee5\u7121\u9700\u66f4\u65b0\u5f15\u64ce\u548c\u7279\u5fb5\u78bc\u5c31\u80fd\u5920\u5075\u6e2c\u9019\u4e9b\u985e\u578b\u7684\u653b\u64ca\u3002\u9019\u4e9b\u89e3\u6c7a\u65b9\u6848\u7531<a href=\"https:\/\/www.trendmicro.tw\/business\/xgen-security.html\">\u8da8\u52e2\u79d1\u6280\u7684XGen\u5b89\u5168\u9632\u8b77\u6280\u8853<\/a>\u6240\u9a45\u52d5\uff0c\u5b83\u63d0\u4f9b\u8de8\u4e16\u4ee3\u7684\u6df7\u5408\u5a01\u8105\u9632\u79a6\u6280\u8853\uff0c\u53ef\u4ee5\u62b5\u79a6<br>\n<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/hybrid-cloud\/deep-security-data-center.html\">\u8cc7\u6599\u4e2d\u5fc3<\/a>\u3001<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/hybrid-cloud\/deep-security-for-cloud.html\">\u96f2\u7aef\u74b0\u5883<\/a>\u3001<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/network.html\">\u7db2\u8def<\/a>\u548c<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection.html\">\u7aef\u9ede<\/a>\u6240\u9762\u81e8\u7684\u5404\u7a2e\u5a01\u8105\u3002\u7cbe\u6e96\u3001\u6700\u4f73\u5316\u3001\u74b0\u74b0\u76f8\u6263\u7684XGen\u9632\u8b77\u6280\u8853\u9a45\u52d5\u8457\u8da8\u52e2\u79d1\u6280\u7684\u9632\u8b77\u89e3\u6c7a\u65b9\u6848\uff1aHybrid&nbsp;Cloud Security\uff08\u6df7\u5408\u5f0f\u96f2\u7aef\u9632\u8b77\uff09\uff0cUser\nProtection\uff08\u4f7f\u7528\u8005\u9632\u8b77\uff09\u548cNetwork Defense\uff08\u5167\u7db2\u9632\u8b77\uff09\u3002&nbsp;<br>\n<br>\n<\/p>\n\n\n\n<p>\u8da8\u52e2\u79d1\u6280Deep Discovery Inspector\u900f\u904e\u4ee5\u4e0b\u898f\u5247\u4fdd\u8b77\u5ba2\u6236\u62b5\u79a6\u4e0a\u8ff0\u653b\u64ca\uff1a<\/p>\n\n\n\n<ul><li>2385: SOAP RCE EXPLOIT \u2013 HTTP\n(Request)<\/li><li>2485: CCTV-DVR Remote Code\nExecution \u2013 HTTP (Request)<\/li><li>2543: VACRON Remote Code\nExecution Exploit \u2013 HTTP (Request)<\/li><li>2547: NETGEAR DGN1000\/DGN2200\nRemote Code Execution \u2013 HTTP (Request)<\/li><li>2548: LINKSYS Remote Code Execution\n\u2013 HTTP (Request)<\/li><li>2575: Command Injection via\nUPnP SOAP Interface \u2013 HTTP (Request)<\/li><li>2630: HNAP1 Remote Code\nExecution Exploit \u2013 HTTP (Request)<\/li><li>2639: CVE-2018-10562 \u2013 GPON\nRemote Code Execution \u2013 HTTP (Request)<\/li><li>2786: ThinkPHP 5x Remote Code\nExecution \u2013 HTTP (Request)<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\u5165\u4fb5\u6307\u6a19\uff08IoC<\/strong><strong>\uff09<\/strong><\/h3>\n\n\n\n<p><a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/Backdoor.Linux.MIRAI.VWIPT\">Backdoor.Linux.MIRAI.VWIPT<\/a>\u7684\u76f8\u95dcSHA-256\u96dc\u6e4a\u503c\uff1a<\/p>\n\n\n\n<ul><li>c15382bc81e1bff4cf03d769275b7c4d2d586a21e81ad4138464d808e3bb464c<\/li><\/ul>\n\n\n\n<p>\u76f8\u95dc\u60e1\u610f\u7db2\u5740\uff1a<\/p>\n\n\n\n<table  class=\"wp-block-table table table-hover\" ><tbody><tr><td>\n  <strong>\u7db2\u5740<\/strong>\n  <\/td><td>\n  <strong>\u6558\u8ff0<\/strong>\n  <\/td><\/tr><tr><td>\n  hxxp:\/\/32[.]235[.]102[.]123:1337\n  <\/td><td>\n  C&amp;C\n  <\/td><\/tr><tr><td>\n  hxxp:\/\/ililililililililil[.]hopto[.]org\/shiina\/tmp.arm7\n  <\/td><td>\n  \u4e0b\u8f09\u9023\u7d50\u53ca\u690d\u5165\u7a0b\u5f0f\n  <\/td><\/tr><tr><td>\n  hxxp:\/\/ililililililililil[.]hopto[.]org\/shiina\/tmp.mips\n  <\/td><\/tr><tr><td>\n  hxxp:\/\/ililililililililil[.]hopto[.]org\/love.sh\n  <\/td><\/tr><\/tbody><\/table>\n\n\n\n<h3 class=\"wp-block-heading\">\u4f7f\u7528\u7684\u5bc6\u78bc<\/h3>\n\n\n\n<ul><li>2345<\/li><li>666666<\/li><li>888888<\/li><li>20080826<\/li><li>\/ADMIN\/<\/li><li>1q2w3e4r5<\/li><li>3ep5w2u<\/li><li>admintelecom<\/li><li>anko<\/li><li>cisco<\/li><li>default<\/li><li>e8ehome<\/li><li>e8telnet<\/li><li>guest<\/li><li>hi3518<\/li><li>hi3518<\/li><li>hunt5759<\/li><li>IPCam@sw<\/li><li>ipcam_rt5350<\/li><li>juantech<\/li><li>juantech<\/li><li>jvbzd<\/li><li>jvbzd<\/li><li>klv123<\/li><li>klv1234<\/li><li>klv1234<\/li><li>password<\/li><li>qwerty<\/li><li>QwestM0dem<\/li><li>service<\/li><li>service<\/li><li>smcadmin<\/li><li>supervisor<\/li><li>support<\/li><li>svgodie<\/li><li>system<\/li><li>telecomadmin<\/li><li>ubnt<\/li><li>xc3511<\/li><li>xmhdipc<\/li><li>xmhdpic<\/li><li>zsun1188<\/li><li>Zte521<\/li><\/ul>\n\n\n\n<p>@\u539f\u6587\u51fa\u8655\uff1a<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/new-mirai-variant-uses-multiple-exploits-to-target-routers-and-other-devices\/\">New\nMirai Variant Uses Multiple Exploits to Target Routers and Other Devices<\/a><br>\n\u4f5c\u8005\uff1aAugusto Remillano II\u548cJakub Urbanec<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u8da8\u52e2\u79d1\u6280\u767c\u73fe\u4e86\u4e00\u96bb\u4f7f\u7528\u4e8613\u7a2e\u4e0d\u540c\u6f0f\u6d1e\u7684\u65b0Mirai\u8b8a\u7a2e\uff08\u5075\u6e2c\u70baBackdoor.Linux.MIRAI.VW [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":60739,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[1335,11,1,3654,156],"tags":[1599,3088,23,2292,1593,2981],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/60735"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=60735"}],"version-history":[{"count":0,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/60735\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/media\/60739"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=60735"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=60735"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=60735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}