How to Effectively Detect and Block SunBurst Malware?

Earlier this month a new, highly evasive malware attacker named SunBurst was disclosed. Some countermeasures were made public right away, in particular a set of Snort/Suricata rules. We analysed these rules to find out whether the ntop tools can detect and block Sunburst, and the answer is yes, they can. Let's look at some of the rules. The first thing you notice is that they are any/any, meaning the IDS has to inspect every connection: most IDSs do not use DPI the way the ntop tools do, so they have to search everywhere instead of pinpointing the exact field. This means overall tool performance drops, because even unrelated traffic has to be analysed, and you may run into false positives.

The rules below are essentially TLS SNI (Server Name Indication) matches.

alert tcp any any <> any 443 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"avsvmcloud.com"; distance:0; sid:77600845; rev:1;) 
alert tcp any any <> any 443 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"digitalcollege.org"; within:50; sid:77600846; rev:1;) 
alert tcp any any <> any 443 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"freescanonline.com"; within:50; sid:77600847; rev:1;) 

These you can detect with nDPI.

Note that because these rules were designed before encrypted traffic came into use, they are not optimal: they are rather primitive and limited in scope. For example, look at what DPI reports for this kind of TLS traffic:

TCP 192.168.1.102:51293 <-> 20.140.0.1:443 [proto: 91/TLS][cat: Web/5][7 pkts/998 bytes <-> 6 pkts/1553 bytes][Goodput ratio: 52/74][1.74 sec][ALPN: h2;http/1.1][bytes ratio: -0.218 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/109 253/420 1142/1033 447/434][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 143/259 583/1215 180/428][Risk: ** Self-signed Certificate **][TLSv1.2][Client: avsvmcloud.com][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA3S: 364ff14b04ef93c3b4cfa429d729c0d9][Issuer: CN=localhost][Subject: CN=localhost][Certificate SHA-1: D2:D1:B8:2B:15:FB:C9:51:B7:24:FF:56:B4:EF:9D:82:E2:E5:EA:B3][Validity: 2020-10-14 21:20:12 – 2022-12-17 11:32:25][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0]

As you can see, this is a self-signed TLS certificate, which is not a good sign either.

Other rules, like the ones below, are different but roughly equivalent:

alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"freescanonline.com"; within:100; sid:77600852; rev:1;) 
alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"deftsecurity.com"; within:100; sid:77600853; rev:1;) 
alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"thedoccloud.com"; within:100; sid:77600854; rev:1;) 
alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"virtualdataserver.com"; within:100; sid:77600855; rev:1;)

In this case the rules basically say: search in HTTP (even on non-standard ports) and, if you find a connection to a specific website (e.g. freescanonline.com), raise an alert.

In summary, these are old-style rules designed for the protocols of the year 2000, and they need updating. These are the nDPI-equivalent rules:

$ cat sunburst.protos
#  Format:
#  <tcp|udp>:,<tcp|udp>:,.....@
#  Subprotocols
#  Format:
#  host:"",host:"",.....@
#
#  IP based Subprotocols
#  Format:
#  ip:,ip:,.....@
host:"avsvmcloud.com"@APT.Backdoor.MSIL.SUNBURST
host:"digitalcollege.org"@APT.Backdoor.MSIL.SUNBURST
host:"freescanonline.com"@APT.Backdoor.MSIL.SUNBURST
host:"freescanonline.com"@APT.Backdoor.MSIL.SUNBURST
host:"deftsecurity.com"@APT.Backdoor.MSIL.SUNBURST
host:"thedoccloud.com"@APT.Backdoor.MSIL.SUNBURST
host:"virtualdataserver.com"@APT.Backdoor.MSIL.SUNBURST
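The translation from the Snort/Suricata rules above to nDPI host lines can be done mechanically: pull the msg: label and every content: match that looks like a DNS name, drop the |hex| byte patterns and the "Host:" literal, and collapse duplicates (the same domain appears in both a TLS and an HTTP rule). The example below, added here and not part of the original post or of ntop's code, does that and then classifies an SNI or Host value against the resulting table. The parent-domain matching in classify() is this example's assumption, not a statement of nDPI's exact matcher; the three rules embedded in SNORT_RULES are copied from the post.

```python
import re

# Constructed sample: two of the Snort/Suricata rules quoted above, plus the
# HTTP Host: rule for the same domain, to show that duplicates collapse.
SNORT_RULES = r'''
alert tcp any any <> any 443 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"avsvmcloud.com"; distance:0; sid:77600845; rev:1;)
alert tcp any any <> any 443 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"freescanonline.com"; within:50; sid:77600847; rev:1;)
alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"freescanonline.com"; within:100; sid:77600852; rev:1;)
'''

MSG_RE = re.compile(r'msg:"([^"]+)"')
CONTENT_RE = re.compile(r'content:"([^"]+)"')
HOST_RE = re.compile(r'^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')  # a DNS name, not |hex| or "Host:"

def snort_to_protos(rules_text):
    """Emit one nDPI 'host:"..."@PROTO' line per unique (host, msg) pair, in first-seen order."""
    seen = {}  # dict used as an insertion-ordered set
    for line in rules_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # blank line or a line without a msg: field
        for content in CONTENT_RE.findall(line):
            if HOST_RE.match(content):
                seen[(content.lower(), m.group(1))] = None
    return ['host:"%s"@%s' % (host, proto) for host, proto in seen]

def load_protos(lines):
    """Parse host:"..."@PROTO lines into {host: proto}; '#' comments and blanks are skipped."""
    table = {}
    for line in lines:
        m = re.match(r'\s*host:"([^"]+)"@(\S+)\s*$', line)
        if m:
            table[m.group(1).lower()] = m.group(2)
    return table

def classify(hostname, table):
    """Label a TLS SNI or HTTP Host value: exact host or any parent domain (assumed semantics)."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        proto = table.get(".".join(labels[i:]))
        if proto:
            return proto
    return None
```

Feeding the full rule set through snort_to_protos() yields the sunburst.protos lines above without the duplicate freescanonline.com entry.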

Now you can start ndpiReader as follows.

$ ndpiReader -p sunburst.protos -i ~/avsvmcloud.com.pcap -v 2

...

Detected protocols:
APT.Backdoor.MSIL.SUNBURST packets: 13 bytes: 2551 flows: 1

Protocol statistics:
Acceptable 2551 bytes

JA3 Host Stats:
IP Address # JA3C
1 192.168.1.102 1

1 TCP 192.168.1.102:51293 <-> 20.140.0.1:443 [proto: 91.255/TLS.APT.Backdoor.MSIL.SUNBURST][cat: Web/5][7 pkts/998 bytes <-> 6 pkts/1553 bytes][Goodput ratio: 52/74][1.74 sec][ALPN: h2;http/1.1][bytes ratio: -0.218 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/109 253/420 1142/1033 447/434][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 143/259 583/1215 180/428][Risk: ** Self-signed Certificate **][TLSv1.2][Client: avsvmcloud.com][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA3S: 364ff14b04ef93c3b4cfa429d729c0d9][Issuer: CN=localhost][Subject: CN=localhost][Certificate SHA-1: D2:D1:B8:2B:15:FB:C9:51:B7:24:FF:56:B4:EF:9D:82:E2:E5:EA:B3][Validity: 2020-10-14 21:20:12 - 2022-12-17 11:32:25][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0]

Now you can use the same technique in other tools such as ntopng, as follows:

ntopng -p sunburst.protos -i ~/avsvmcloud.com.pcap

Then, inside ntopng, you have to tell it that Sunburst is malware by binding it (menu Settings -> Applications and Categories) so that Sunburst belongs to the Malware category.

ntopng detects it as malware

and triggers an alert,

which can be sent through the endpoint/recipients mechanism to external applications, messaging apps, ElasticSearch or SecurityOnion.

If, in addition to detecting it, you also want to block it, just use ntopng Edge (essentially ntopng inline).