Overview of a source-code theft attack

Source: Internet
Author: User
Tags: mail, mysql, database

Prologue

Guohua Company (not its real name) is an internationally known systems-software company. Its Hammer product is the core of the company's security product line and, for Guohua, its lifeblood. Xiao Hei has been a professional hacker for three years; when he is not online he is travelling the world with a backpack. The day before yesterday a chubby man in a black suit sought him out. He asked no questions and made a very specific request: obtain the complete source code of the next version of Hammer, for a large cash payment. Who the client was, and whether this was business competition, Xiao Hei did not really know; the reward was unusually generous, so he took the contract.

Exploration

Xiao Hei knew how hard the job would be. Guohua is well known in China's security industry; could its own security really be careless? He also understood the risks of the work, and the company's relations with the government were good... Leaving no trace was not only a matter of satisfying the client; it was his own protection.

Xiao Hei started with a Google search for news about Guohua. Guohua is mainly a software development company; source-code management is its core secret, all Hammer source is kept in a source-code repository on the company network, and that network is protected by a complex security gateway: not a single firewall but a combination of many security measures. Outsiders cannot get in, and even insiders face layer upon layer of barriers. Hard!

At the same time, Xiao Hei learned something else: Guohua is a typical high-tech software company with employees in many countries, and many of its programmers are used to working from home. They connect to Guohua over a VPN; after username and password verification they can reach the company's network resources, not only to send and receive company mail but also to handle company business such as performance evaluations. Work comes first, of course: many programmers spend every day downloading the source files they need to edit and uploading the modified files...

With that, Xiao Hei felt he had a target...

Preparation

To hide himself, Xiao Hei first did some preparatory work. He drove around to find a suitable "workplace" and soon found a good spot: an Internet café next to a primary school, with wireless access. Once online, he used the Nessus vulnerability scanner to look for servers on the Internet and found a web server at a university in Beijing that was already infected with a trojan. Whoever had planted it was a novice who had not protected the spoils, and Xiao Hei took control of the server without even having to guess a password. Soon he also found a badly neglected Linux server at a commercial website in Guangzhou, which also ran a MySQL database, and took it over without hesitation.

Neither server had anything to do with the Guohua network, but Xiao Hei now had two "stormtroopers" at his command, even if they could not yet be sent to the front line.

Reconnaissance


To learn more about Guohua, Xiao Hei not only studied the company's website in detail but also Googled many blogs, forums and newsgroups for posts by Guohua employees, and soon found plenty of them. Most were non-commercial discussion, suggestions and technical exchange; occasionally one touched on the company's network structure, for example that remote work went over a VPN, but those were of little value. What interested him more was that the employees had left their real e-mail addresses. He quickly worked out Guohua's mailbox naming rule (the employee's full name in pinyin) and, by chance, also found part of the address book of the company's sales organisation...

After collecting about 200 company e-mail addresses, Xiao Hei began preparing the next step.

The Trick

Xiao Hei had a rather good puzzle game that he had written himself when bored and never shown to anyone. He first put the game on the Guangzhou server, registered a domain name, set up a download service for the game on that server, and created a so-called company service mailbox. He then had the Beijing server send an enticing message to 20 of the employee addresses he had selected from the list: play the latest game for free (roughly: our company is testing a new game and needs expert testers; are you a game master? Come and try it!), with a download link pointing to the Guangzhou server. He did not mail everyone on the list, to avoid triggering the anti-spam filter on Guohua's mail server.

Of course Xiao Hei was not doing this out of kindness: he used a packaging tool to bundle a trojan with the game on the Guangzhou server. To be safe, the trojan was separately "designed" (again with tools) so that Guohua's anti-virus software would not detect it.

The Bait

Xiao Hua is a long-serving Guohua employee, a typical workaholic who does nothing all day but write code and play games; she also works from home. One morning, while reading company mail, she found the message offering a free demo game. "Cool!" she said, and on impulse decided to try it.

As a long-serving employee, Xiao Hua did not want the company to catch her downloading games over the company network, so she closed the VPN connection before clicking the download link in the mail. She knew well the harm viruses do, so the first thing she did after downloading was to scan the game with the anti-virus software the company had deployed to everyone; only after it reported no problem did she run it. The game was "green" software that needed no installation. She found it very good and played happily, and even wrote to the "developers" with some suggestions. She did not notice that the moment the game started, the trojan backdoor started working too. Perhaps the blame lies with anti-virus signatures that were not often updated, though even up-to-date signatures might not have caught a freshly built backdoor...

Propagation

After playing for a while Xiao Hua went back to work, set up the VPN connection, entered her ID and password and connected to the company network. At that point the trojan on her machine began scanning the Guohua network through the VPN link, and got lucky: it found a Windows file share holding many commonly used programs, including the VPN client software. Among them was Notepad.exe, the everyday text editor. The trojan renamed Notepad.exe to nn.com and uploaded a copy of itself under the name Notepad.exe, and so spread from a VPN user's machine into the company's internal network.

Other employees often launch the editor. When they ran Notepad.exe, the trojan first copied itself onto their machine and then called nn.com, so the user noticed nothing unusual. Very soon Xiao Hei's trojan had spread through Guohua's offices across the country.
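The rename-and-replace trick above leaves a recognisable footprint on the share: the file called Notepad.exe no longer matches its known-good hash, and a new file (nn.com) carries exactly the hash the real Notepad.exe used to have. The following Python script is an added example, not code from the original story; it takes a hash baseline of a share while it is trusted and later reports both signs. The share contents and the file names are constructed stand-ins.

```python
"""Audit a file share for the rename-and-replace trick described in the story.

Added example, not from the original post. A baseline of SHA-256 hashes is taken
while the share is trusted; a later audit reports executables whose hash changed
(replaced), new files whose hash matches a baseline entry under another name (the
renamed original), and unknown executables.
"""
import hashlib
import tempfile
from pathlib import Path

# Suffixes treated as executable when an unknown file appears (assumption for the demo).
EXEC_SUFFIXES = {".exe", ".com", ".dll", ".scr", ".bat"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(share_dir: Path) -> dict:
    """Known-good baseline: lower-cased file name -> SHA-256 (Windows names are case-insensitive)."""
    return {p.name.lower(): sha256_of(p) for p in share_dir.iterdir() if p.is_file()}


def audit_share(share_dir: Path, baseline: dict) -> list:
    """Compare the share against the baseline; return (finding, file name, detail) tuples."""
    by_hash = {digest: name for name, digest in baseline.items()}
    findings = []
    for p in sorted(share_dir.iterdir()):
        if not p.is_file():
            continue
        name, digest = p.name.lower(), sha256_of(p)
        if name in baseline:
            if digest != baseline[name]:
                # The name is familiar but the bytes are not: Notepad.exe is now the trojan.
                findings.append(("REPLACED", name, digest))
        elif digest in by_hash:
            # New name, old bytes: nn.com is the real Notepad.exe kept for the trojan to call.
            findings.append(("RENAMED_ORIGINAL", name, by_hash[digest]))
        elif p.suffix.lower() in EXEC_SUFFIXES:
            findings.append(("UNKNOWN_EXECUTABLE", name, digest))
    return findings


def demo() -> list:
    """Constructed scenario: a share with two tools, then the trojan's rename-and-replace."""
    root = Path(tempfile.mkdtemp())
    (root / "notepad.exe").write_bytes(b"MZ real notepad (constructed stand-in)")
    (root / "putty.exe").write_bytes(b"MZ real putty (constructed stand-in)")
    baseline = snapshot(root)
    # The trojan's two moves from the story.
    (root / "notepad.exe").rename(root / "nn.com")
    (root / "notepad.exe").write_bytes(b"MZ trojan wrapper that runs itself, then nn.com (constructed)")
    return audit_share(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

On a real share the baseline would be taken from a golden image or signed package manifests rather than from the share itself, and the audit would run from a host the share users cannot write to; the logic is the same.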

Attack

Another task of Xiao Hei's trojan was to collect the password hashes stored on each system. It could also log keystrokes when a user set up a new connection, analyse them and filter out user IDs and login passwords. Finally, using the more than 500 company e-mail addresses Xiao Hei had collected by now, it mailed the results to the Beijing server; the messages looked like normal employee mail, and the content was encrypted. Before long, more than 500 password hashes had been gathered on the Beijing server.

Xiao Hei did not crack these passwords directly from the Beijing server, since that would be easy to trace. He installed Netcat on a newly captured server in Shanghai as a network relay, installed the covert_tcp server on the Guangzhou server (a covert-channel technique that embeds data in TCP header fields), and chose the well-known Sina website as the bounce point, since a well-known commercial site attracts no suspicion and the site itself is unaffected. Over this "TCP ACK bounce" channel he used a remote shell to reach the Beijing server.

All this detour was to hide his tracks. With the channel in place, he installed the John the Ripper cracking tool on the Beijing server, and in under three hours had cracked 50 of the 500 passwords.
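The bounce channel above works because the bounce host's handshake reply acknowledges whatever initial sequence number (ISN) it was sent, plus one, and delivers it to the spoofed source. The following Python script is an added example, not part of the original story and not the covert_tcp tool itself; it shows what a sensor on the receiving end can check. It assumes the encoding described in Rowland's covert_tcp paper, one message byte in the high-order byte of the ISN, so the acked ISNs are all 24-bit aligned, something genuine random ISNs essentially never are. The packet records and host names are constructed.

```python
"""Spot a covert_tcp-style bounce channel in captured TCP handshake records.

Added example (not from the original post). The sender spoofs the victim's address
on SYNs to an innocent bounce host; the bounce host's SYN/ACK or RST/ACK reaches
the victim with ack = ISN + 1. With one byte packed into the top byte of the ISN
(assumed encoding), every acked ISN has its low 24 bits zero. That is the indicator.
"""
from collections import defaultdict

MASK32 = 0xFFFFFFFF
LOW24 = 0x00FFFFFF


def encode_isn(byte: int) -> int:
    """Sender side (assumed encoding): one message byte in the high-order byte of the ISN."""
    return (byte & 0xFF) << 24


def bounce_reply_ack(isn: int) -> int:
    """TCP semantics: the handshake reply acknowledges ISN + 1."""
    return (isn + 1) & MASK32


def find_isn_channels(packets, min_packets=8) -> dict:
    """Group handshake replies by (src, dst); return the decoded payload of any group
    whose acked ISNs are all 24-bit aligned. packets: (src, dst, flags, seq, ack)."""
    acked = defaultdict(list)
    for src, dst, flags, seq, ack in packets:
        if flags in ("SA", "RA"):  # SYN/ACK or RST/ACK replies carry the echoed ISN + 1
            acked[(src, dst)].append((ack - 1) & MASK32)
    hits = {}
    for flow, isns in acked.items():
        if len(isns) >= min_packets and all(isn & LOW24 == 0 for isn in isns):
            hits[flow] = bytes(isn >> 24 for isn in isns)
    return hits


def constructed_capture(message: bytes) -> list:
    """Constructed sample: one bounced covert flow plus one ordinary handshake flow."""
    pkts = []
    for i, b in enumerate(message):
        # The bounce host answers the spoofed SYN; its own ISN (seq) carries no data.
        pkts.append(("bounce-host", "relay-host", "SA", 0x5EED0000 + i, bounce_reply_ack(encode_isn(b))))
    for i in range(20):
        # A legitimate server acknowledging random-looking client ISNs (deterministic stand-in).
        ack = (0x9E3779B1 * (i + 1)) & MASK32
        pkts.append(("mail-host", "relay-host", "SA", 0xC0FFEE00 + i, ack))
    return pkts


def demo() -> dict:
    return find_isn_channels(constructed_capture(b"500 hashes ready"))


if __name__ == "__main__":
    for flow, payload in demo().items():
        print(flow, payload)
```

The check is deliberately narrow: it catches the documented ISN encoding, and a variant that spreads the byte elsewhere in the header would need its own test. The broader signal, many unsolicited SYN/ACKs or RST/ACKs from a single public site to a host that never opened connections to it, is worth alerting on regardless of encoding.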

With these freshly cracked credentials (including the IDs and passwords of some senior managers), Xiao Hei logged in to Guohua's VPN gateway from the Beijing server under a legitimate identity and began scanning for the hiding place of the Hammer source code. This kind of scanning takes real skill, because the company's internal network security monitoring was strong and a high-rate packet scan would quickly draw the attention of the security staff; so he scanned in a distributed, intermittent fashion, probing slowly... At the same time, to support the internal scanning, he used the roughly 10,000 zombie machines under his control for intermittent DDoS attacks on the company's external website, mainly to keep the security managers' attention elsewhere.

Having located the source code of the next Hammer version, and with a steady supply of "password support", Xiao Hei quickly obtained download rights to the code repository. Treasure in hand, he almost cried out with joy. The work still had to be done carefully, step by step... Over a few days he gradually downloaded all the code, by indirect routes, onto his own system.

Epilogue

Xiao Hei was very pleased. Watching the fat man's surprise when he received the disc gave him a sense of achievement. After the scheduled "delivery", counting the thick stack of notes, he began planning his romantic journey to South America...

Reflection

Xiao Hei is a professional hacker, which is understandable; but from his "adventure", can you name the loopholes in Guohua's security management? A sense of danger is something every security manager must keep in mind...

This article is from the "Jack Zhai" blog; please keep this source: http://zhaisj.blog.51cto.com/219066/278006
