NSA组织"二次约会"间谍软件功能复现及加解密分析技术文档<\/h1>

1. 概述<\/h2>
本文档详细分析了NSA组织开发的"二次约会"(SecondDate)间谍软件v1.1.1.1版本的功能实现和加密机制。该软件是一款中间人攻击专用工具，主要功能包括：<\/p>
网络流量嗅探<\/li>
特定网络会话劫持<\/li>
网络流量篡改<\/li>
多层加密通信<\/li> <\/ul>
2. 样本基本信息<\/h2>

2.1 控制端(Seconddate_CnC)<\/h3>
文件大小：277,864字节<\/li>
MD5：485A83B9175B50DF214519D875B2EC93<\/li>
SHA1：0A7830FF10A02C80DEE8DDF1CEB13076D12B7D83<\/li>
CRC32：5869735B<\/li> <\/ul>
2.2 被控端(Seconddate_Implant)<\/h3>
文件大小：223,708字节<\/li>
MD5：4A1B659A517ACA1310AA98DB3508940C<\/li>
SHA1：DA3CB8AB4632EC36C99C71417D21960846D1FEFE<\/li>
CRC32：CB80FA6E<\/li> <\/ul>
3. 功能复现<\/h2>

3.1 受控端运行<\/h3>
在受控主机执行以下命令即可运行木马：<\/p>
.\/Seconddate_Implant
<\/span><\/span><\/code><\/pre>运行后无明显网络行为和文件行为，但会驻留在系统中。<\/p>
3.2 控制端操作流程<\/h3>
3.2.1 创建网络响应内容<\/h4>
准备篡改后的HTTP响应文件：<\/p>
cat response
<\/span><\/span>HTTP\/1.1 200<\/span> OK
<\/span><\/span>Content-Type: text\/html
<\/span><\/span>Content-Length: 87<\/span>
<\/span><\/span>
<\/span><\/span><html><body>Hello World!!<br><br>Test Seconddate_CnC Tools!!<br><\/iframe><\/body><\/html>
<\/span><\/span><\/code><\/pre>3.2.2 配置劫持规则<\/h4>
启动控制端并配置规则：<\/p>
.\/Seconddate_CnC 192.168.184.129 8080<\/span>
<\/span><\/span>SECONDDATE> rule 1<\/span> --dstport 2345<\/span> --maxinjections 2<\/span> --injectwindow 600<\/span> --nocheckregex --injectfile \/root\/Desktop\/response
<\/span><\/span>SECONDDATE> enable 1<\/span>
<\/span><\/span><\/code><\/pre>3.2.3 规则参数说明<\/h4>



参数<\/th>
描述<\/th>
默认值<\/th>
<\/tr>
<\/thead>


--srcaddr<\/td>
源IP地址<\/td>
0.0.0.0<\/td>
<\/tr>

--srcmask<\/td>
源IP掩码<\/td>
255.255.255.255<\/td>
<\/tr>

--dstaddr<\/td>
目标IP地址<\/td>
0.0.0.0<\/td>
<\/tr>

--dstmask<\/td>
目标IP掩码<\/td>
255.255.255.255<\/td>
<\/tr>

--protocol<\/td>
协议类型<\/td>
6\/TCP<\/td>
<\/tr>

--srcport<\/td>
源端口<\/td>
0<\/td>
<\/tr>

--dstport<\/td>
目标端口<\/td>
0<\/td>
<\/tr>

--mininterval<\/td>
最小注入间隔(秒)<\/td>
60<\/td>
<\/tr>

--maxinjections<\/td>
最大注入次数<\/td>
5<\/td>
<\/tr>

--injectwindow<\/td>
注入时间窗口(秒)<\/td>
0<\/td>
<\/tr>

--checkhttp<\/td>
检查HTTP协议<\/td>
默认启用<\/td>
<\/tr>

--checkregex<\/td>
检查正则表达式<\/td>
默认启用<\/td>
<\/tr>

--tcpflag<\/td>
TCP标志位<\/td>
FIN ACK<\/td>
<\/tr>

--regexfile<\/td>
正则表达式文件<\/td>
无<\/td>
<\/tr>

--injectfile<\/td>
注入内容文件<\/td>
无<\/td>
<\/tr>
<\/tbody>
<\/table>
4. 逆向分析<\/h2>
4.1 控制端(Seconddate_CnC)分析<\/h3>
4.1.1 远控指令集<\/h4>



指令<\/th>
功能描述<\/th>
<\/tr>
<\/thead>


clearlog<\/td>
清除规则触发日志<\/td>
<\/tr>

disable [rulenum]<\/td>
关闭指定规则<\/td>
<\/tr>

enable [rulenum]<\/td>
启用指定规则<\/td>
<\/tr>

help \/ ?<\/td>
显示帮助信息<\/td>
<\/tr>

ping<\/td>
测试与受控端的连接<\/td>
<\/tr>

quit \/ exit<\/td>
退出程序<\/td>
<\/tr>

rule [rulenum] [opts...]<\/td>
配置规则<\/td>
<\/tr>

getinfo<\/td>
获取受控端基本信息<\/td>
<\/tr>

showrule [--all\/rulenum]<\/td>
显示规则详情<\/td>
<\/tr>

getlog [--log logfile] [entrynum]<\/td>
获取日志<\/td>
<\/tr>

uninstall<\/td>
卸载受控端模块<\/td>
<\/tr>
<\/tbody>
<\/table>
4.2 受控端(Seconddate_Implant)分析<\/h3>
4.2.1 网络流量嗅探机制<\/h4>

监听所有网络流量数据包<\/li>
通过协议类型匹配筛选数据包<\/li>
根据数据包载荷长度进行二次筛选<\/li>
提取特定恶意数据包进行解密处理<\/li>
<\/ul>
4.2.2 远控指令处理流程<\/h4>

接收加密UDP数据包<\/li>
执行两层解密算法提取指令<\/li>
根据指令字段执行对应操作<\/li>
<\/ol>
5. 通信数据解密分析<\/h2>
5.1 通信特征<\/h3>

使用UDP协议通信<\/li>
每个UDP载荷长度固定为1048字节<\/li>
数据全部加密<\/li>
<\/ul>
5.2 解密流程<\/h3>
5.2.1 第一层解密：异或解密<\/h4>

提取前4字节作为异或算子<\/li>
计算：v83 = 前4字节值 - 0x61E57CC6<\/code><\/li>
校验：v83 + 第5-8字节值 == 0<\/code><\/li>
对剩余数据每4字节一组进行异或解密<\/li>
<\/ol>
Go语言解密函数：<\/p>
func<\/span> BytesToInt<\/span>(bys<\/span> []byte<\/span>) int<\/span> {
<\/span><\/span>    bytebuff<\/span> :=<\/span> bytes<\/span>.NewBuffer<\/span>(bys<\/span>)
<\/span><\/span>    var<\/span> data<\/span> int32<\/span>
<\/span><\/span>    binary<\/span>.Read<\/span>(bytebuff<\/span>, binary<\/span>.BigEndian<\/span>, &<\/span>data<\/span>)
<\/span><\/span>    return<\/span> int(data<\/span>)
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>func<\/span> IntToBytes<\/span>(n<\/span> int<\/span>) []byte<\/span> {
<\/span><\/span>    data<\/span> :=<\/span> int32(n<\/span>)
<\/span><\/span>    bytebuf<\/span> :=<\/span> bytes<\/span>.NewBuffer<\/span>([]byte<\/span>{})
<\/span><\/span>    binary<\/span>.Write<\/span>(bytebuf<\/span>, binary<\/span>.BigEndian<\/span>, data<\/span>)
<\/span><\/span>    return<\/span> bytebuf<\/span>.Bytes<\/span>()
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>func<\/span> main<\/span>() {
<\/span><\/span>    hex_data<\/span>, _<\/span> :=<\/span> hex<\/span>.DecodeString<\/span>(udpdata<\/span>)
<\/span><\/span>    v83<\/span> :=<\/span> BytesToInt<\/span>(hex_data<\/span>[:4<\/span>]) -<\/span> 0x61E57CC6<\/span>
<\/span><\/span>    if<\/span> (v83<\/span> +<\/span> BytesToInt<\/span>(hex_data<\/span>[4<\/span>:8<\/span>])) !=<\/span> 0<\/span> {
<\/span><\/span>        return<\/span>
<\/span><\/span>    }
<\/span><\/span>    output<\/span> :=<\/span> []byte<\/span>{}
<\/span><\/span>    for<\/span> i<\/span> :=<\/span> 0xc<\/span>; i<\/span> < 1048<\/span>; i<\/span> = i<\/span> +<\/span> 4<\/span> {
<\/span><\/span>        aa<\/span> :=<\/span> bits<\/span>.ReverseBytes32<\/span>(uint32(BytesToInt<\/span>(hex_data<\/span>[i<\/span>:i<\/span>+<\/span>4<\/span>]))) ^ bits<\/span>.ReverseBytes32<\/span>(uint32(v83<\/span>))
<\/span><\/span>        output<\/span> = append(output<\/span>, IntToBytes<\/span>(int(bits<\/span>.ReverseBytes32<\/span>(aa<\/span>)))...<\/span>)
<\/span><\/span>    }
<\/span><\/span>    fmt<\/span>.Println<\/span>(hex<\/span>.EncodeToString<\/span>(output<\/span>))
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5.2.2 第二层解密：修改版RC6算法<\/h4>


算法特点：<\/p>

使用非标准RC6算法<\/li>
算子运算被修改<\/li>
使用0x61C88647作为RC6算法的算子<\/li>
<\/ul>
<\/li>

RC6初始化函数(Go语言实现)：<\/p>
<\/li>
<\/ol>
func<\/span> New<\/span>(key<\/span> []byte<\/span>) (cipher<\/span>.Block<\/span>, error<\/span>) {
<\/span><\/span>    skeytable<\/span> :=<\/span> make([]uint32<\/span>, 44<\/span>)
<\/span><\/span>    skeytable<\/span>[0<\/span>] = uint32(0xb7e15163<\/span>)
<\/span><\/span>
<\/span><\/span>    for<\/span> i<\/span> :=<\/span> 1<\/span>; i<\/span> < 44<\/span>; i<\/span>++<\/span> {
<\/span><\/span>        skeytable<\/span>[i<\/span>] = skeytable<\/span>[i<\/span>-<\/span>1<\/span>] -<\/span> uint32(0x61C88647<\/span>)
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    if<\/span> l<\/span> :=<\/span> len(key<\/span>); l<\/span> !=<\/span> 16<\/span> {
<\/span><\/span>        return<\/span> nil<\/span>, KeySizeError<\/span>(l<\/span>)
<\/span><\/span>    }
<\/span><\/span>    c<\/span> :=<\/span> &<\/span>rc6cipher<\/span>{}
<\/span><\/span>    const<\/span> keyWords<\/span> = 3<\/span>
<\/span><\/span>    var<\/span> L<\/span> [keyWords<\/span>]uint32<\/span>
<\/span><\/span>
<\/span><\/span>    for<\/span> i<\/span> :=<\/span> 0<\/span>; i<\/span> < keyWords<\/span>; i<\/span>++<\/span> {
<\/span><\/span>        L<\/span>[i<\/span>] = binary<\/span>.LittleEndian<\/span>.Uint32<\/span>(key<\/span>[:4<\/span>])
<\/span><\/span>        key<\/span> = key<\/span>[4<\/span>:]
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    copy(c<\/span>.rk<\/span>[:], skeytable<\/span>)
<\/span><\/span>
<\/span><\/span>    var<\/span> A<\/span> uint32<\/span>
<\/span><\/span>    var<\/span> B<\/span> uint32<\/span>
<\/span><\/span>    var<\/span> i<\/span>, j<\/span> int<\/span>
<\/span><\/span>
<\/span><\/span>    for<\/span> k<\/span> :=<\/span> 0<\/span>; k<\/span> < 3<\/span>*<\/span>roundKeys<\/span>; k<\/span>++<\/span> {
<\/span><\/span>        c<\/span>.rk<\/span>[i<\/span>] = bits<\/span>.RotateLeft32<\/span>(c<\/span>.rk<\/span>[i<\/span>]+<\/span>(A<\/span>+<\/span>B<\/span>), 3<\/span>)
<\/span><\/span>        A<\/span> = c<\/span>.rk<\/span>[i<\/span>]
<\/span><\/span>        L<\/span>[j<\/span>] = bits<\/span>.RotateLeft32<\/span>(L<\/span>[j<\/span>]+<\/span>(A<\/span>+<\/span>B<\/span>), int(A<\/span>+<\/span>B<\/span>))
<\/span><\/span>        B<\/span> = L<\/span>[j<\/span>]
<\/span><\/span>        i<\/span> = (i<\/span> +<\/span> 1<\/span>) %<\/span> roundKeys<\/span>
<\/span><\/span>        j<\/span> = (j<\/span> +<\/span> 1<\/span>) %<\/span> keyWords<\/span>
<\/span><\/span>    }
<\/span><\/span>    return<\/span> c<\/span>, nil<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
解密后的数据结构：<\/li>
<\/ol>
66b832f6    # 校验值
48dd9c90    # 校验值
00000009    # 远控指令
...         # 指令参数
<\/code><\/pre>
6. 实际数据包解密示例<\/h2>
原始数据包：<\/p>
44a06029    # 0x44a06029 - 0x61E57CC6 = 0xe2bae363
1d451c9d    # 校验: 0x1d451c9d + 0xe2bae363 = 0
632a58aa    # checksum
d32b4ffa... # 加密数据(剩余部分)
<\/code><\/pre>
第一层解密后：<\/p>
3191ac993ee855b3    # RC6算法随机IV值
f8a2b1cc05af1425... # RC6加密数据
<\/code><\/pre>
第二层解密后：<\/p>
66b832f6    # 校验值
48dd9c90    # 校验值
00000009    # 远控指令
...         # 指令参数
<\/code><\/pre>
7. 防御建议<\/h2>


网络层面：<\/p>

监控异常UDP通信(固定1048字节载荷)<\/li>
检测网络边界设备的异常行为<\/li>
<\/ul>
<\/li>

主机层面：<\/p>

检查可疑进程(Seconddate_Implant)<\/li>
监控系统异常网络嗅探行为<\/li>
<\/ul>
<\/li>

加密特征检测：<\/p>

检测使用0x61C88647作为RC6算子的加密流量<\/li>
关注使用两层加密(UDP载荷先异或后RC6)的通信<\/li>
<\/ul>
<\/li>
<\/ol>
8. 总结<\/h2>
"二次约会"间谍软件展示了NSA组织在中间人攻击方面的技术能力，其特点包括：<\/p>

隐蔽的网络流量嗅探和篡改能力<\/li>
精心设计的多层加密通信机制<\/li>
针对网络边界设备的定向攻击能力<\/li>
使用修改版加密算法增加分析难度<\/li>
<\/ul>
通过深入分析其工作原理和加密机制，可以有效检测和防御此类高级威胁。<\/p>