China's release 丨 Analysis report reveals details of the U.S. cyber weapon used in the attack on Northwestern Polytechnical University

Author: China Net  Time: 2022.09.13

China Net, September 13 News: On the 13th, the National Computer Virus Emergency Response Center released the "Analysis Report on the U.S. NSA Cyber Weapon 'Tea Drinking'". According to the report, while investigating the overseas cyber attack on Northwestern Polytechnical University, the Center found the U.S. National Security Agency (NSA) cyber weapon "tea drinking" (which the NSA itself names "SuctionChar") on the university's network server equipment.

The National Computer Virus Emergency Response Center, together with Beijing Qi An Pangu Lab, conducted a technical analysis of the cyber weapon. The analysis showed it to be a sniffing and credential-stealing weapon aimed mainly at Unix/Linux platforms, whose primary function is to steal the remote-access account passwords held on the target host.

Technical analysis and research found that this cyber weapon targets Unix/Linux platforms and works in coordination with other cyber weapons. By pushing a configuration file, the attacker can direct the malware to carry out specific credential-theft tasks: it captures a range of user names and passwords, including SSH, Telnet, FTP and other remote-service login credentials, and, depending on the configuration, can also steal user name and password information stored in other locations.

The cyber weapon contains multiple components, including an "Authenticate" (validation) module, a "Decrypt" module, a "Decode" module, a "Configuration" module and an "Agent" (spy) module. During analysis two further modules were found: a configuration-file generation module and a guardian module. The configuration-file generation module appears to generate temporary INI configuration files, and the guardian module shares a high degree of code similarity with the spy module, which suggests it is a variant built for different versions of the operating system.

The technical analysis team believes that "tea drinking" is sophisticated and highly modular, supports multi-threading, and adapts to a wide range of operating-system environments, including FreeBSD, Sun Solaris and Linux distributions such as Debian, Red Hat, CentOS and Ubuntu, reflecting advanced software engineering capabilities. "Tea drinking" is also highly open, and can be effectively integrated and linked with other cyber weapons. It uses encryption and verification to strengthen its own security and concealment. Besides extracting information such as login user names and passwords, it could in theory be used to extract any information the operator wants. It is a powerful cyber weapon with advanced functionality and strong concealment.

In this attack on Northwestern Polytechnical University, the NSA's Office of Tailored Access Operations (TAO) used "tea drinking" as a sniffing and credential-stealing tool, implanting it in the university's internal network servers to steal the passwords of remote management and remote file transfer services such as SSH, Telnet, FTP and SCP. With these credentials it obtained access to other servers in the internal network, moved laterally within it, and delivered further sniffing, persistent-control and covert trace-removal cyber weapons to other high-value servers, causing large-scale and persistent theft of sensitive data. As the investigation deepened, the technical team also found traces of "tea drinking" attacks at institutions other than Northwestern Polytechnical University, which makes it likely that TAO has used "tea drinking" to launch large-scale cyber attack activities against China.

- END -
