- 原始信息
- 功能
- 维基解密这一波公布的CIA泄露文件第三弹,名为“Marble”,其中包含反取证Marble Framework的676份源码文件,基本上就是用来隐藏CIA恶意程序真实源码的混淆工具
- 字符串/数据混淆工具——内含各种算法,主旨都是反追踪,用于阻碍取证调查人员和反病毒公司将病毒、木马和黑客攻击行为溯源到CIA身上
- 同时可植入中文、俄文、韩文、阿拉伯语和波斯语等语言,用于掩饰攻击者身份
- 参考资料
- 框架代码
- 框架使用VS工具,C++语言
- 框架结构
- Marble: A Marble is a specific algorithm that scrambles and unscrambles data.Mibster: The Mibster is the utility that does the scrambling and altering of source files. The Mibster starts by choosing a Marble (an algorithm) from the filtered list of available algroithms. The Mibster then scans the directories containing source, looking for an strings and data to scramble. The Mibster keeps a clean copy of the original source and replaces it with the scrambled versions of strings/data as well as supplies the unscramble function. The source should compile after Mibster modifies source.Mender: The Mender restores the source files to their original state. If, for any reason, the Mibster fails or breaks the code, the Meder can always restore the state to its original.Warble: A Warble is a wide-character string (wchar_t *) that needs to be scrambled by the Mibster.Carble: A Carble is a multi-byte string (char *) that needs to be scrambled by the Mibster.Validator: The Validator is a utility that takes (as an input) the receipt file generated by the Mibster. The Validator uses the receipt file to verify that all the strings intended to be scrambled are not contained in the final binary.
- 植入语言部分,有Unicode和UTF8两种编码
- 混淆的语言
- 两种混淆方式,都是随机植入
- 二进制(CARBLE)
- 文本字符串(WARBLE)
- 有阿拉伯、中文、俄罗斯文、韩文、波斯文(farsi,阿富汗、伊朗等地使用)
- 从语言内容来看,语义不明,混淆效果有限(可手动修改为有明确意义的文本)
- 阿拉伯文
- 中文无任何意义
- 俄文(但是被google检测为蒙古文,但依然翻译不出来,
- 韩文
- 波斯文
- 小结
- 混淆工具随机化植入其他国家语言文本,用于误导分析人员,但目前使用的文本语义不明,混淆效果有限
- 语言误导,个人认为关键信息替换为其他国家语言更有效果,如log输出、回传信息等
- 而且對於嚴格的溯源技術來說,需要基於多種因素來判定,僅靠Marble並不足以令經驗豐富的網路取證人員上當
- 混淆工具随机化植入其他国家语言文本,用于误导分析人员,但目前使用的文本语义不明,混淆效果有限
没有评论:
发表评论