RotaJakiro: a new Linux malware that disguises itself as a system process

Researchers at Netlab 360 have announced the identification of a new malware for Linux, codenamed RotaJakiro, which implements a backdoor that allows control of the system. Attackers can install the malicious software after exploiting an unpatched vulnerability in the system or guessing weak passwords.

The backdoor was discovered while analysing suspicious traffic from one of the system processes identified during the study of the structure of a botnet used for DDoS attacks. Before this, RotaJakiro had gone unnoticed for three years; in particular, the first attempts to check files whose MD5 hashes match the identified malware on the VirusTotal service date back to May 2018.

We named it RotaJakiro based on the fact that the family uses rotate encryption and behaves differently from root/non-root accounts when executing.

RotaJakiro pays close attention to hiding its traces, using multiple encryption algorithms, including: use of the AES algorithm to encrypt the resource information within the sample; C2 communication using a combination of AES, XOR and ROTATE encryption, and ZLIB compression.

One of RotaJakiro's characteristics is the use of different masking techniques depending on whether it runs as an unprivileged user or as root. To hide its presence, the malware used the process names systemd-daemon, session-dbus and gvfsd-helper which, given the abundance of service processes of every kind in modern Linux distributions, look legitimate at first glance and do not raise suspicion.

RotaJakiro uses techniques such as dynamic AES and double-layer encrypted communication protocols to counter binary and network traffic analysis.
RotaJakiro first determines whether the user is root or non-root at runtime, with different execution policies for different accounts, and then decrypts the relevant sensitive resources.

When run as root, the scripts systemd-agent.conf and sys-temd-agent.service were created to activate the malware, and the malicious executable was placed in the following paths: /bin/systemd/systemd-daemon and /usr/lib/systemd/systemd-daemon (the functionality is duplicated in two files).

When run as a regular user, on the other hand, the autorun file $HOME/.kon-dbus is used. Both executable files are launched at the same time, and each one monitors the presence of the other and restores it if it is terminated.

RotaJakiro supports a total of 12 functions, three of which are related to the execution of specific plugins. Unfortunately, we have no visibility into the plugins and therefore do not know their true purpose. From a broad backdoor perspective, the features can be grouped into the following four categories.

Report device information
Steal sensitive information
File/plugin management (check, download, delete)
Run a specific plugin

To hide the results of its activity, the backdoor uses various encryption algorithms: for example, AES is used to encrypt its resources, and the communication channel with the control server is protected with a combination of AES, XOR and ROTATE together with ZLIB compression. To receive control commands, the malware contacts 4 domains over network port 443 (the communication channel uses its own protocol, not HTTPS or TLS).

The domains (cdn.mirror-codes.net, status.sublineover.net, blog.eduelects.com and news.thaprior.net) were registered in 2015 and are hosted by the Kiev hosting provider Deltahost. 12 basic functions are built into the backdoor, which allow plugins with advanced functionality to be loaded and run, device data to be transmitted, sensitive data to be intercepted, and local files to be managed.
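As an added example (not code from the Netlab report or from this article), the following POSIX shell function checks a host for the indicators the article names: the two root persistence paths, the three disguised process names and the four C2 domains. It assumes a saved process listing (for example from `ps -eo args`) and a saved DNS or proxy log as inputs; the ROOT argument is an assumption that lets the same check run against a constructed test tree instead of "/".

```shell
#!/bin/sh
# Added example, not part of the original article: a host check for the
# RotaJakiro indicators listed in the text. Values below are taken from the
# article; the file/argument layout is an assumption of this example.
ROTA_PATHS="bin/systemd/systemd-daemon usr/lib/systemd/systemd-daemon"
ROTA_PROCS="systemd-daemon session-dbus gvfsd-helper"
ROTA_DOMAINS="cdn.mirror-codes.net status.sublineover.net blog.eduelects.com news.thaprior.net"

# rota_check ROOT PSFILE DNSFILE
#   ROOT    filesystem root to inspect ("/" on a live host, a temp tree for testing)
#   PSFILE  text file with one process command line per line (e.g. ps -eo args)
#   DNSFILE text file with resolver/proxy log lines
# Prints one line per indicator found; exits 0 when clean, 1 when anything matched.
rota_check() {
  root="${1:-/}"; psfile="$2"; dnsfile="$3"; hits=0
  [ -r "$psfile" ] || psfile=/dev/null
  [ -r "$dnsfile" ] || dnsfile=/dev/null

  # Persistence: the article places the root-mode binary at these two paths.
  # Neither exists on a stock system (systemd ships no file named systemd-daemon).
  for p in $ROTA_PATHS; do
    if [ -e "$root/$p" ]; then echo "FILE $root/$p"; hits=$((hits+1)); fi
  done

  # Masquerading: fixed-string match on the disguised names. Legitimate
  # "dbus-daemon --session" or "gvfsd-fuse" lines do not contain these strings.
  for n in $ROTA_PROCS; do
    if grep -qF -- "$n" "$psfile"; then echo "PROC $n"; hits=$((hits+1)); fi
  done

  # C2: the backdoor talks to these domains on port 443 with its own protocol,
  # so a TLS inspection log will not help; DNS or proxy logs will.
  for d in $ROTA_DOMAINS; do
    if grep -qF -- "$d" "$dnsfile"; then echo "DNS $d"; hits=$((hits+1)); fi
  done

  [ "$hits" -eq 0 ]
}
```

On a live host: `ps -eo args > /tmp/ps.txt` and then `rota_check / /tmp/ps.txt /path/to/dns.log`; a non-zero exit means at least one indicator was present and the printed lines say which.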

From an engineering perspective, RotaJakiro and Torii share a similar style: the use of encryption algorithms to hide sensitive resources, the implementation of a rather old-fashioned persistence style, structured network traffic, and so on.

Finally, if you are interested in learning more about the research published by 360 Netlab, you can check the details by going to the following link.


  1.   Misunderstood said

    They don't explain how it is removed or how to know whether we are infected or not, which is not good for one's health.

  2.   Merlin the Wizard said

    Interesting article and interesting research in the link that accompanies it, but I missed a word about the infection vector. Is it a Trojan, a worm or just a virus?... What should we watch out for to avoid getting infected?

  3.   lux said

    And what's the difference?
    systemd itself is already malware...