Ebury has been active since 2009 and has so far compromised more than four hundred thousand Linux servers.

ESET diagram showing the exchange between Ebury's operators and a honeypot

A few days ago, ESET researchers published an article addressing events linked to the "Ebury" rootkit. According to the report, Ebury has been active since 2009 and has infected more than four hundred thousand servers running Linux, along with several hundred FreeBSD, OpenBSD and Solaris-based systems. ESET reports that at the end of 2023 there were still some 110,000 servers compromised by Ebury.

This research is especially significant because of the attack on kernel.org in which Ebury was involved, as it reveals new details about the 2011 compromise of the Linux kernel development infrastructure. Beyond that, Ebury has been found on the servers of domain registrars, cryptocurrency exchanges, Tor exit nodes, and several hosting providers that are not named.

Ten years ago we raised awareness of Ebury by publishing a white paper we called Operation Windigo, which documented a campaign that leveraged Linux malware for financial gain. Today we are publishing a follow-up paper on how Ebury has evolved and on the new malware families its operators are using to monetize their botnet of Linux servers.

It was initially assumed that the attackers who compromised the kernel.org servers had gone unnoticed for seventeen days. According to ESET, however, that period was counted from the installation of the Phalanx rootkit.

That was not the case: Ebury had been present on the servers since 2009, which gave the attackers root access for about two years. Ebury and Phalanx were installed in separate attacks carried out by different groups. The Ebury backdoor affected at least four servers in the kernel.org infrastructure; two of them were compromised and went undetected for about two years, the other two for a period of four months.

The attackers are reported to have obtained the password hashes of 551 users stored in /etc/shadow, including those of kernel maintainers. These credentials were then used to gain access to Git.

After the incident, passwords were changed and the access model was reworked to rely on digital signatures. For 257 of the affected users the attackers were able to recover passwords in clear text, both by working from the hashes and by intercepting passwords used over SSH with the malicious Ebury component.

The malicious Ebury component was distributed as a shared library that hooked the functions OpenSSH uses to establish remote connections to systems with root privileges. The attack was not aimed at kernel.org specifically; rather, the compromised servers became part of a botnet used to send spam, steal credentials for other systems, redirect web traffic, and carry out other malicious activity.

The Ebury malware family itself has also been updated. The latest major version, 1.8, began appearing in late 2023. Among the changes are new obfuscation techniques, a new domain generation algorithm (DGA), and improvements to the rootkit Ebury uses to hide from system administrators. When active, it hides processes, files, sockets, and even shared memory (Figure 6).
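The two points above, a shared library hooked into OpenSSH and a rootkit that hides from administrators, suggest a simple defensive check: list the executable objects mapped into each running sshd from outside that process and flag anything the package manager cannot account for. The script below is an added illustration and is neither ESET's tooling nor Ebury code; it assumes a Debian-family host with dpkg and pgrep, and the sample maps content (including the names libhook.so.0 and /dev/shm/.x) is constructed.

```python
"""Audit executable objects mapped into running sshd processes and flag any the
package manager does not account for.  Added illustration, not ESET's tooling
and not Ebury code; the sample maps content is constructed."""
import re
import subprocess
from typing import Callable, List

_MAPS_RE = re.compile(r"^\S+\s+(\S+)\s+\S+\s+\S+\s+(\d+)\s*(.*)$")  # addr perms offset dev inode path
# Constructed sample: a clean sshd plus two objects an administrator would not expect.
SAMPLE_MAPS = (
    "55d0c2a00000-55d0c2b00000 r-xp 00000000 fd:01 4001 /usr/sbin/sshd\n"
    "7f3a1c000000-7f3a1c022000 r--p 00000000 fd:01 131074 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3a1c022000-7f3a1c1b0000 r-xp 00022000 fd:01 131074 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f3a1c400000-7f3a1c408000 r-xp 00000000 fd:01 262200 /usr/lib/x86_64-linux-gnu/libhook.so.0\n"
    "7f3a1c800000-7f3a1c801000 r-xp 00000000 00:19 8 /dev/shm/.x (deleted)\n"
    "7ffd1a000000-7ffd1a001000 r-xp 00000000 00:00 0 [vdso]\n"
)

def mapped_executable_objects(maps_text: str) -> List[str]:
    """Distinct file-backed mappings with execute permission, in map order."""
    seen: List[str] = []
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m or "x" not in m.group(1) or int(m.group(2)) == 0:
            continue  # skip non-executable, anonymous and [vdso] mappings
        if m.group(3) not in seen:
            seen.append(m.group(3))
    return seen

def dpkg_owns(path: str) -> bool:
    """True when dpkg records a package that ships this file (Debian family)."""
    real = path.replace(" (deleted)", "")
    return subprocess.run(["dpkg", "-S", real], capture_output=True).returncode == 0

def suspicious_objects(maps_text: str, is_packaged: Callable[[str], bool]) -> List[str]:
    """Objects unlinked after loading, living in scratch directories, or owned by no
    installed package; a hook under a plausible name in /usr/lib needs the package check."""
    flagged = []
    for path in mapped_executable_objects(maps_text):
        unlinked = path.endswith("(deleted)")
        scratch = path.startswith(("/tmp/", "/dev/shm/", "/var/tmp/"))
        if unlinked or scratch or not is_packaged(path):
            flagged.append(path)
    return flagged

if __name__ == "__main__":
    pids = subprocess.run(["pgrep", "-x", "sshd"], capture_output=True, text=True).stdout.split()
    for pid in pids:
        with open(f"/proc/{pid}/maps") as f:
            for obj in suspicious_objects(f.read(), dpkg_owns):
                print(f"sshd[{pid}]: unaccounted executable mapping {obj}")
```

A userland hook only changes what the hooked process itself sees, which is why reading /proc/<pid>/maps from a separate process is meaningful; once a kernel component is present the listing itself can no longer be trusted, and the check belongs on a trusted boot medium.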

To get into servers, the attackers exploited unpatched vulnerabilities in server software, such as flaws in hosting control panels, as well as compromised passwords.

It is also believed that the kernel.org servers were compromised after the password of one of the users with shell access was cracked, and that a vulnerability such as Dirty COW was used to escalate privileges.

Recent versions of Ebury are reported to include, in addition to the backdoor, several Apache httpd modules that allow traffic to be routed through a proxy, users to be redirected, and sensitive information to be captured. They also carry a kernel module for modifying HTTP traffic in transit and tools for hiding their traffic from firewalls. On top of that, they include scripts for carrying out Adversary-in-the-Middle (AitM) attacks, intercepting SSH credentials on the hosting provider's network.

Finally, if you want to learn more about it, you can consult the details at the following link.

