guardcore (gore uye data centre chengetedzo kambani) yaona malware matsva high-tech, inonzi "FritzFrog", iyo inobata maseva-based Linux. FritzFrog inosanganisa honye iyo iri kupararira kuburikidza nechisimba chisimba kurwisa pane maseva ane yakavhurika SSH chiteshi uye zvikamu kuvaka botnet yakasarudzika Inoshanda isina maodhi ekudzivirira uye haina kana poindi imwe yekutadza.
Sekureva kwevaongorori. iyo botnet yatove nenharaunda dzinosvika mazana mashanu, kusanganisira maseva kubva kumayunivhesiti akati wandei uye nekambani huru yezvitima. Iyo peculiarity yeFritzFrog ndeyekuti inochengeta rese data uye inoitisa kodhi chete mundangariro.
Shanduko kudiski bika pasi kungo wedzera kiyi nyowani yeSSH kune iyo Authorized_keys faira, iyo inozoshandiswa kuwana sevha.
Mafaira eSystem anoramba asina kuchinjika, achipa iyo honye isingaonekwe kumasystem anoratidza kutendeka kwecheksamu. Iyo ndangariro inewo maduramazwi ehuchaga simba mapassword nedata remigodhi, ayo akawiriraniswa pakati penzvimbo uchishandisa P2P protocol.
Zvinhu zvakashata zvakavharwa pasi pe "ifconfig", "libexec", "php-fpm" uye "nginx" maitiro.
Botnet node dzinoongorora hutano hwevavakidzani, uye kana server ikatangazve kana kunyangwe iyo yekushandisa system kudzoreredza (kana iyo yakagadziriswa yakagamuchirwa_keys faira raendeswa kune iyo nyowani sisitimu), ivo vanomutsiridza zvakashata zvinhu pamubati.
Zvekutaurirana, yakajairwa SSH inoshandiswa: iyo malware inotangisawo yemuno "netcat" iyo inobatana neiyohosthost interface uye inoteerera traffic pane chiteshi 1234, iyo inowana node dzekunze kuburikidza neSSH tunnel, uchishandisa iyo inobvumidzwa_kiyi kiyi yekubatanidza.
Malware inosanganisira akati wandei ma module anomhanya pane dzakasiyana tambo:
- Cracker- Shandisa mapassword akasvibika pamaseva akarwiswa.
- CryptoComm + Parser- Ronga yakavharidzirwa P2P kubatana.
- Mavhoti iyo nzira yekusangana kwekubatana kweanotarisirwa mauto ekurwisa.
- TargetFeed: tora runyorwa rwema node ekurwisa kubva kunzvimbo dzakavakidzana.
- DeployMgmt: iko kuita kwehonye inoparadzira kodhi yakaipa kune server yakanganisa.
- Akapiwa- Iri basa rekubatanidza kumaseva ari kutotanga kumhanyisa kodhi.
- batanidza- Unganidza faira mundangariro kubva pamatanho akatamisirwa akapatsanurwa.
- antivirus- Module yekudzvinyirira mukwikwidzi malware, inoona uye inouraya maitiro netambo "xmr" inodya CPU zviwanikwa.
- Libexec: iri module yekuchera Monero cryptocurrencies.
Iyo P2P protocol inoshandiswa muFritzFrog inotsigira kwakatenderedza makumi matatu emirairo inotarisira kuendesa data pakati penzvimbo, kutanga magwaro, kuendesa malware, nzvimbo yekuvhota, kuchinjana matanda, kutanga proxy, nezvimwe.
Ruzivo rwunopfuudzwa kuburikidza neyakavanzika nzira yakamira ine serialization muJSON fomati. Zvekunyorera, AES asymmetric encryption uye Base64 encoding zvinoshandiswa. Iyo DH (Diffie-Hellman) protocol inoshandiswa kuchinjana kiyi. Kuti uone mamiriro, iwo maodhi anogara achichinjana zvikumbiro zveping.
Ese botnet node anochengetedza dhatabhesi yakaparadzirwa neruzivo nezve akarwiswa uye akanganisa masisitimu.
Kurwisa zvinangwa zvinoenderana pane iyo yose botnet- Node yega yega inorwisa chakanangana chakatarwa, ndiko kuti, maviri akasiyana mabhotnet node haazorwisi imwechete
Node ivo zvakare vanounganidza nekuendesa manhamba emunharaunda kuvavakidzani, senge yemahara memory saizi, yekukwira, CPU mutoro, uye SSH yekupinda chiitiko.
Ruzivo urwu yaishandiswa kusarudza kuti yotanga nzira yekuchera here kana kushandisa kodhi chete kurwisa mamwe masisitimu (Semuenzaniso, kuchera hakutangi pane akaremerwa masystem kana masystem ane anowanzo maneja ekubatanidza).
Vatsvakurudzi ndatsvaga yakapfava script script kuti uone FritzFrog.
Kuti uone kana sisitimu yakakuvadzwa, zviratidzo zvakaita sekuvapo kwekuteerera chinongedzo pachiteshi 1234, kuvapo kwekiyi yakaipa mumakiyi anotenderwa (iyo imwechete SSH kiyi yakaiswa pane ese maodhi), uye kuvepo kwemaitiro mukuita "ifconfig", "libexec", "php-fpm" mundangariro uye "nginx" izvo zvisina zvine chinobatanidza executable ("/ proc / / exe »achinongedzera kure faira).
Kuvapo kwetraffic padandemutande chiteshi 5555, inoitika kana malware ikawana chaiyo webhu.xmrpool.eu dziva uku uchichera Monero cryptocurrency, inogona zvakare kushanda sechiratidzo.