RotaJakiro: nyowani Linux malware yakavanzwa se systemd maitiro

 

360 Netlab Research Lab Yakaziviswa kuzivikanwa kweye malware nyowani yeLinux, codenamed RotaJakiro uye izvo zvinosanganisira iko kwekunze kuita iyo inobvumira kudzora iyo system. Vanorwisa vanogona kunge vakaisa software yakaipa mushure mekushandisa kusagadzikana kusagadziriswa musystem kana kufungidzira mapassword asina kusimba.

Imba yekumashure yakawanikwa panguva yekufungidzira kwekufamba kwemigwagwa yeimwe yemaitiro ehurongwa anoonekwa panguva yekuongororwa kweiyo botnet chimiro chinoshandiswa pakurwiswa kweDDoS. Izvi zvisati zvaitika, RotaJakiro yakaenda isingazivikanwe kwemakore matatu, kunyanya, kuyedza kwekutanga kuongorora mafaera ne MD5 hashes pane iyo VirusTotal sevhisi inoenderana yakaona malware musi waMay 2018.

Takatumidza zita rekuti RotaJakiro zvichibva nenyaya yekuti mhuri inoshandisa kutenderera kunyorera uye inoita zvakasiyana kubva kumidzi / isiri midzi midzi painomhanya.

RotaJakiro anonyatso tarisisa kuviga ayo maratidziro, achishandisa akawanda encryption algorithms, kusanganisira: kushandisa iyo AES algorithm kunyorera ruzivo rwekushandisa mukati meiyo sampuli; C2 kutaurirana uchishandisa mubatanidzwa weAES, XOR, ROTATE encryption, uye ZLIB compression.

Imwe yehunhu hweRotaJakiro mashandisirwo enzira dzakasiyana dzekuzevha kana uchimhanya semusina kusununguka mushandisi uye mudzi. Kuvanza huvepo hwako, iyo malware yakashandisa maitiro maitiro systemd-daemon, musangano-dbus uye gvfsd-mubatsiri, iyo, yakapihwa kuunganidzwa kwemazuvano ekuparadzirwa kweLinux nemhando dzese dzehurongwa hwekushandira, yaitaridzika kunge yakatendeseka pakutanga uye haina kumutsa kunyumwa.

RotaJakiro anoshandisa matekiniki senge anesimba AES, maviri-maseru akavharidzirwa manyorerwo ekutaurirana kurwisa mabhinari uye network traffic kuongorora.
RotaJakiro anotanga kuona kana mushandisi ari mudzi kana asiri mudzi panguva yekumhanya, aine akasiyana maitiro ekuuraya maakaundi akasiyana, obva aburitsa zvirevo zvine hungwaru.

Kana ichimhanya semidzi, iyo systemd-mumiririri.conf uye sys-temd-mumiriri.service zvinyorwa zvakagadzirwa kuti zviise malware uye yakaipa yaigona kuitwa yaive mukati medzira dzinotevera: / bin / systemd / systemd -daemon uye / usr / lib / systemd / systemd-daemon (mashandiro akaitwa mumafaira maviri).

Nguva painomhanya seyakajairika mushandisi iyo autorun faira yakashandiswa $ HOME / .config / au-tostart / gnomehelper.desktop uye shanduko dzakaitwa ku .bashrc, uye faira rinobatika rakachengetwa se $ HOME / .gvfsd / .profile / gvfsd-mubatsiri uye $ HOME / .dbus / sessions / session -dbus. Ese ari maviri mafaera aiburitswa akavhurwa panguva imwe chete, imwe neimwe yaitarisa kuvepo kweimwe uye kuidzosera kana ikadzima.

RotaJakiro inotsigira anokwana gumi nemaviri mashandiro, matatu acho ane hukama nekuitwa kwemamwe plugins. Nehurombo, isu hatina kuoneka kwemapulagi uye nekudaro hatizive chinangwa chavo chechokwadi. Kubva pane yakatarisa hatchback maonero, maficha anogona kuiswa muzvikamu zvina zvinotevera.

Rondedzera ruzivo rwechigadzirwa
Kuba ruzivo rwakashata
Faira / plugin manejimendi (tarisa, kurodha pasi, kudzima)
Kumhanya chaiyo plugin

Kuvanza mhedzisiro yezviitiko zvayo paseri kwemusuwo, akasiyana encryption algorithms akashandiswa, semuenzaniso, AES yaishandiswa kunyorera zviwanikwa zvayo uye kuviga chiteshi chekutaurirana neanodzora server, kuwedzera pakushandiswa kweAES, XOR uye ROTATE mukati kusanganiswa nekumanikidza uchishandisa ZLIB. Kuti ugamuchire mirairo yekudzora, iyo malware yakawana madomeni mana kuburikidza netiweki chiteshi 4 (chiteshi chekutaurirana chakashandisa protocol yayo, kwete HTTPS neTLS).

Iwo madomains (cdn.mirror-codes.net, status.sublineover.net, blog.eduelects.com, uye news.thaprior.net) zvakanyoreswa muna2015 uye zvakaitirwa neKiev inomubata mupi weDeltahost. Gumi nemaviri ekutanga mabasa akabatanidzwa mukati memusuwo wekumashure, uchibvumidza iwe kurodha uye kumhanyisa mapulagi neepamberi mashandiro, chinja dhata yedhata, gamuchira zvakavanzika dhata uye gadzirisa mafaira emuno.

Kubva pane yekumberi mainjiniya maonero, RotaJakiro naTorii vanogovana zvitaera zvakafanana: kushandiswa kwecryption algorithms yekuvanza zviwanikwa zvine hunyanzvi, kuitiswa kwechimiro chekare-chekare kushingirira, dhizaini yeneti traffic, nezvimwe.

Finalmente kana iwe uchifarira kudzidza zvakawanda nezve tsvagiridzo yakaitwa ne360 Netlab, unogona kutarisa ruzivo nekuenda kunotevera chinongedzo.


Izvo zviri muchinyorwa zvinoomerera pamisimboti yedu ye tsika dzekunyora. Kuti utaure chikanganiso tinya pano.

Makomendi gumi, siya zvako

Siya yako yekutaura

Your kero e havazobvumirwi ichibudiswa.

*

*

  1. Inotarisira data: AB Internet Networks 2008 SL
  2. Chinangwa cheiyo data: Kudzora SPAM, manejimendi manejimendi.
  3. Legitimation: Kubvuma kwako
  4. Kutaurirana kwedata
  5. Dhata yekuchengetedza: Dhatabhesi inobatwa neOccentus Networks (EU)
  6. Kodzero: Panguva ipi neipi iwe unogona kudzora, kupora uye kudzima ruzivo rwako

  1.   kusaziva akadaro

    Usatsanangure kuti inobviswa sei kana kuti ungaziva sei kuti tine hutachiona here kana kuti kwete, zvinova zvakaipira hutano.

  2.   Merlin N'anga akadaro

    Chinyorwa chinonakidza uye ongororo inonakidza muiyi link inoenda nayo, asi ini ndinoshaya izwi nezvehutachiona vector. Ndiyo Trojan, honye here kana kuti hutachiona chete?… Ndezvipi zvatinofanira kungwarira nezvazvo kuti tidziviriri hutachiona?

  3.   luix akadaro

    Uye ndeupi musiyano?
    Payo pachayo systemd yatove malware ..

bool (chokwadi)