Ebury has been active since 2009 and has infected more than 400,000 Linux servers over that time.

ESET image showing the interaction between Ebury's operators and a honeypot

A few days ago, ESET researchers published a report covering the activity surrounding the "Ebury" rootkit. According to the report, Ebury has been active since 2009 and has infected more than 400,000 Linux servers, as well as several hundred FreeBSD, OpenBSD and Solaris-based systems. ESET reports that at the end of 2023 around 110,000 servers were still compromised by Ebury.

The study is particularly relevant because of the kernel.org attack in which Ebury was involved: it reveals new details about the 2011 compromise of the Linux kernel development infrastructure. In addition, Ebury has been identified on domain registrar servers, cryptocurrency exchanges, Tor exit nodes and numerous unnamed providers.

ESET writes: "Ten years ago we raised awareness of Ebury by publishing a white paper we called Operation Windigo, which documented a campaign that leveraged Linux malware for financial gain. Today we publish a follow-up paper on how Ebury has evolved and on the new malware families its operators use to monetize their Linux botnet."

Initially it was thought that the attackers who compromised the kernel.org servers had gone unnoticed for 17 days. According to ESET, however, that figure only counts from the installation of the Phalanx rootkit.

In reality the intrusion was far older: Ebury had been present on the servers since 2009, giving the attackers root access for about two years. Ebury and Phalanx were installed in separate attacks carried out by different groups of attackers. The Ebury backdoor was installed on at least four servers of the kernel.org infrastructure; two of them remained compromised and undetected for about two years, the other two for roughly six months.

It is reported that the attackers gained access to the password hashes of 551 users stored in /etc/shadow, including those of kernel maintainers. Those accounts were used to access Git.

After the incident, passwords were changed and the access model was updated to require digital signatures. For 257 of the affected users the attackers were able to obtain the password in clear text, presumably by cracking the hashes and by intercepting passwords used over SSH with Ebury's malicious component.

Ebury's malicious component spread as a shared library that hooks the functions OpenSSH uses to establish remote connections, on systems where it runs with root privileges. The attack was not aimed specifically at kernel.org: the affected servers simply became part of a botnet used to send spam, steal credentials for other systems, redirect web traffic and carry out other malicious actions.

The Ebury malware family itself has also been updated. A new major version, 1.8, was first seen at the end of 2023. Among the changes are new obfuscation techniques, a new domain generation algorithm (DGA) and improvements to the userland rootkit Ebury uses to hide from system administrators. When it is active, its process, file, socket and allocated memory (Figure 6) are hidden.
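The two mechanisms described above, a shared library hooked into OpenSSH and a userland rootkit that hides its process, file and memory, share a weakness: a userland rootkit can only lie to code paths it has hooked. The following is an added example (not ESET's tooling and not code from the Ebury report) of two cheap cross-checks a responder can run on a suspect host. The first compares the PIDs visible through a readdir()-based listing of /proc with PIDs found by stat()ing /proc/<pid> directly; the second parses a /proc/<pid>/maps dump and flags shared objects mapped from outside the distribution's library directories or whose backing file has been unlinked. The list of trusted directories, the sample maps dump and the library names in it are constructed for this example.

```python
"""Cross-checks for a userland (LD_PRELOAD-style) rootkit on Linux.

Added example, not code from ESET or from the Ebury report. A userland rootkit
hooks libc functions such as readdir(), so any tool that lists /proc or a
directory through libc can be lied to. Probing /proc/<pid> with stat() and
reading /proc/<pid>/maps take different code paths, which a hook may not cover.
"""
import os
import re
from typing import Iterable, List, Set

# Assumption for this example: a distribution loads shared objects only from
# these prefixes; anything mapped from elsewhere deserves a closer look.
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/")


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """PIDs a direct /proc/<pid> probe finds but a readdir()-based listing does not.
    A hook that only filters readdir() cannot hide these."""
    return set(probed) - set(listed)


def listed_pids() -> Set[int]:
    """PIDs as seen through readdir() on /proc (the hookable path)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid: int = 65536) -> Set[int]:
    """PIDs found by stat()ing /proc/<pid> directly for 1..max_pid."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(f"/proc/{pid}")
            found.add(pid)
        except FileNotFoundError:
            pass
    return found


# /proc/<pid>/maps line: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\d+\s*(.*)$")


def mapped_objects(maps_text: str) -> List[str]:
    """Unique file-backed mappings from a /proc/<pid>/maps dump, in order of appearance."""
    paths: List[str] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group(1).strip()
        if not path.startswith("/") or path in paths:
            continue  # anonymous, [heap]/[stack], or already recorded
        paths.append(path)
    return paths


def suspicious_mappings(maps_text: str, trusted_dirs=TRUSTED_DIRS) -> List[str]:
    """Shared objects mapped from outside trusted_dirs, or whose backing file was
    unlinked after loading ("(deleted)"); both are typical of an injected library."""
    flagged = []
    for path in mapped_objects(maps_text):
        if ".so" not in os.path.basename(path):
            continue  # the main executable and data files are not of interest here
        if path.endswith("(deleted)") or not path.startswith(trusted_dirs):
            flagged.append(path)
    return flagged


def preload_entries(preload_text: str) -> List[str]:
    """Libraries forced into every process via /etc/ld.so.preload.
    On a clean server this file is normally absent or empty."""
    return [line.strip() for line in preload_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


# Constructed sample maps dump of an sshd process with one library loaded from
# /tmp and one whose backing file has been deleted. Library names are invented.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0b00000 r-xp 00000000 08:01 131090    /usr/sbin/sshd
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 08:01 262401    /lib/x86_64-linux-gnu/libc.so.6
7f3a1c200000-7f3a1c210000 r-xp 00000000 08:01 262455    /lib/x86_64-linux-gnu/libexample.so.1 (deleted)
7f3a1c300000-7f3a1c310000 r-xp 00000000 08:01 917512    /tmp/.x/libhook.so
7f3a1c400000-7f3a1c421000 rw-p 00000000 00:00 0
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0          [stack]
"""

if __name__ == "__main__":
    print("sample suspicious mappings:", suspicious_mappings(SAMPLE_MAPS))
    # Live checks on the host this runs on (Linux only).
    print("hidden pids:", sorted(hidden_pids(listed_pids(), probed_pids())))
    with open("/proc/self/maps") as fh:
        print("suspicious in this process:", suspicious_mappings(fh.read()))
    try:
        with open("/etc/ld.so.preload") as fh:
            print("ld.so.preload:", preload_entries(fh.read()))
    except FileNotFoundError:
        print("ld.so.preload: absent")
```

On the sample dump the check flags the deleted library and the one under /tmp while leaving libc and sshd alone. The caveat is that these checks only catch a hook that does not cover every path: a mature userland rootkit can equally hook stat(), open() and the reads of /proc, and the page notes that Ebury hides its memory as well. Treat a clean result as weak evidence, run the script as a statically linked or freshly copied binary, and prefer inspecting the disk from rescue media, using the indicators of compromise published with the report.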

To break into servers, the attackers exploited unpatched vulnerabilities in server software, such as flaws in hosting control panels, as well as captured passwords.

In addition, the kernel.org servers are believed to have been compromised after the password of a user with shell access was stolen; for privilege escalation, Ebury's operators have used kernel vulnerabilities such as Dirty COW (CVE-2016-5195, disclosed in 2016 and therefore not available in the 2011 intrusion).

It is noted that recent versions of Ebury include, in addition to the backdoor, extra Apache httpd modules that allow traffic to be proxied, users to be redirected and confidential information to be captured. They also carry a kernel module to modify HTTP traffic in transit and tools to hide their traffic from firewalls. Finally, they include scripts for Adversary-in-the-Middle (AitM) attacks that capture SSH credentials on hosting providers' networks.

Finally, if you want to know more, you can consult the details at the following link.

