RotaJakiro: new Linux malware disguised as a system process

The 360 Netlab research lab has announced the detection of new Linux malware, codenamed RotaJakiro, which includes a backdoor implementation that allows control of the system. Attackers can install the malicious software after exploiting an unpatched vulnerability or guessing weak passwords.

The backdoor was discovered while analysing suspicious traffic from one of the system processes identified during analysis of the structure of a botnet used for DDoS attacks. Before this, RotaJakiro had gone unnoticed for three years; specifically, the first attempts to check files with the MD5 hashes matching the malware on the VirusTotal service date from May 2018.

We named it RotaJakiro based on the fact that the family uses rotating encryption and behaves differently for root / non-root accounts when running.

RotaJakiro takes care to hide its tracks, using several encryption algorithms, including: the AES algorithm to encrypt resource information inside the sample; and, for C2 communication, a combination of AES, XOR and ROTATE encryption together with ZLIB compression.

One of RotaJakiro's features is the use of different disguise techniques when running as an unprivileged user and as root. To hide its presence, the malware used the process names systemd-daemon, session-dbus and gvfsd-helper which, given how cluttered current Linux distributions are with all kinds of service processes, looked legitimate at first glance and did not arouse suspicion.

RotaJakiro uses techniques such as dynamic AES and double-layer encrypted communication protocols to resist binary and network traffic analysis.
RotaJakiro first determines at run time whether the user is root or non-root, applies a different execution policy for each kind of account, and then decrypts the relevant sensitive resources.

When run as root, the service scripts systemd-agent.conf and sys-temd-agent.service were created to activate the malware, and the malicious executable was placed under the following paths: /bin/systemd/systemd-daemon and /usr/lib/systemd/systemd-daemon (the functionality is duplicated in two files).

When running as a regular user, the autostart file $HOME/.config/au-tostart/gnomehelper.desktop was used and changes were made to .bashrc, and the executable was stored as $HOME/.gvfsd/.profile/gvfsd-helper and $HOME/.dbus/sessions/session-dbus. Both executables were launched at the same time, each one monitoring the presence of the other and restoring it if it was terminated.

RotaJakiro supports 12 functions in total, three of which relate to the execution of specific plugins. Unfortunately, we have no visibility of the plugins and therefore do not know their true purpose. From a broad backdoor perspective, the functions can be classified into the following four groups.

Report device information
Steal sensitive information
File / plugin management (check, download, delete)
Run a specific plugin

To hide the results of its activity from the outside, various encryption methods were used: for example, AES was used to encrypt its resources and to hide the communication channel with the control server, and in addition AES, XOR and ROTATE were used in combination with ZLIB compression. To receive control commands, the malware contacted 4 domains on network port 443 (the communication channel used its own protocol, not HTTPS with TLS).

The domains (cdn.mirror-codes.net, status.sublineover.net, blog.eduelects.com and news.thaprior.net) were registered in 2015 and hosted by the Kiev hosting provider Deltahost. 12 basic functions were built into the backdoor, allowing it to load and run plugins with advanced functionality, transmit device data, intercept confidential data and manage local files.
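As an added example (not code from the article or from 360 Netlab), the following POSIX shell script turns the indicators described above into a read-only check a defender can run: scan_rotajakiro looks for the file paths and service-file names given in the root and non-root persistence descriptions, and match_c2_domains filters log lines on stdin for the four C2 domains. The directories searched for the two service files are an assumption (common Upstart and systemd unit locations), since the article names only the files; the ROOT argument is added so the check can be pointed at a mounted disk image or a test directory instead of the live system.

```shell
#!/bin/sh
# Added example, not code from the article or from 360 Netlab.
# Usage: sh rotajakiro_check.sh [ROOT] [HOME]   (defaults: "/" and $HOME)

# Exact paths the article names for the root and non-root variants.
ROOT_PATHS='
/bin/systemd/systemd-daemon
/usr/lib/systemd/systemd-daemon
'
HOME_PATHS='
.config/au-tostart/gnomehelper.desktop
.gvfsd/.profile/gvfsd-helper
.dbus/sessions/session-dbus
'
# Service-file names from the article. The directories are an assumption
# (usual Upstart and systemd unit locations); the article gives no path.
UNIT_NAMES='systemd-agent.conf sys-temd-agent.service'
UNIT_DIRS='/etc/init /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system'

# C2 domains listed in the article.
C2_DOMAINS='cdn.mirror-codes.net status.sublineover.net blog.eduelects.com news.thaprior.net'

# scan_rotajakiro ROOT HOME: print one line per artifact found; always returns 0.
scan_rotajakiro() {
    root=${1%/}          # strip a trailing slash so "$root$p" is well formed
    home=${2%/}
    for p in $ROOT_PATHS; do
        [ -e "$root$p" ] && echo "file: $root$p"
    done
    for p in $HOME_PATHS; do
        [ -e "$home/$p" ] && echo "file: $home/$p"
    done
    for d in $UNIT_DIRS; do
        for n in $UNIT_NAMES; do
            [ -e "$root$d/$n" ] && echo "unit: $root$d/$n"
        done
    done
    # The non-root variant edits .bashrc; flag lines naming the hidden helpers.
    if [ -r "$home/.bashrc" ]; then
        grep -n -E 'gvfsd-helper|session-dbus' "$home/.bashrc" 2>/dev/null |
            sed "s|^|bashrc: $home/.bashrc:|"
    fi
    return 0
}

# match_c2_domains: read log or DNS lines on stdin, print those that mention
# one of the C2 domains (case-insensitive); returns 0 even when nothing matches.
match_c2_domains() {
    pattern=$(printf '%s|' $C2_DOMAINS | sed 's/\./\\./g; s/|$//')
    grep -E -i "$pattern" || true
}

found=$(scan_rotajakiro "${1:-/}" "${2:-$HOME}")
if [ -n "$found" ]; then
    printf '%s\n' "$found"
else
    echo "no listed RotaJakiro artifacts found"
fi
```

Run it as root against "/" to check the system-wide paths, and once per user home for the non-root paths; pipe firewall or DNS logs through match_c2_domains to look for contact with the listed domains on port 443.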

From a reverse-engineering perspective, RotaJakiro and Torii share similar styles: the use of encryption algorithms to hide sensitive resources, the implementation of a rather old-fashioned persistence style, structured network traffic, etc.

Finally, if you are interested in learning more about the research carried out by 360 Netlab, you can check the details at the following link.


  1.   ingcaciso said

    It doesn't explain how it is removed or how to know whether you are infected or not, which is not good for your health.

  2.   Merlin the Magician said

    Interesting article and interesting analysis in the accompanying link, but I miss a word about the infection vector. Is it a Trojan, a worm or just a virus... What should we watch out for to prevent our infection?

  3.   luyo said

    What is the difference?
    A process is already software in itself.