RotaJakiro: new Linux malware disguised as a system process

The 360 Netlab research lab has announced the identification of new Linux malware, codenamed RotaJakiro, which includes a backdoor implementation that allows control of the system. Attackers could install the malicious software after exploiting unpatched vulnerabilities in the system or guessing weak passwords.

The backdoor was discovered while analyzing suspicious traffic from one of the system processes identified during the analysis of the structure of a botnet used for DDoS attacks. Before that, RotaJakiro went unnoticed for three years; in particular, the first attempts to check files whose MD5 hashes match the detected malware on the VirusTotal service date back to May 2018.

We named it RotaJakiro based on the fact that the family uses rotating encryption and behaves differently for root/non-root accounts when running.

RotaJakiro pays great attention to hiding its traces, using multiple encryption algorithms, including: the AES algorithm to encrypt the resource information inside the sample; and C2 communication using a combination of AES, XOR and ROTATE encryption together with ZLIB compression.

One of the features of RotaJakiro is the use of different masking techniques when running as an unprivileged user and as root. To hide its presence, the malware used the process names systemd-daemon, session-dbus and gvfsd-helper, which, given the clutter of modern Linux distributions with all kinds of service processes, looked legitimate at first glance and did not arouse suspicion.

RotaJakiro uses techniques such as dynamic AES and double-layer encrypted communication protocols to resist binary and network traffic analysis. At run time, RotaJakiro first determines whether the user is root or non-root, applies a different execution policy for each kind of account, and then decrypts the relevant sensitive resources.

When running as root, the service scripts systemd-agent.conf and sys-temd-agent.service were created to launch the malware, and the malicious executable was placed at the following paths: /bin/systemd/systemd-daemon and /usr/lib/systemd/systemd-daemon (the functionality is duplicated in two files).

When running as a regular user, the autorun file $HOME/.config/au-tostart/gnomehelper.desktop was used and changes were made to . . Both executable files were launched at the same time, each monitoring the existence of the other and restoring it if it was terminated.

RotaJakiro supports a total of 12 functions, three of which are related to the execution of specific plugins. Unfortunately, we have no visibility of the plugins and therefore do not know their true purpose. From a broad backdoor perspective, the features can be grouped into the following four categories.

Report device information
Steal sensitive information
File/plugin management (check, download, delete)
Run a specific plugin

To hide the results of its activity, the backdoor uses several encryption techniques: for example, AES is used to encrypt its resources and to hide the communication channel with the control server, on top of which AES, XOR and ROTATE are combined with ZLIB compression. To receive control commands, the malware contacted 4 domains over network port 443 (the communication channel used its own protocol, not HTTPS or TLS).

The domains (cdn.mirror-codes.net, status.sublineover.net, blog.eduelects.com and news.thaprior.net) were registered in 2015 and hosted by the Kiev hosting provider Deltahost. The 12 basic functions built into the backdoor allow it to load and run add-ons with advanced functionality, transmit device data, obtain sensitive data and manage local files.
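A defender-side triage of the indicators the article quotes (the three process names, the two root-level binary paths, the persistence file names and the four C2 domains), as an added example that is not 360 Netlab's code: it assumes simplified BIND-style DNS query lines, and every process, path and log sample in it is constructed.

```python
"""Triage the RotaJakiro indicators quoted in the article (process names,
root binary paths, persistence file names, C2 domains). Added example, not
360 Netlab's code; the DNS line format is simplified and all samples are constructed."""
import posixpath
import re

# Indicators exactly as given in the article.
PROCESS_NAMES = {"systemd-daemon", "session-dbus", "gvfsd-helper"}
ROOT_BINARIES = {"/bin/systemd/systemd-daemon", "/usr/lib/systemd/systemd-daemon"}
PERSISTENCE_NAMES = {"systemd-agent.conf", "sys-temd-agent.service", "gnomehelper.desktop"}
C2_DOMAINS = {"cdn.mirror-codes.net", "status.sublineover.net",
              "blog.eduelects.com", "news.thaprior.net"}
DNS_QUERY = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})#\d+.*?query: (\S+) IN")

def triage_processes(procs):
    """procs: (name, exe) pairs from /proc/<pid>/comm and /proc/<pid>/exe. A binary at
    one of the article's root paths is the strongest signal; a bare name match is weaker,
    but none of these three names belongs to a stock systemd/dbus/gvfs binary."""
    hits = []
    for name, exe in procs:
        if exe in ROOT_BINARIES:
            hits.append((name, exe, "binary at known RotaJakiro root path"))
        elif name in PROCESS_NAMES:
            hits.append((name, exe, "process name used by RotaJakiro"))
    return hits

def triage_paths(paths):
    """Flag the persistence files by basename, wherever they were dropped."""
    return [p for p in paths if posixpath.basename(p) in PERSISTENCE_NAMES]

def triage_dns(lines):
    """Return (client_ip, qname) for lookups of the C2 domains or their subdomains."""
    hits = []
    for line in lines:
        m = DNS_QUERY.search(line)
        qname = m.group(2).lower().rstrip(".") if m else ""
        if any(qname == d or qname.endswith("." + d) for d in C2_DOMAINS):
            hits.append((m.group(1), qname))
    return hits

# Constructed samples; real input is a /proc walk, a filesystem walk and the resolver log.
SAMPLE_PROCS = [("systemd-journald", "/usr/lib/systemd/systemd-journald"),
                ("systemd-daemon", "/usr/lib/systemd/systemd-daemon"),
                ("session-dbus", "/home/alice/.cache/session-dbus")]
SAMPLE_PATHS = ["/etc/systemd/system/sys-temd-agent.service",
                "/home/alice/.config/au-tostart/gnomehelper.desktop", "/etc/systemd/system/ssh.service"]
SAMPLE_DNS = ["client 10.0.0.5#51234: query: cdn.mirror-codes.net. IN A + (10.0.0.2)",
              "client 10.0.0.7#40001: query: deb.debian.org IN A + (10.0.0.2)"]
if __name__ == "__main__":
    for hit in triage_processes(SAMPLE_PROCS) + triage_paths(SAMPLE_PATHS) + triage_dns(SAMPLE_DNS):
        print(hit)
```

A name-only match is reported separately from a path match so that an analyst can rank the findings before acting on them.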

From a reverse-engineering perspective, RotaJakiro and Torii share similar styles: the use of encryption algorithms to hide sensitive resources, a rather old-fashioned persistence implementation, structured network traffic, and so on.

Finally, if you are interested in learning more about the research carried out by 360 Netlab, you can check the details at the following link.



  1.   ignorance says

    You don't explain how it is removed or how to know whether or not we have this virus, which is dangerous to one's health.

  2.   Merlin the Wizard says

    Interesting article and interesting analysis in the accompanying link, but I miss a word about the infection vector. Is it a Trojan, a worm or just a virus?… What should we watch out for to avoid getting infected?

  3.   luix says

    What's the difference?
    systemd itself is already malware..