RotaJakiro is a new Linux malware that disguises itself as a system process

The 360 Netlab research lab has reported the discovery of new Linux malware, named RotaJakiro, which includes a backdoor implementation that lets an attacker control the system. The attackers most likely installed the malware after exploiting a vulnerability in the system or guessing weak passwords.

The backdoor was discovered during analysis of suspicious traffic from one of the system processes, which was spotted while studying the structure of a botnet used for DDoS attacks. Before this, RotaJakiro had remained undetected for three years; in particular, the first attempts to scan files whose MD5 hashes match the detected malware in the VirusTotal service date back to May 2018.

One of RotaJakiro's features is the use of different masking techniques depending on whether it runs as an unprivileged user or as root. To hide its presence, the backdoor used the process names systemd-daemon, session-dbus and gvfsd-helper, which, given how cluttered modern Linux distributions are with service processes of every kind, looked legitimate at first glance and did not arouse suspicion.

When launched with root privileges, the scripts /etc/init/systemd-agent.conf and /lib/systemd/system/systemd-agent.service were created to activate the malware, and the malicious executable itself was placed as /bin/systemd/systemd-daemon and /usr/lib/systemd/systemd-daemon (the functionality was duplicated in two files). When running as a regular user, the autostart file $HOME/.config/autostart/gnomehelper.desktop was used and changes were made to .bashrc, and the executable was saved as $HOME/.gvfsd/.profile/gvfsd-helper and $HOME/.dbus/sessions/session-dbus. Both executables were launched at the same time, each monitoring the presence of the other and restoring it if it was terminated.
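A defender-side host check for the persistence paths and process names listed above, added here as an example (it is not code from the article or from 360 Netlab). It assumes the paths and names exactly as the article gives them, and takes a filesystem root and a /proc directory as parameters so it can be pointed at a test tree; a hit is a reason to investigate, not proof of infection, and an empty result does not prove a host is clean.

```python
import os
from pathlib import Path

# File paths the article lists for root-level persistence (relative to /).
ROOT_ARTIFACTS = [
    "etc/init/systemd-agent.conf",
    "lib/systemd/system/systemd-agent.service",
    "bin/systemd/systemd-daemon",
    "usr/lib/systemd/systemd-daemon",
]
# File paths the article lists for per-user persistence (relative to $HOME).
HOME_ARTIFACTS = [
    ".config/autostart/gnomehelper.desktop",
    ".gvfsd/.profile/gvfsd-helper",
    ".dbus/sessions/session-dbus",
]
# Borrowed process names; each is <= 15 chars, so /proc/<pid>/comm holds it whole.
SUSPECT_COMM = {"systemd-daemon", "session-dbus", "gvfsd-helper"}


def user_homes(root="/"):
    """/root plus every directory under /home: the usual $HOME locations."""
    root = Path(root)
    homes = [root / "root"]
    if (root / "home").is_dir():
        homes += [d for d in (root / "home").iterdir() if d.is_dir()]
    return homes


def find_file_artifacts(root="/"):
    """Return the listed artifact paths that exist below root, sorted."""
    root = Path(root)
    hits = [root / p for p in ROOT_ARTIFACTS]
    for home in user_homes(root):
        hits += [home / p for p in HOME_ARTIFACTS]
    # lexists() also catches dangling symlinks left behind by a partial cleanup.
    return sorted(str(p) for p in hits if os.path.lexists(p))


def find_suspect_processes(proc="/proc"):
    """Return {pid: comm} for live processes using one of the borrowed names."""
    found = {}
    for entry in Path(proc).iterdir():
        if not entry.name.isdigit():
            continue  # skip /proc/self, /proc/sys and similar non-pid entries
        try:
            comm = (entry / "comm").read_text().strip()
        except OSError:
            continue  # process exited between the listing and the read
        if comm in SUSPECT_COMM:
            found[int(entry.name)] = comm
    return found
```

Run `find_file_artifacts()` and `find_suspect_processes()` with their defaults on a live host; for any process reported, compare its /proc/<pid>/exe against the package-owned binary before drawing conclusions.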

To hide the traces of its activity, the backdoor used several encryption algorithms: for example, AES was used to encrypt its resources, and a combination of AES, XOR and ROTATE together with ZLIB compression was used to conceal the communication channel with the control server.

To receive control commands, the malware contacted 4 domains over network port 443 (the communication channel used its own protocol rather than HTTPS or TLS). The domains (cdn.mirror-codes.net, status.sublineover.net, blog.eduelects.com and news.thaprior.net) were registered in 2015 and hosted by the Kyiv provider Deltahost. The backdoor integrated 12 basic functions that allowed loading and executing plugins with advanced functionality, transmitting device data, intercepting sensitive data and managing local files.

source: budenet.ru
