Symbiote: Linux malware that uses eBPF and LD_PRELOAD to hide itself

Researchers from Intezer and BlackBerry have identified malware named Symbiote, which is used to inject backdoors and rootkits into compromised servers running Linux. The malware was found on the systems of financial institutions in several Latin American countries. To install Symbiote on a system, the attacker must first obtain root access, which can be achieved, for example, by exploiting an unpatched vulnerability or by compromising an account. Symbiote lets the attacker consolidate their presence on the system after the break-in in order to carry out further attacks, hide the activity of other malicious applications, and organize the interception of confidential data.

A distinctive feature of Symbiote is that it is distributed as a shared library that is loaded at the start of every process via the LD_PRELOAD mechanism and replaces some calls to the standard library. The hooked call handlers conceal activity related to the backdoor, such as excluding specific entries from the process list, blocking access to certain files in /proc, hiding files in directories, excluding the malicious shared library itself from ldd output (by hooking the execve function and inspecting calls made with the environment variable LD_TRACE_LOADED_OBJECTS), and not showing network sockets associated with the malicious activity.
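One way for a defender to spot the ldd-hiding trick described above is to compare what a process actually has mapped (/proc/<pid>/maps) with what `ldd` reports for its binary: a preloaded library that filters itself out of ldd still appears in the maps. The script below is an added example, not code from the original report; the maps and ldd excerpts are constructed, and the library path `libexample_hook.so` is a placeholder, not a real indicator.

```python
"""Flag shared objects mapped into a process that ldd does not report."""
import re

# Constructed /proc/<pid>/maps excerpt: libc, the dynamic loader, and a
# library injected via LD_PRELOAD (placeholder name, not a real IoC).
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 fd:01 131073  /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c1c0000-7f3a1c1d0000 r--p 001c0000 fd:01 131073  /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c200000-7f3a1c210000 r-xp 00000000 fd:01 262144  /usr/lib/x86_64-linux-gnu/libexample_hook.so
7f3a1c300000-7f3a1c330000 r-xp 00000000 fd:01 4096    /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0       [stack]
"""

# Constructed `ldd` output for the same binary: the hooking library has
# filtered itself out of the LD_TRACE_LOADED_OBJECTS listing.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd2a1f0000)
\tlibc.so.6 => /usr/lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1c000000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f3a1c300000)
"""


def mapped_libraries(maps_text):
    """Return the set of file-backed .so paths found in a maps listing."""
    libs = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode path
        if len(fields) == 6 and fields[5].startswith("/") and ".so" in fields[5]:
            libs.add(fields[5])
    return libs


def ldd_libraries(ldd_text):
    """Return the set of library paths that ldd reported."""
    libs = set()
    for line in ldd_text.splitlines():
        m = re.search(r"=>\s*(\S+)", line)
        if m:
            libs.add(m.group(1))
        elif line.strip().startswith("/"):  # loader line has no '=>'
            libs.add(line.split()[0])
    return libs


def hidden_from_ldd(maps_text, ldd_text):
    """Mapped libraries whose basename never appears in the ldd listing."""
    reported = {p.rsplit("/", 1)[-1] for p in ldd_libraries(ldd_text)}
    return sorted(p for p in mapped_libraries(maps_text)
                  if p.rsplit("/", 1)[-1] not in reported)


if __name__ == "__main__":
    print(hidden_from_ldd(SAMPLE_MAPS, SAMPLE_LDD))
```

Because reading /proc and running ldd on a live host go through the same hooked libc, collect the inputs with a statically linked tool or from a forensic image rather than trusting the host's own dynamic binaries.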

To protect itself against traffic analysis, Symbiote redefines the functions of the libpcap library, filters reads of /proc/net/tcp, and loads an eBPF program into the kernel that impedes the operation of traffic analyzers and drops third-party requests addressed to its own network handlers. The eBPF program is placed among the first handlers and runs at the lowest level of the network stack, which lets it hide the backdoor's network activity even from analyzers started later.

Symbiote can also bypass some file-system activity monitors, because the theft of confidential data is performed not at the level of opening files but by hooking the read operations on those files inside legitimate applications (for example, substituting library functions makes it possible to intercept a user's password entry or the loading of an access key from a file). To arrange remote login, Symbiote intercepts some PAM (Pluggable Authentication Module) calls, which allows connecting to the system via SSH with certain attacker-controlled credentials. There is also a hidden option to escalate privileges to the root user by setting the environment variable HTTP_SETHIS.


source: budenet.ru
