The FritzFrog worm has been identified: it infects servers via SSH and builds a decentralized botnet.

Guardicore, a company specializing in data center and cloud protection, has identified FritzFrog, a new sophisticated malware that targets Linux-based servers. FritzFrog combines a worm that spreads by attacking servers with an open SSH port, and components for building a decentralized botnet that operates without control nodes and has no single point of failure.

The botnet is built on a proprietary P2P protocol in which nodes interact with each other, coordinate the organization of attacks, keep the network running and monitor each other's status. New victims are found by attacking servers that accept SSH connections. When a new server is found, a dictionary of typical login and password combinations is brute-forced against it. Control can be exercised through any node, which makes it difficult to identify and block the botnet operators.

According to the researchers, the botnet already has about 500 nodes, including servers of several universities and a large railway company. The main targets of the attack are noted to be networks of educational institutions, medical centers, government agencies, banks and telecom companies. After a server is compromised, a Monero cryptocurrency mining process is set up on it. The activity of the malware in question has been tracked since January 2020.

A distinctive feature of FritzFrog is that it keeps all data and executable code only in memory. The changes on disk consist solely of adding a new SSH key to the authorized_keys file, which is later used to access the server. System files are not modified, which makes the worm invisible to systems that verify integrity using checksums. Memory also holds the dictionaries for password brute-forcing and the data for mining, which are synchronized between nodes over the P2P protocol.

The malicious components are disguised as ifconfig, libexec, php-fpm and nginx processes. Botnet nodes monitor the status of their neighbors and, if the server is rebooted or even the OS is reinstalled (provided the modified authorized_keys file was carried over to the new system), re-activate the malicious components on the host. Standard SSH is used for communication - the malware launches a local "netcat" that binds to the localhost interface and listens for traffic on port 1234, which external hosts reach through an SSH tunnel, using a key from authorized_keys to connect.


The code of the FritzFrog components is written in Go and runs in multi-threaded mode. The malware consists of several modules running in separate threads:

  • Cracker - brute-forces passwords on the attacked servers.
  • CryptoComm + Parser - sets up the encrypted P2P connection.
  • CastVotes - a mechanism for jointly selecting target hosts to attack.
  • TargetFeed - receives the list of nodes to attack from neighboring nodes.
  • DeployMgmt - the worm implementation that distributes the malicious code to a compromised server.
  • Owned - responsible for connecting to servers already running the malicious code.
  • Assemble - assembles a file in memory from separately transferred blocks.
  • Antivir - a module for suppressing competing malware; it identifies and terminates processes containing the string "xmr" that consume CPU resources.
  • Libexec - a module for mining the Monero cryptocurrency.

The P2P protocol used in FritzFrog supports about 30 commands responsible for transferring data between nodes, running scripts, transferring malware components, voting on status, exchanging logs, launching proxies, and so on. Information is transmitted over a separate encrypted channel with serialization in JSON format. Encryption uses the asymmetric AES cipher and Base64 encoding. The DH protocol (Diffie-Hellman) is used for key exchange. To determine each other's state, nodes constantly exchange ping requests.

All botnet nodes maintain a distributed database with information about attacked and compromised systems. Attack targets are synchronized across the whole botnet - each node attacks a separate target, i.e. two different botnet nodes will not attack the same host. Nodes also collect local statistics, such as free memory, uptime, CPU load and SSH login activity, and send them to their neighbors. This information is used to decide whether to start the mining process or to use the node only for attacking other systems (for example, mining is not started on heavily loaded systems or on systems with frequent administrator logins).

To detect FritzFrog, the researchers have proposed a simple shell script. Indicators of compromise include a listening socket on port 1234, the presence of the malicious key in authorized_keys (the same SSH key is installed on all nodes), and running processes named "ifconfig", "libexec", "php-fpm" or "nginx" that exist only in memory and are not backed by an executable file ("/proc/<pid>/exe" points to a deleted file). Another indicator may be traffic on network port 5555, which occurs when the malware connects to the typical pool web.xmrpool.eu while mining the Monero cryptocurrency.
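The checks above, written as an added defender-side example that is not Guardicore's published script. It looks for the four indicators named in the text: a listener on TCP port 1234, an established connection to remote port 5555, disguised processes whose /proc/<pid>/exe link points to a deleted file, and authorized_keys entries that are not on a local allowlist (the actual FritzFrog key blob is not on the page, so an allowlist of known-good keys stands in for it). The allowlist path, the `ss` column layout and all sample data are assumptions or constructed samples; each check takes its input as text so it can be exercised offline, and `scan_live` feeds it real data only when FRITZFROG_LIVE_SCAN=1.

```shell
#!/bin/sh
# Added example (not Guardicore's script): checks for the FritzFrog indicators
# described in the text. Sample inputs below are constructed, not captured.

# has_socket STATE COLUMN PORT SS_OUTPUT: true if any line of `ss -nt`-style
# output has $1 == STATE and the address in COLUMN ending in ":PORT".
has_socket() {
    printf '%s\n' "$4" | awk -v st="$1" -v col="$2" -v re=":$3\$" \
        '$1 == st && $col ~ re { f = 1 } END { exit !f }'
}

# Listener on 1234: the local "netcat" described above (column 4 = local address).
fritzfrog_listener() { has_socket LISTEN 4 1234 "$1"; }

# Established connection to port 5555: mining-pool traffic (column 5 = peer address).
xmr_pool_conn() { has_socket ESTAB 5 5555 "$1"; }

# deleted_exe_procs "PID COMM EXE" lines: print PIDs whose name is one of the
# four disguises and whose exe link ends in "(deleted)" (memory-only binary).
deleted_exe_procs() {
    printf '%s\n' "$1" | awk \
        '$2 ~ /^(ifconfig|libexec|php-fpm|nginx)$/ && $0 ~ /\(deleted\)$/ { print $1 }'
}

# unexpected_keys AUTHORIZED_KEYS_TEXT ALLOWLIST_TEXT: print "type comment" for
# every key whose base64 blob is not an exact line of the allowlist.
unexpected_keys() {
    printf '%s\n' "$1" | while read -r ktype kblob kcomment; do
        case "$ktype" in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$2" | grep -qxF -- "$kblob"; then
            printf '%s %s\n' "$ktype" "${kcomment:-(no comment)}"
        fi
    done
}

# Live collection of "PID COMM EXE" lines from /proc (used only by scan_live).
collect_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || exe="(unreadable)"
        printf '%s %s %s\n' "$pid" "$comm" "$exe"
    done
}

scan_live() {
    # Assumed allowlist location: one known-good key blob per line.
    allow=${FRITZFROG_ALLOWLIST:-/etc/ssh/authorized_keys.allowlist}
    sockets=$(ss -ntl 2>/dev/null) && fritzfrog_listener "$sockets" \
        && echo "WARN: listener on TCP 1234"
    conns=$(ss -nt 2>/dev/null) && xmr_pool_conn "$conns" \
        && echo "WARN: established connection to port 5555"
    pids=$(deleted_exe_procs "$(collect_procs)")
    [ -n "$pids" ] && echo "WARN: disguised processes with deleted exe: $pids"
    for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -r "$f" ] && [ -r "$allow" ] || continue
        bad=$(unexpected_keys "$(cat "$f")" "$(cat "$allow")")
        [ -n "$bad" ] && echo "WARN: $f has keys not on allowlist: $bad"
    done
}

# Constructed samples (not from a real host) for offline checks.
SS_LISTEN_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:1234     0.0.0.0:*'
SS_LISTEN_CLEAN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SS_CONN_SAMPLE='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0      0      10.0.0.5:41022     203.0.113.9:5555'
PROC_SAMPLE='812 nginx /usr/sbin/nginx
2231 ifconfig /tmp/.x/ifconfig (deleted)
2240 sshd /usr/sbin/sshd
2255 libexec /dev/shm/libexec (deleted)'
AK_SAMPLE='ssh-ed25519 AAAAC3KnownAdminKeyBlob admin@example.org
ssh-rsa AAAAB3UnknownKeyBlob'
ALLOW_SAMPLE='AAAAC3KnownAdminKeyBlob'

if [ "${FRITZFROG_LIVE_SCAN:-0}" = 1 ]; then scan_live; fi
```

Run it as `FRITZFROG_LIVE_SCAN=1 sh fritzfrog-check.sh` on a host to be inspected; without the variable it only defines the functions and samples. A listener on 1234 or a deleted-exe process alone is not proof of infection (other software can legitimately run from unlinked binaries), so treat a hit as a trigger for a memory capture of the flagged PID rather than as a verdict.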

source: budenet.ru
