Simbiote is Linux malware that uses eBPF and LD_PRELOAD to hide

Researchers from Intezer and BlackBerry have discovered malware codenamed Simbiote, which is used to inject backdoors and rootkits into compromised servers running Linux. The malware was detected on the systems of financial institutions in several Latin American countries. To install Simbiote on a system, the attacker must already have root access, which could be obtained, for example, by exploiting unpatched vulnerabilities or by using leaked credentials. Simbiote lets the attacker consolidate a presence on the system after a break-in in order to carry out further attacks, hide the activity of other malicious applications, and organize the interception of confidential data.

A distinctive feature of Simbiote is that it is distributed as a shared library that is loaded at the start of every process via the LD_PRELOAD mechanism and replaces some calls to the standard library. The spoofed call handlers hide backdoor-related activity: they exclude specific entries from the process list, block access to certain files in /proc, hide files in directory listings, exclude the malicious library from ldd output (by hijacking the execve function and checking for calls made with the LD_TRACE_LOADED_OBJECTS environment variable), and omit the network sockets associated with the malicious activity.
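Because an LD_PRELOAD library can only interpose libc symbols such as readdir(), one way a defender can spot the process hiding described above is to compare what libc reports with what the kernel returns to a direct getdents64 syscall. The script below is an added example written for this page, not code from the article, from Intezer/BlackBerry, or from the malware itself; it assumes a Linux host on x86_64 or aarch64 (the syscall numbers 217 and 61), and the PIDs in its sample buffer are constructed.

```python
"""Cross-view check for LD_PRELOAD-style process hiding (added example, not from the article)."""
import ctypes
import os
import platform
import struct
import sys

# getdents64 syscall numbers; assumption: the host is Linux on x86_64 or aarch64
GETDENTS64_NR = {"x86_64": 217, "aarch64": 61}

# struct linux_dirent64 header: d_ino (u64), d_off (s64), d_reclen (u16), d_type (u8), then NUL-terminated d_name
DIRENT_HDR = struct.Struct("<QqHB")
DT_DIR = 4


def pack_dirent(ino: int, name: str, d_type: int = DT_DIR) -> bytes:
    """Build one linux_dirent64 record (used here only to construct sample buffers for offline runs)."""
    body = name.encode() + b"\0"
    reclen = DIRENT_HDR.size + len(body)
    return DIRENT_HDR.pack(ino, 0, reclen, d_type) + body


def parse_dirents(buf: bytes) -> list:
    """Decode the entry names in a raw getdents64 buffer."""
    names, off = [], 0
    while off + DIRENT_HDR.size <= len(buf):
        _ino, _off, reclen, _type = DIRENT_HDR.unpack_from(buf, off)
        if reclen == 0:
            break
        start = off + DIRENT_HDR.size
        names.append(buf[start:buf.index(b"\0", start)].decode(errors="replace"))
        off += reclen
    return names


def kernel_listdir(path: str) -> list:
    """Enumerate a directory with the raw getdents64 syscall.

    A preloaded library can interpose libc's opendir()/readdir(); it cannot
    change what the kernel hands back to a direct syscall.
    """
    nr = GETDENTS64_NR.get(platform.machine())
    if nr is None or not sys.platform.startswith("linux"):
        raise OSError("raw getdents64 is only wired up for Linux x86_64/aarch64 here")
    libc = ctypes.CDLL(None, use_errno=True)
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    buf = ctypes.create_string_buffer(64 * 1024)
    names = []
    try:
        while True:
            n = libc.syscall(nr, fd, buf, len(buf))
            if n < 0:
                raise OSError(ctypes.get_errno(), "getdents64 failed")
            if n == 0:
                break
            names.extend(parse_dirents(buf.raw[:n]))
    finally:
        os.close(fd)
    return names


def pids(names) -> set:
    """Keep only the numeric /proc entries (one per process)."""
    return {int(n) for n in names if n.isdigit()}


def hidden_pids(libc_view, kernel_view_before, kernel_view_after=None) -> set:
    """PIDs present in the kernel's view of /proc but absent from the libc-level listing.

    Requiring a PID to appear in two kernel listings taken around the libc
    listing filters out processes that simply exited in between.
    """
    stable = pids(kernel_view_before)
    if kernel_view_after is not None:
        stable &= pids(kernel_view_after)
    return stable - pids(libc_view)


def preload_entries(text: str) -> list:
    """Split /etc/ld.so.preload content (a whitespace-separated list of library paths)."""
    return text.split()


if __name__ == "__main__":
    # Constructed sample: the kernel view lists PID 4242, the libc view does not.
    sample = pack_dirent(1, "1") + pack_dirent(2, "4242") + pack_dirent(3, "self")
    print("sample hidden PIDs:", hidden_pids(["1", "self"], parse_dirents(sample)))
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            print("ld.so.preload entries:", preload_entries(f.read()))
    try:
        k1 = kernel_listdir("/proc")
        libc_view = os.listdir("/proc")  # CPython lists via libc opendir()/readdir()
        k2 = kernel_listdir("/proc")
        print("hidden PIDs on this host:", sorted(hidden_pids(libc_view, k1, k2)))
    except OSError as e:
        print("live check skipped:", e)
```

The only interposition point this check bypasses is directory enumeration: os.open() still goes through libc, so a hook on open()/openat() would be a separate evasion to account for, and a non-empty /etc/ld.so.preload is worth treating as a finding in its own right on a server that has no legitimate reason for one. On a host without a preload hook the live check should print an empty list.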

To evade traffic analysis, the libpcap library is overridden, reads of /proc/net/tcp are filtered, and an eBPF program is loaded into the kernel that prevents traffic analyzers from working and discards third-party requests directed at its own network handlers. The eBPF program is launched from the first process and executes at the lowest level of the network stack, which allows the backdoor's network activity to be hidden, including from analyzers started later.

Simbiote also allows some file-activity monitoring tools to be bypassed, since the theft of confidential data can be carried out not at the level of opening a file but by intercepting read operations on those files inside legitimate applications (for example, replacing library functions makes it possible to intercept a user's password entry or to capture authentication-key data as it is loaded from files). To organize remote login, Simbiote intercepts some PAM (Pluggable Authentication Module) calls, which allows connecting to the system over SSH with certain attacker-controlled credentials. There is also a hidden option to escalate privileges to the root user by setting the HTTP_SETTHIS environment variable.



Source: opennet.ru
