Symbiote is Linux malware that uses eBPF and LD_PRELOAD to hide itself

Researchers at Intezer and BlackBerry have discovered malware called Symbiote, which is used to plant backdoors and rootkits on compromised Linux servers. The malware was found on systems of financial institutions in several Latin American countries. To install Symbiote on a system, the attacker must already have root access, which can be obtained, for example, by exploiting unpatched vulnerabilities or using leaked account credentials. Symbiote lets the attacker maintain a foothold on the system after the compromise in order to carry out further attacks, hide the activity of other malicious applications and set up interception of confidential data.

A distinctive feature of Symbiote is that it is distributed as a shared library that is loaded into every process at startup via the LD_PRELOAD mechanism and replaces certain calls to the standard C library. The substituted call handlers hide activity related to the backdoor: they exclude certain entries from the process list, block access to certain files in /proc, hide files in directories, remove the malicious shared library from ldd output (the execve function is hooked and calls made with the LD_TRACE_LOADED_OBJECTS environment variable set are filtered) and omit sockets associated with the malicious activity.

To defeat traffic inspection, the functions of the libpcap library are redefined, reads of /proc/net/tcp are filtered, and an eBPF program is loaded into the kernel that prevents traffic analyzers from working and drops third-party requests to the backdoor's own network handlers. The eBPF program is attached among the first handlers and runs at the lowest level of the network stack, which hides the backdoor's network activity even from analyzers started later.

Symbiote also lets the attacker bypass some file-system activity monitors, because confidential data is not stolen at the level of opening files but by intercepting read operations on those files inside legitimate applications (for example, the substituted library functions make it possible to capture passwords typed by users or the contents of files holding access keys). To provide remote login, Symbiote intercepts certain PAM (Pluggable Authentication Module) calls, which allows connecting to the system over SSH with certain attacker-controlled credentials. There is also a hidden way to escalate privileges to root by setting the HTTP_SETTHIS environment variable.
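As an added illustration of the defender's side (not code from the article or the researchers), the following script cross-checks three views of a process that a Symbiote-style LD_PRELOAD hook would make inconsistent: the process environment, the shared objects actually mapped in /proc/&lt;pid&gt;/maps, and what an ldd trace (which the hooked execve filters) reports. The sample environment, maps and ldd text are constructed, and the path /usr/share/fonts/.cache.so is a hypothetical location for the injected library.

```python
import os
import re

# Directories where packaged shared objects normally live (assumption for this check).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def parse_environ(environ_bytes: bytes) -> dict:
    """Parse /proc/<pid>/environ, which is NUL-separated KEY=VALUE entries."""
    env = {}
    for entry in environ_bytes.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def mapped_libraries(maps_text: str) -> set:
    """Collect the .so paths mapped into a process from /proc/<pid>/maps."""
    libs = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) == 6 and fields[5].startswith("/") and ".so" in fields[5]:
            libs.add(fields[5])
    return libs


def ldd_libraries(ldd_text: str) -> set:
    """Collect resolved paths from ldd output lines such as 'libc.so.6 => /usr/lib/... (0x...)'."""
    return set(re.findall(r"=>\s+(/\S+)", ldd_text))


def find_indicators(environ_bytes: bytes, maps_text: str, ldd_text: str, ld_so_preload: str = "") -> list:
    """Return findings that point to a preloaded hook library; an empty list means nothing was found."""
    findings = []
    env = parse_environ(environ_bytes)
    if env.get("LD_PRELOAD"):
        findings.append("LD_PRELOAD set in process environment: " + env["LD_PRELOAD"])
    for path in ld_so_preload.split():  # /etc/ld.so.preload forces a library into every process
        findings.append("/etc/ld.so.preload forces loading of " + path)
    traced = ldd_libraries(ldd_text)
    for lib in sorted(mapped_libraries(maps_text)):
        if not lib.startswith(TRUSTED_LIB_DIRS):
            findings.append("shared object mapped from untrusted location: " + lib)
        # The dynamic loader itself is listed by ldd without '=>', so it is skipped here.
        if lib not in traced and not os.path.basename(lib).startswith("ld-"):
            findings.append("library mapped in live process but absent from ldd output: " + lib)
    return findings


# Constructed sample evidence, modelled on what a hooked sshd process would show.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/usr/share/fonts/.cache.so\0HOME=/root\0"
SAMPLE_MAPS = (
    "55d3c0a00000-55d3c0a08000 r-xp 00000000 fd:01 1234 /usr/bin/sshd\n"
    "7f1a2c000000-7f1a2c1c0000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f1a2c200000-7f1a2c210000 r-xp 00000000 fd:01 9012 /usr/share/fonts/.cache.so\n"
    "7f1a2c300000-7f1a2c330000 r-xp 00000000 fd:01 3456 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\n"
)
SAMPLE_LDD = (  # a filtered ldd run: the preloaded object has been removed from the listing
    "        linux-vdso.so.1 (0x00007ffd1c9f0000)\n"
    "        libc.so.6 => /usr/lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2c000000)\n"
    "        /lib64/ld-linux-x86-64.so.2 (0x00007f1a2c300000)\n"
)

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_ENVIRON, SAMPLE_MAPS, SAMPLE_LDD):
        print(finding)
```

On a live host the same functions can be fed the real /proc/&lt;pid&gt;/environ and maps files and the output of `ldd` on the process's executable; the /proc reads themselves go through libc, so a hooked process can still lie, which is why the comparison against a trace taken from an unhooked view (rescue media, or a static tool) is the stronger check.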

Source: opennet.ru
