The FritzFrog worm has been identified: it infects servers over SSH and builds a decentralized botnet.

Guardicore, a company that works on securing data centers and cloud systems, has disclosed FritzFrog, a new and highly sophisticated malware that infects Linux servers. FritzFrog combines a worm, which spreads by brute-force attacks on servers with an open SSH port, with components for building a decentralized botnet that operates without control nodes and has no single point of failure.

To build the botnet, a proprietary P2P protocol is used in which the nodes communicate with each other, coordinate the organization of attacks, keep the network running and monitor each other's state. New victims are found by brute-forcing servers that accept SSH logins: once a new server is found, a dictionary of typical login and password combinations is tried against it. Control can be exercised through any node, which makes it difficult to identify and block the botnet's operators.

According to the researchers, the botnet already comprises about 500 nodes, including servers of several universities and of a large railway company. The main targets of the attacks are said to be the networks of educational institutions, medical centers, government agencies, banks and telecommunications companies. Once a server is compromised, a Monero cryptocurrency mining process is set up on it. The activity of this malware has been tracked since January 2020.

A distinctive feature of FritzFrog is that it keeps all of its data and executable code in memory only. The only change made on disk is the addition of a new SSH key to the authorized_keys file, which is subsequently used to access the server. System files are not modified, which makes the worm invisible to systems that check integrity with checksums. Memory also holds the dictionaries used for brute-forcing passwords and the mining data, which are synchronized between nodes over the P2P protocol.

The malicious components are disguised as the processes ifconfig, libexec, php-fpm and nginx. Botnet nodes monitor the state of their neighbours and, if a server is rebooted or its OS is reinstalled (provided the modified authorized_keys file was carried over to the new system), they reinstall the malicious components on that host. Standard SSH is used for communication: the malware additionally starts a local netcat bound to the loopback interface and listening on port 1234, which is reached from outside through an SSH tunnel opened with the key planted in authorized_keys.


The FritzFrog components are written in Go and run multithreaded. The malware consists of several modules, each running in its own thread:

  • Cracker - brute-forces passwords on the servers under attack.
  • CryptoComm + Parser - sets up the encrypted P2P connection.
  • CastVotes - a mechanism for jointly choosing which targets to attack.
  • TargetFeed - receives the list of nodes to attack from neighbouring nodes.
  • DeployMgmt - the worm implementation, which distributes the malicious code to a compromised server.
  • Owned - responsible for connecting to servers that are already running the malicious code.
  • Assemble - assembles a file in memory from separately transferred blocks.
  • Antivir - a module for suppressing competing malware; it identifies and kills processes containing the string "xmr" that consume CPU resources.
  • Libexec - the Monero cryptocurrency mining module.

The P2P protocol used by FritzFrog supports about 30 commands responsible for transferring data between nodes, running scripts, transferring malware components, voting status, exchanging logs, launching proxies and so on. Information is sent over a separate encrypted channel with JSON serialization. Encryption uses the symmetric AES cipher together with Base64 encoding, and keys are exchanged with the Diffie-Hellman (DH) protocol. To keep track of each other's state, the nodes constantly exchange ping requests.

All botnet nodes maintain a distributed database with information about the systems under attack and those already compromised. Attack targets are synchronized across the whole botnet: each node attacks its own target, so two different nodes never attack the same host. Nodes also collect local statistics and send them to their neighbours, such as the amount of free memory, uptime, CPU load and SSH login activity. This information is used to decide whether to start mining on a node or to use it only for attacking other systems (for example, mining is not started on heavily loaded systems or on systems that administrators log into frequently).

To identify FritzFrog, the researchers have published a simple shell script. Indicators of a compromised system include a listening socket on port 1234, the presence of the malicious key in authorized_keys (the same SSH key is planted on all nodes), and running processes named "ifconfig", "libexec", "php-fpm" and "nginx" that have no backing executable on disk ("/proc/<pid>/exe" points to a deleted file). Another indicator is traffic to network port 5555, which appears when the malware connects to the web.xmrpool.eu pool while mining Monero.
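The indicators listed above (the netcat listener on port 1234 from the earlier description, memory-only processes with a deleted exe link, traffic to port 5555, and a shared key in authorized_keys) turned into a host triage script. This is an added example and not the script published by the Guardicore researchers: the process names and ports come from the article, while the function names, the parsing of ss(8) output, the fake-/proc test layout and the key-id scheme are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example (not Guardicore's detection script): host triage for the FritzFrog
# indicators named in the article. Process names and ports (1234, 5555) come from the
# article; everything else here is an assumption made for illustration.
set -u

# Process names the malware uses for its memory-only components (from the article).
SUSPECT_NAMES='^(ifconfig|libexec|php-fpm|nginx)$'

# find_memory_only_procs [ROOT]
# Walk ROOT/<pid>/ (ROOT defaults to /proc) and print "<pid> <comm> <exe target>" for
# every process whose name matches SUSPECT_NAMES and whose exe link points to a deleted
# file, i.e. a binary that exists only in memory. Run as root: other users' exe links
# are not readable otherwise.
find_memory_only_procs() {
    local root="${1:-/proc}" dir pid name target
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        name="$(cat "$dir/comm" 2>/dev/null)" || continue
        printf '%s\n' "$name" | grep -Eq "$SUSPECT_NAMES" || continue
        target="$(readlink "$dir/exe" 2>/dev/null)" || continue
        case "$target" in
            *'(deleted)'*) printf '%s %s %s\n' "$pid" "$name" "$target" ;;
        esac
    done
}

# has_ff_listener
# Read `ss -ltn` output on stdin; succeed if any TCP socket listens on port 1234.
# Column 4 of ss output is "Local Address:Port".
has_ff_listener() {
    awk 'NR > 1 && $1 == "LISTEN" && $4 ~ /:1234$/ { found = 1 } END { exit !found }'
}

# has_pool_connection
# Read `ss -tn` output on stdin; succeed if any connection has peer port 5555, the port
# the article reports for the web.xmrpool.eu pool. Column 5 is "Peer Address:Port".
has_pool_connection() {
    awk 'NR > 1 && $5 ~ /:5555$/ { found = 1 } END { exit !found }'
}

# authorized_key_ids FILE
# Print "<type> <id> <comment>" per key in an authorized_keys file, where <id> is the
# first 16 hex chars of sha256 over the base64 key blob. Not the ssh-keygen fingerprint,
# but stable, so the same id on many hosts points at a shared key like the one the
# article describes. Option fields containing spaces (e.g. command="a b") are not handled.
authorized_key_ids() {
    local file="$1" line type blob comment id
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in ssh-*|ecdsa-*|sk-*) ;; *) line="${line#* }" ;; esac
        read -r type blob comment <<<"$line"
        id="$(printf '%s' "$blob" | sha256sum | cut -c1-16)"
        printf '%s %s %s\n' "$type" "$id" "${comment:--}"
    done <"$file"
}

# triage: run the live checks on this host; return 1 if anything suspicious was found.
triage() {
    local rc=0 hit f
    hit="$(find_memory_only_procs /proc)"
    [ -n "$hit" ] && { printf 'memory-only suspect processes:\n%s\n' "$hit"; rc=1; }
    ss -ltn 2>/dev/null | has_ff_listener && { echo 'TCP listener on port 1234'; rc=1; }
    ss -tn 2>/dev/null | has_pool_connection && { echo 'connection to peer port 5555'; rc=1; }
    for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -r "$f" ] && { printf '%s:\n' "$f"; authorized_key_ids "$f"; }
    done
    return "$rc"
}

# Usage: bash ff_triage.sh --run   (without --run the functions are only defined)
if [ "${1:-}" = "--run" ]; then
    triage
fi
```

Treat the hits as leads, not proof: an nginx or php-fpm whose package was upgraded while running also shows "(deleted)" on its exe link, and ports 1234 and 5555 are used by plenty of legitimate software. The key ids are meant to be compared across hosts; an identical id in authorized_keys on many unrelated servers is the signal the article describes.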

Source: opennet.ru
