RotaJakiro, a new Linux malware, masquerades as a systemd process

Researchers at the 360 Netlab laboratory have reported the discovery of new Linux malware, codenamed RotaJakiro, that implements a backdoor giving an attacker control over the system. The malware is believed to be installed by attackers after exploiting unpatched vulnerabilities in the system or guessing weak passwords.

The backdoor was found while analysing suspicious traffic from one of the system processes, noticed during an investigation of the structure of a botnet used for a DDoS attack. Before that, RotaJakiro had gone undetected for three years: the first attempts to scan files whose MD5 hashes match this malware appeared on the VirusTotal service in May 2018.

One of RotaJakiro's features is that it uses different camouflage techniques depending on whether it runs as an unprivileged user or as root. To hide its presence, the backdoor ran under the process names systemd-daemon, session-dbus and gvfsd-helper, which, given how cluttered modern Linux distributions are with service processes of every kind, look legitimate at first glance and do not arouse suspicion.

When running with root privileges, the files /etc/init/systemd-agent.conf and /lib/systemd/system/sys-temd-agent.service were created to launch the malware, and the malicious executable itself was stored as /bin/systemd/systemd-daemon and /usr/lib/systemd/systemd-daemon (the functionality was duplicated in two files). When running as a regular user, the autostart file $HOME/.config/au-tostart/gnomehelper.desktop was used and changes were made to .bashrc, and the executable was saved as $HOME/.gvfsd/.profile/gvfsd-helper and $HOME/.dbus/sessions/session-dbus. Both executables were started at the same time, each watching for the presence of the other and restoring it if it was terminated. Note the look-alike names: systemd's own binary is /lib/systemd/systemd (or /usr/lib/systemd/systemd), not a systemd-daemon under /bin/systemd; no genuine unit is called sys-temd-agent; and the XDG autostart directory is $HOME/.config/autostart, not au-tostart.
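To turn the persistence artifacts above into a host check, here is an added example (my own code, not part of the article or of the 360 Netlab report). The file paths and process names are the ones the article lists; the scanning logic, the function names, the constructed sample tree and process list, and the rule that a .bashrc line naming one of the user-mode binaries is suspicious are assumptions of this example.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path
from typing import Iterable

# Persistence artifacts named in the article, split by the privilege level
# under which the backdoor installed them. Root paths are relative to "/",
# home paths are relative to a user's $HOME.
ROOT_FILE_IOCS = (
    "etc/init/systemd-agent.conf",
    "lib/systemd/system/sys-temd-agent.service",
    "bin/systemd/systemd-daemon",
    "usr/lib/systemd/systemd-daemon",
)
HOME_FILE_IOCS = (
    ".config/au-tostart/gnomehelper.desktop",
    ".gvfsd/.profile/gvfsd-helper",
    ".dbus/sessions/session-dbus",
)
# The three camouflage process names. None has a legitimate owner: systemd's
# own process is "systemd", the D-Bus daemon is "dbus-daemon", and GVfs
# helpers are named gvfsd-<backend>, not gvfsd-helper.
PROCESS_NAME_IOCS = frozenset({"systemd-daemon", "session-dbus", "gvfsd-helper"})


def find_file_iocs(root: Path, homes: Iterable[Path]) -> list[Path]:
    """Return every listed artifact that exists under `root` or any of `homes`."""
    hits = [root / p for p in ROOT_FILE_IOCS if (root / p).exists()]
    for home in homes:
        hits.extend(home / p for p in HOME_FILE_IOCS if (home / p).exists())
    return hits


def bashrc_references_iocs(bashrc_text: str) -> bool:
    """The article only says .bashrc was modified. Assumption made here: the
    added line starts one of the user-mode binaries, so any line naming them
    or their hidden directories is flagged."""
    needles = ("gvfsd-helper", "session-dbus", ".gvfsd/.profile", ".dbus/sessions")
    return any(n in line for line in bashrc_text.splitlines() for n in needles)


def find_process_iocs(processes: Iterable[tuple[int, str, str]]) -> list[tuple[int, str, str]]:
    """`processes` holds (pid, comm, exe) triples such as those read from
    /proc/<pid>/comm and /proc/<pid>/exe. A process is flagged when its name is
    one of the camouflage names or its executable is one of the listed paths."""
    root_exes = {"/" + p for p in ROOT_FILE_IOCS}
    hits = []
    for pid, comm, exe in processes:
        by_name = comm in PROCESS_NAME_IOCS
        by_path = exe in root_exes or any(exe.endswith("/" + p) for p in HOME_FILE_IOCS)
        if by_name or by_path:
            hits.append((pid, comm, exe))
    return hits


def live_processes() -> list[tuple[int, str, str]]:
    """Enumerate /proc on a Linux host; entries this user cannot read are skipped."""
    out = []
    for d in Path("/proc").glob("[0-9]*"):
        try:
            comm = (d / "comm").read_text().strip()
            exe = os.readlink(d / "exe")
        except OSError:
            continue
        out.append((int(d.name), comm, exe))
    return out


def demo() -> dict:
    """Run the checks on a constructed throw-away tree (one root-mode config file
    plus a user-mode install) and a constructed process list; returns findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root, home = Path(tmp) / "root", Path(tmp) / "home" / "alice"
        planted = [root / ROOT_FILE_IOCS[0], home / HOME_FILE_IOCS[1], home / HOME_FILE_IOCS[2]]
        for f in planted:
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"constructed sample, not the real malware\n")
        files = [str(p.relative_to(tmp)) for p in find_file_iocs(root, [home])]
    bashrc = bashrc_references_iocs("alias ll='ls -l'\n$HOME/.gvfsd/.profile/gvfsd-helper &\n")
    procs = find_process_iocs([
        (1, "systemd", "/usr/lib/systemd/systemd"),                          # legitimate
        (900, "dbus-daemon", "/usr/bin/dbus-daemon"),                         # legitimate
        (2345, "gvfsd-helper", "/home/alice/.gvfsd/.profile/gvfsd-helper"),  # camouflage
        (2346, "session-dbus", "/home/alice/.dbus/sessions/session-dbus"),   # camouflage
    ])
    return {"files": files, "bashrc": bashrc, "pids": [pid for pid, _, _ in procs]}


if __name__ == "__main__":
    print("constructed sample:", demo())
    if Path("/proc").is_dir():  # live sweep of this host
        homes = [Path.home(), *Path("/home").glob("*")]
        for hit in find_file_iocs(Path("/"), homes):
            print("file IoC present:", hit)
        for home in homes:
            rc = home / ".bashrc"
            if rc.is_file() and bashrc_references_iocs(rc.read_text(errors="replace")):
                print("suspicious .bashrc:", rc)
        for pid, comm, exe in find_process_iocs(live_processes()):
            print(f"suspicious process: pid={pid} comm={comm} exe={exe}")
```

Run the live sweep as root so that /proc/<pid>/exe is readable for every process; an unprivileged run silently skips what it cannot inspect. Because the two executables restart each other, stop both processes in a single step (or disable the unit first) before deleting the files, otherwise the survivor recreates its partner.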

To hide the results of its activity, the backdoor used several encryption algorithms: for example, AES was used to encrypt its resources, and a combination of AES, XOR and ROTATE together with ZLIB compression was used to conceal the communication channel with the control server.

To receive control commands, the malware contacted 4 domains over network port 443 (the communication channel used its own protocol, not HTTPS over TLS, so although the port is one most firewalls allow, the traffic lacks a TLS handshake and can be told apart from genuine HTTPS). The domains (cdn.mirror-codes.net, status.sublineover.net, blog.eduelects.com and news.thaprior.net) were registered in 2015 and hosted by the Kyiv hosting provider Deltahost. 12 basic functions were built into the backdoor, allowing it to load and execute plugins with extended functionality, send device information, steal sensitive data and manage local files.

Source: opennet.ru