Simbiote: Linux malware that uses eBPF and LD_PRELOAD to hide itself

Researchers from Intezer and BlackBerry have discovered malware codenamed Simbiote, which is used to inject backdoors and rootkits into compromised servers running Linux. The malware was found on systems belonging to financial organisations in several Latin American countries. To install Simbiote on a system, an attacker must already have root access, which can be obtained, for example, by exploiting unpatched vulnerabilities or through leaked account credentials. Simbiote lets the attacker consolidate their presence on the system after a break-in in order to carry out further attacks, hide the activity of other malicious applications and arrange the interception of confidential data.

A distinguishing feature of Simbiote is that it is distributed as a shared library, which is loaded at the start of every process via the LD_PRELOAD mechanism and replaces some calls to the standard library. The spoofed call handlers hide backdoor-related activity: they exclude certain entries from the process list, block access to certain files in /proc, hide files in directories, exclude the malicious shared library from ldd output (by hijacking the execve function and examining calls made with the LD_TRACE_LOADED_OBJECTS environment variable set) and suppress the display of network sockets associated with the malicious activity.

To protect against traffic inspection, the libpcap library functions are redefined, reads of /proc/net/tcp are filtered, and a BPF program is loaded into the kernel that interferes with the operation of traffic analysers and drops third-party requests to the malware's own network handlers. The eBPF program is attached among the first handlers and runs at the lowest level of the network stack, which allows the backdoor's network activity to be hidden, including from analysers started later.
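As an added defender's check, not taken from the article or from the researchers' tooling: every socket a process holds open appears in its fd table as a link of the form socket:[inode], and the kernel normally lists that same inode in /proc/net/tcp, so an inode that is held by a process but missing from the /proc/net/tcp view returned by a hooked read points at a hidden socket. The /proc/net/tcp rows and fd link targets below are constructed sample data; the function names are the example's own.

```python
import re
from typing import Dict, List

# Constructed /proc/net/tcp dump as a clean kernel reports it: two listening
# sockets, 127.0.0.1:631 (inode 12345) and 0.0.0.0:22 (inode 20001).
PROC_NET_TCP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
"""

# Constructed readlink() targets of /proc/<pid>/fd/* entries. Inode 31337 is
# held open by pid 4242 but is absent from the (filtered) /proc/net/tcp view.
FD_LINKS_SAMPLE = {
    4242: ["/dev/null", "socket:[31337]", "pipe:[555]"],
    1001: ["socket:[12345]", "/var/log/cups/access_log"],
    77: ["socket:[20001]"],
}


def parse_proc_net_tcp(text: str) -> Dict[int, str]:
    """Map socket inode -> 'ip:port' for each row of a /proc/net/tcp dump."""
    sockets = {}
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # IPv4 is stored as 8 hex digits in host (little-endian) byte order
        octets = [str(int(hex_ip[i:i + 2], 16)) for i in (6, 4, 2, 0)]
        sockets[int(fields[9])] = f"{'.'.join(octets)}:{int(hex_port, 16)}"
    return sockets


def socket_inodes_from_fds(fd_links: Dict[int, List[str]]) -> Dict[int, int]:
    """Map socket inode -> pid from fd link targets shaped like 'socket:[N]'."""
    held = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                held[int(m.group(1))] = pid
    return held


def find_hidden_sockets(proc_net_tcp_text: str,
                        fd_links: Dict[int, List[str]]) -> Dict[int, int]:
    """Socket inodes some process holds open that /proc/net/tcp does not list."""
    listed = parse_proc_net_tcp(proc_net_tcp_text)
    held = socket_inodes_from_fds(fd_links)
    return {inode: pid for inode, pid in held.items() if inode not in listed}
```

On a live host, also feed the tcp6, udp and udp6 tables (same column layout) into the comparison before flagging an inode, otherwise legitimate non-TCP sockets are reported as hidden; reading the tables from a statically linked binary avoids the LD_PRELOAD hooks themselves.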

Simbiote also makes it possible to bypass some file-system activity monitors, since the theft of confidential data can be carried out not at the level of opening files but by intercepting read operations on those files within legitimate applications (for example, substituting library functions makes it possible to capture a password as the user types it, or the access key as it is loaded from a file). To arrange remote login, Simbiote intercepts some PAM (Pluggable Authentication Module) calls, which allows connecting to the system over SSH with credentials chosen by the attacker. There is also a hidden option to elevate privileges to the root user by setting the HTTP_SETTHIS environment variable.

Source: opennet.ru
