The FritzFrog worm has been discovered: it infects servers over SSH and builds a decentralized botnet.

Guardicore, a company specializing in the protection of data centers and cloud systems, has disclosed FritzFrog, a new sophisticated piece of malware that attacks Linux-based servers. FritzFrog combines a worm that spreads through brute-force attacks on servers with an open SSH port, and components for building a decentralized botnet that operates without control nodes and without any single point of failure.

To build the botnet, a proprietary P2P protocol is used, through which the nodes interact with each other, coordinate the organization of attacks, keep the network running and monitor each other's state. New victims are found by brute-forcing servers that accept requests over SSH. When a new server is discovered, a dictionary of typical login and password combinations is tried against it. Control can be exercised through any node, which makes it difficult to identify and block the botnet operators.

According to the researchers, the botnet already numbers more than 500 nodes, including servers of several universities and of a large railway company. It is noted that the main targets of these attacks are the networks of educational institutions, medical centers, government agencies, banks and telecommunications companies. After a server is compromised, a Monero cryptocurrency mining process is set up on it. The activity of the malware in question has been traced back to January 2020.

A distinctive feature of FritzFrog is that it keeps all of its data and executable code in memory only. The only change made on disk is the addition of a new SSH key to the authorized_keys file, which is subsequently used to access the server. System files are not modified, which makes the worm invisible to systems that verify integrity using checksums. Memory also holds the dictionaries for brute-forcing passwords and the mining data, which are synchronized between nodes using the P2P protocol.

The malicious components are disguised as ifconfig, libexec, php-fpm and nginx processes. Botnet nodes monitor the state of their neighbors and, if a server is rebooted or even the OS is reinstalled (provided the modified authorized_keys file is carried over to the new system), they reinstall the malicious components on the host. Regular SSH is used for communication: the malware additionally launches a local "netcat" that binds to the localhost interface and listens for traffic on port 1234, which external nodes reach through an SSH tunnel, using the key from authorized_keys to connect.


The FritzFrog component code is written in Go and runs in multi-threaded mode. The malware includes several modules that run in separate threads:

  • Cracker - brute-forces passwords on the attacked servers.
  • CryptoComm + Parser - organizes the encrypted P2P communication.
  • CastVotes - a mechanism for jointly selecting the hosts to attack.
  • TargetFeed - receives the list of nodes to attack from neighboring nodes.
  • DeployMgmt - the worm implementation that distributes the malicious code to a compromised server.
  • Owned - responsible for connecting to servers that are already running the malicious code.
  • Assemble - assembles a file in memory from separately transferred blocks.
  • Antivir - a module for suppressing competing malware; it detects and kills processes with the string "xmr" that consume CPU resources.
  • Libexec - the module for mining the Monero cryptocurrency.

The P2P protocol used in FritzFrog supports about 30 commands responsible for transferring data between nodes, running scripts, transferring malware components, polling state, exchanging logs, starting proxies, and so on. Information is transmitted over a separate encrypted channel with serialization in JSON format. Encryption uses an asymmetric AES cipher and Base30 encoding. The DH (Diffie–Hellman) protocol is used for key exchange. To determine each other's state, nodes constantly exchange ping requests.

Every botnet node maintains a distributed database with information about attacked and compromised systems. Attack targets are synchronized within the botnet: each node attacks its own distinct target, i.e. two different botnet nodes never attack the same host. Nodes also collect local metrics and pass them to their neighbors, such as free memory size, uptime, CPU load and SSH login activity. This information is used to decide whether to start the mining process or to use the node only for attacking other systems (for example, mining is not started on heavily loaded systems or on systems whose administrators connect frequently).

To detect FritzFrog, the researchers proposed a simple shell script. Indicators of system compromise include a listening socket on port 1234, the presence of the malicious key in authorized_keys (the same SSH key is installed on all nodes), and running processes named "ifconfig", "libexec", "php-fpm" and "nginx" that have no associated executable file on disk ("/proc/ / exe" points to a deleted file). Another indicator is traffic on network port 5555, which appears when the malware contacts the typical pool web.xmrpool.eu while mining the Monero cryptocurrency.
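The indicators above, turned into a host check. This is an added example, not Guardicore's own detection script; the botnet's public key is an IoC from the vendor report and appears here only as a labelled placeholder, and the `ss` output layout (local address in column 4, peer in column 5) is assumed.

```shell
#!/bin/sh
# Added host check for the FritzFrog indicators described above (not Guardicore's
# own detection script). Run as root so every /proc/<PID>/exe link is readable.
set -u

# Public key the botnet plants in authorized_keys (same key on every node). The
# value is a PLACEHOLDER; set the real IoC from the vendor report via the environment.
FRITZFROG_PUBKEY="${FRITZFROG_PUBKEY:-ssh-rsa PLACEHOLDER_KEY_FROM_VENDOR_REPORT}"

# True when $1 (/proc/<PID>/comm) is one of the disguise names and $2 (readlink of
# /proc/<PID>/exe) shows the binary is gone from disk, i.e. code lives only in
# memory. An empty $2 (readlink failed, e.g. not root) is deliberately not a hit.
fritzfrog_proc_suspect() {
  case "$1" in ifconfig|libexec|php-fpm|nginx) ;; *) return 1 ;; esac
  case "$2" in *'(deleted)') return 0 ;; *) return 1 ;; esac
}

# True when some row of `ss` output on stdin has port $2 in column $1
# (4 = local address, 5 = peer address). Matches ":1234" but not ":12345".
ss_has_port() {
  awk -v c="$1" -v p="$2" '$c ~ (":" p "$") {f=1} END {exit !f}'
}

# True when authorized_keys file $1 carries the botnet key.
key_file_has_indicator() {
  [ -r "$1" ] && grep -qF -- "$FRITZFROG_PUBKEY" "$1"
}

# Live scan of this host: prints every finding, returns 0 only when nothing matched.
scan_host() {
  hits=0
  for d in /proc/[0-9]*; do
    name=$(cat "$d/comm" 2>/dev/null) || continue
    exe=$(readlink "$d/exe" 2>/dev/null)
    fritzfrog_proc_suspect "$name" "$exe" &&
      { echo "SUSPECT process ${d#/proc/} ($name): exe -> $exe"; hits=$((hits + 1)); }
  done
  # netcat side channel: listener on port 1234 (FritzFrog binds it to localhost)
  ss -lnt 2>/dev/null | ss_has_port 4 1234 &&
    { echo "SUSPECT listener on TCP port 1234"; hits=$((hits + 1)); }
  # outbound connection to a peer on port 5555 (web.xmrpool.eu mining pool)
  ss -nt 2>/dev/null | ss_has_port 5 5555 &&
    { echo "SUSPECT connection to remote TCP port 5555"; hits=$((hits + 1)); }
  for k in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
    key_file_has_indicator "$k" && { echo "SUSPECT key in $k"; hits=$((hits + 1)); }
  done
  [ "$hits" -eq 0 ]
}
case "${1:-}" in --scan) scan_host ;; esac
```

Run it as `sh fritzfrog-check.sh --scan` on the host under review; a non-zero exit status means at least one indicator matched and the process, socket or key named in the output should be investigated.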

Source: opennet.ru
