RotaJakiro: new Linux malware that disguises itself as a systemd process

The 360 Netlab research lab has reported the discovery of new Linux malware, named RotaJakiro, which contains a backdoor that lets an attacker control the system. The malware was presumably installed by the attackers after exploiting a vulnerability in the system or guessing weak passwords.

The backdoor was discovered during analysis of suspicious traffic from one of the system processes, identified while examining the structure of a botnet used for a DDoS attack. Before that, RotaJakiro remained unnoticed for three years; in particular, the first attempts to scan files with MD5 hashes matching the detected malware in the VirusTotal service date back to May 2018.

One of the distinguishing features of RotaJakiro is that it uses different masking techniques when running as an unprivileged user and as root. To hide its presence, the backdoor used the process names systemd-daemon, session-dbus and gvfsd-helper, which, given how cluttered modern Linux distributions are with all kinds of service processes, looked legitimate at first glance and did not arouse suspicion.

When run with root privileges, the scripts /etc/init/systemd-agent.conf and /lib/systemd/system/systemd-agent.service were created to start the malware, and the malicious executable itself was placed at /bin/systemd/systemd-daemon and /usr/lib/systemd/systemd-daemon (the functionality was duplicated in two files). When running as a normal user, the autostart file $HOME/.config/autostart/gnomehelper.desktop was used and changes were made to .bashrc, and the executable was stored as $HOME/.gvfsd/.profile/gvfsd-helper and $HOME/.dbus/sessions/session-dbus. Both executables were launched at the same time, each monitoring the presence of the other and restoring it if it was terminated.
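As an added example (not from the article or from 360 Netlab), the following POSIX shell check looks for the persistence artifacts and process names listed above on a live host or in a mounted disk image; the ROOT and HOME_DIR parameters of rotajakiro_scan are an assumption so that the check can be pointed at an offline filesystem tree.

```shell
#!/bin/sh
# Added example: hunt for the RotaJakiro persistence paths named in the article.

# Paths created when the backdoor ran as root, relative to the filesystem root.
ROOT_ARTIFACTS="
etc/init/systemd-agent.conf
lib/systemd/system/systemd-agent.service
bin/systemd/systemd-daemon
usr/lib/systemd/systemd-daemon
"
# Paths created when it ran as a normal user, relative to that user's home.
USER_ARTIFACTS="
.config/autostart/gnomehelper.desktop
.gvfsd/.profile/gvfsd-helper
.dbus/sessions/session-dbus
"

# rotajakiro_scan ROOT HOME_DIR: print one "artifact:" line per hit.
# ROOT is "/" on a live host or the mount point of an image (assumed parameters).
rotajakiro_scan() {
  root="${1%/}"; home="${2%/}"
  for p in $ROOT_ARTIFACTS; do
    [ -e "$root/$p" ] && echo "artifact: $root/$p"
  done
  for p in $USER_ARTIFACTS; do
    [ -e "$home/$p" ] && echo "artifact: $home/$p"
  done
  # .bashrc was modified to launch the user-mode copy; flag references to it.
  if [ -f "$home/.bashrc" ] && grep -qE 'gvfsd-helper|session-dbus' "$home/.bashrc"; then
    echo "artifact: $home/.bashrc references the backdoor binaries"
  fi
  return 0
}

# rotajakiro_check_procs: list running processes using the article's process
# names together with the binary they execute, so an analyst can verify them.
rotajakiro_check_procs() {
  for comm in /proc/[0-9]*/comm; do
    name=$(cat "$comm" 2>/dev/null) || continue
    case "$name" in
      systemd-daemon|session-dbus|gvfsd-helper)
        pid=${comm#/proc/}; pid=${pid%/comm}
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
        echo "process: pid=$pid name=$name exe=$exe" ;;
    esac
  done
  return 0
}

rotajakiro_scan / "${HOME:-/root}"
rotajakiro_check_procs
```

Any "artifact:" or "process:" line is a lead to examine, not proof by itself, since a legitimate binary could in principle carry one of these names; compare the reported exe path against the paths in the article.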

To hide the traces of its activity, the backdoor used several encryption algorithms: for example, AES was used to encrypt its resources, and a combination of AES, XOR and ROTATE together with ZLIB compression was used to conceal the communication channel with the command-and-control server.

To receive control commands, the malware contacted 4 domains over network port 443 (the communication channel used its own protocol, not HTTPS or TLS). The domains (cdn.mirror-codes.net, status.sublineover.net, blog.eduelects.com and news.thaprior.net) were registered in 2015 and hosted by the Kyiv hosting provider Deltahost. The backdoor contained 12 basic functions, allowing it to load and run plugins with advanced functionality, transmit device data, intercept sensitive data and manage local files.

Source: opennet.ru
