724 malicious packages found in RubyGems

ReversingLabs has published the results of an analysis of typosquatting in the RubyGems repository. Typosquatting is typically used to distribute malicious packages that count on an inattentive developer making a typo or failing to notice a difference when searching. The study identified more than 700 packages whose names resemble those of popular packages but differ in small details, such as swapping similar-looking letters or using underscores instead of dashes.

Components suspected of performing malicious actions were found in more than 400 packages. In particular, each contained a file named aaa.png that held executable code in PE format. These packages were tied to two accounts from which 724 malicious packages were uploaded to RubyGems between February 16 and February 25, 2020; in total they were downloaded about 95 thousand times. The researchers notified the RubyGems administrators, and the identified malicious packages have already been removed from the repository.

Of the problematic packages identified, the most popular was "atlas-client", which at first glance is indistinguishable from the legitimate package "atlas_client". That package was downloaded 2100 times (the legitimate package was downloaded 6496 times, meaning users picked the wrong one in almost 25% of cases). The remaining packages were downloaded 100-150 times on average and were disguised as other packages using the same trick of swapping underscores and dashes (for example, among the malicious packages: appium-lib, action-mailer_cache_delivery, activemodel_validators, asciidoctor_bibliography, assets-pipeline, apress_validators, ar_octopus-replication-tracking, aliyun-open_search, aliyun-mns, ab_split, apns-polite).
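The dash/underscore substitution described above is mechanical enough that a project can check its own dependency list for it. The following Ruby script is an added example, not code from ReversingLabs or the RubyGems project: it parses the specs section of a Gemfile.lock, canonicalises each gem name by collapsing dashes and underscores, and flags any name that is not itself on a known-good list but collides with a known gem after canonicalisation. The KNOWN_GEMS list and the sample lockfile are constructed for the example; in practice the list would be the project's reviewed allowlist.

```ruby
# Added example: flag gem names that imitate a known gem by swapping
# dashes and underscores. KNOWN_GEMS is a constructed sample allowlist,
# not a real list of popular gems.
KNOWN_GEMS = %w[
  atlas_client
  appium_lib
  action_mailer_cache_delivery
  activemodel-validators
].freeze

# Canonical form: lowercase, with dashes and underscores treated alike.
def canonical_name(name)
  name.downcase.tr("-", "_")
end

# Returns { suspicious_name => imitated_known_gem }. Names that exactly
# match a known gem are legitimate and are not flagged.
def find_lookalikes(dependency_names, known = KNOWN_GEMS)
  index = known.each_with_object({}) { |g, h| h[canonical_name(g)] = g }
  dependency_names.each_with_object({}) do |dep, out|
    next if known.include?(dep)
    match = index[canonical_name(dep)]
    out[dep] = match if match
  end
end

# Minimal parser for the "specs:" block of a Gemfile.lock. Spec lines look
# like "    name (version)"; the block ends at the next unindented header.
def gem_names_from_lockfile(text)
  names = []
  in_specs = false
  text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if in_specs && line !~ /\A\s/ && !line.strip.empty?
    next unless in_specs
    names << Regexp.last_match(1) if line =~ /\A\s+(\S+) \(/
  end
  names.uniq
end

# Constructed sample lockfile containing one lookalike ("atlas-client").
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      atlas-client (0.1.0)
      appium_lib (9.0.0)
        atlas-client (>= 0)
      rake (13.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    atlas-client
    appium_lib
LOCK

if __FILE__ == $PROGRAM_NAME
  find_lookalikes(gem_names_from_lockfile(SAMPLE_LOCKFILE)).each do |bad, good|
    puts "suspicious: #{bad} (looks like #{good})"
  end
end
```

Running the script against the sample prints one line for atlas-client. To use it on a real project, read the lockfile from disk (`File.read("Gemfile.lock")`) and replace KNOWN_GEMS with the gems the team has actually reviewed; the check is deliberately strict about exact matches so that a legitimately named dependency is never reported.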

The malicious packages contained a PNG file that, instead of an image, held an executable for the Windows platform. The file was produced with the Ocra Ruby2Exe utility and consisted of a self-extracting archive bundling a Ruby script together with the Ruby interpreter. On package installation, the png file was renamed to exe and launched. During execution it created a VBScript file and added it to autorun. This malicious VBScript repeatedly scanned the clipboard contents for data resembling cryptocurrency wallet addresses and, when it found one, replaced the wallet number, counting on the user not noticing the difference and transferring funds to the wrong wallet.
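The disguise described above, a Windows executable shipped under an image file name, is easy to detect on content rather than extension. The following Ruby code is an added example, not part of the report or of any RubyGems tooling: it checks whether data that claims to be an image actually begins with a DOS "MZ" stub whose e_lfanew field points at a "PE\0\0" signature, and scans a map of file names to bytes (such as the unpacked contents of a gem) for such mismatches. The FAKE_PE bytes are a constructed minimal header, not a real binary; the file name aaa.png is taken from the article.

```ruby
# Added example: find files whose extension claims an image but whose
# content carries a Windows PE header. Sample bytes are constructed.
IMAGE_EXTENSIONS = %w[.png .jpg .jpeg .gif .bmp].freeze
PNG_MAGIC = "\x89PNG\r\n\x1a\n".b

# True when data starts with "MZ" and the 32-bit little-endian offset at
# 0x3c (e_lfanew) points at the "PE\0\0" signature.
def pe_header?(data)
  data = data.b
  return false unless data.bytesize >= 0x40 && data[0, 2] == "MZ"
  e_lfanew = data[0x3c, 4].unpack1("V")
  data[e_lfanew, 4] == "PE\0\0"
end

def disguised_executable?(filename, data)
  IMAGE_EXTENSIONS.include?(File.extname(filename).downcase) && pe_header?(data)
end

# files: { relative_path => bytes }, e.g. from extracting a gem's data.tar.gz.
def find_disguised_executables(files)
  files.select { |name, data| disguised_executable?(name, data) }.keys
end

# Constructed sample: a minimal fake PE prefix (MZ stub, e_lfanew = 0x40,
# PE signature at 0x40) and a genuine PNG header.
FAKE_PE = ("MZ" + "\0" * 0x3a + [0x40].pack("V") + "PE\0\0" + "\0" * 20).b
REAL_PNG = (PNG_MAGIC + "\0" * 32).b
SAMPLE_FILES = {
  "lib/aaa.png" => FAKE_PE,   # image name, executable content: flagged
  "lib/logo.png" => REAL_PNG, # real image: not flagged
  "bin/tool.exe" => FAKE_PE   # executable under an honest name: not flagged
}.freeze

if __FILE__ == $PROGRAM_NAME
  find_disguised_executables(SAMPLE_FILES).each { |path| puts "PE inside image file: #{path}" }
end
```

The check reports only files whose name and content disagree, so a gem that legitimately ships a native helper with an .exe extension is left to normal review; the point is the mismatch, not the presence of a binary.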

The study showed that it is not hard to get malicious packages added to one of the most popular repositories, and that such packages can go unnoticed despite a substantial number of downloads. It should be noted that the problem is not specific to RubyGems and affects other popular repositories as well. For example, last year the same researchers discovered in the NPM repository a malicious package called bb-builder, which used a similar technique of launching an executable to steal passwords. Before that, a backdoor was found in a dependency of the NPM event-stream package; the malicious code was downloaded about 8 million times. Malicious packages also surface periodically in the PyPI repository.

Source: opennet.ru