Malware distributed through an ad for a domain indistinguishable from the KeePass project's domain

Researchers at Malwarebytes Labs have identified a fake website for the free password manager KeePass that distributes malware and was being promoted through the Google advertising network. What set this attack apart was the attackers' use of the domain “ķeepass.info”, whose spelling is indistinguishable at first glance from the project's official domain “keepass.info”. When searching Google for the keyword “keepass”, the ad for the fake site was shown in the first position, ahead of the link to the official site.


To deceive users, a long-known phishing technique was used, based on registering internationalized domain names (IDNs) containing homoglyphs: characters that look like Latin letters but have a different meaning and their own Unicode code point. Specifically, the domain “ķeepass.info” is actually registered as “xn--eepass-vbb.info” in punycode notation, and if you look closely at the name shown in the address bar you can see a small mark under the letter “ķ”, which many users take for a speck on the screen. The impression that the opened site was genuine was reinforced by the fact that the fake site was served over HTTPS with a valid TLS certificate issued for the internationalized domain.


To prevent abuse, registrars do not allow registration of IDN domains that mix characters from different alphabets. For example, a spoofed apple.com domain (“xn--pple-43d.com”) cannot be created by replacing the Latin “a” (U+0061) with the Cyrillic “а” (U+0430). Mixing Latin and other Unicode characters in a domain name is likewise blocked, but there is an exception to this restriction, and it is the one the attackers exploit: mixing in Unicode characters from the Latin group of similar letters is allowed in a domain. For example, the letter “ķ” used in the attack under discussion is part of the Latvian alphabet and is acceptable in Latvian-language domains.
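The following is an added example (not from the original article or from Malwarebytes) showing how a defender can decode an “xn--” label back to Unicode and flag both kinds of lookalike described above: mixed-script labels such as the Cyrillic-“а” apple.com, and single-script Latin labels with diacritics such as “ķeepass”, which pass the mixed-script test and are only caught by stripping the diacritics and comparing against a list of protected domains. The PROTECTED set is a constructed list for the example.

```python
import unicodedata

# Constructed list of brand domains to protect (example assumption)
PROTECTED = {"keepass.info", "apple.com"}


def to_unicode(host: str) -> str:
    """Decode every punycode ("xn--") label of a hostname to its Unicode form."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts_of(label: str) -> set:
    """Scripts present in a label, taken from the first word of each character's
    Unicode name (e.g. LATIN, CYRILLIC). Digits and hyphens belong to all scripts."""
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def skeleton(host: str) -> str:
    """Collapse diacritics: NFKD decomposition, drop combining marks, casefold.
    'ķeepass' (k + combining cedilla) becomes plain 'keepass'."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def analyze_hostname(host: str) -> dict:
    """Return the decoded name plus the two lookalike checks a registrar or
    proxy filter would apply: mixed scripts per label, and a diacritic-stripped
    match against a protected brand domain."""
    uni = to_unicode(host)
    mixed = [lbl for lbl in uni.split(".") if len(scripts_of(lbl)) > 1]
    skel = skeleton(uni)
    lookalike = skel if (skel in PROTECTED and skel != uni) else None
    return {
        "unicode": uni,
        "non_ascii": not uni.isascii(),
        "mixed_script_labels": mixed,
        "lookalike_of": lookalike,
        "suspicious": bool(mixed) or lookalike is not None,
    }
```

Run against "xn--eepass-vbb.info" the mixed-script check stays silent (every letter is Latin) and only the skeleton comparison reports it as a lookalike of keepass.info, which is exactly the gap the registrar exception leaves open.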

To get past the Google ad network's filters and the bot checks that can detect malware, the intermediate site keepassstacking.site was specified as the main link in the ad block; it redirects users who meet certain criteria to the fake domain “ķeepass.info”.

The fake site was styled to resemble the official KeePass website, but modified to push downloads of the program (the look and feel of the official site was preserved). The download page for the Windows build offered an msix installer that contained malicious code and carried a valid digital signature. When the downloaded file was run on the user's system, a FakeBat script was additionally launched, which downloads malicious components from an external server to attack the user's system (for example, to intercept confidential data, join the system to a botnet, or substitute crypto wallet addresses in the clipboard).



Source: opennet.ru
