RotaJakiro is new Linux malware that masquerades as a systemd process

The 360 Netlab research lab has reported the identification of new Linux malware, codenamed RotaJakiro, that implements a backdoor giving the operator control over the compromised system. The malware is presumably installed by attackers after exploiting an unpatched vulnerability on the system or guessing weak passwords.

The backdoor was discovered while analysing suspicious traffic from one of the system processes, spotted during a study of the infrastructure of a botnet used for DDoS attacks. Before that, RotaJakiro had gone unnoticed for three years: the first uploads to the VirusTotal service of files whose MD5 hashes match the identified malware date from May 2018.

One notable feature of RotaJakiro is that it uses different concealment techniques depending on whether it runs as an unprivileged user or as root. To hide its presence, the backdoor uses the process names systemd-daemon, session-dbus and gvfsd-helper, which, given how cluttered a modern Linux distribution is with service processes of every kind, look legitimate at first glance and do not raise suspicion.

When running with root privileges, it creates the unit files /etc/init/systemd-agent.conf and /lib/systemd/system/systemd-agent.service to start the malware, and the malicious executable itself is placed at /bin/systemd/systemd-daemon and /usr/lib/systemd/systemd-daemon (the functionality is duplicated in two files). When running as a regular user, it uses the autostart file $HOME/.config/autostart/gnomehelper.desktop and modifies .bashrc, and the executable is stored as $HOME/.gvfsd/.profile/gvfsd-helper and $HOME/.dbus/sessions/session-dbus. Both executables are started together; each watches for the presence of the other and restores it if it is killed.

To hide traces of its activity, the backdoor uses several encryption schemes: AES is used to encrypt its embedded resources, and a combination of AES, XOR and ROTATE, together with ZLIB compression, is used to obfuscate the communication channel with the control server.

To receive control commands, the malware contacts four domains on network port 443 (the communication channel uses its own protocol rather than HTTPS or TLS, so the port choice is camouflage, not encryption). The domains (cdn.mirror-codes.net, status.sublineover.net, blog.eduelects.com and news.thaprior.net) were registered in 2015 and are hosted by the Kyiv hosting provider Deltahost. The backdoor integrates 12 basic functions, which allow it to load and run plugins with extended functionality, transmit device information, exfiltrate sensitive data and manage local files.
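The persistence artifacts, process names and C2 domains above are enough to hunt for this backdoor on a host or an offline disk image. The script below is an added example written for this page; it is not from 360 Netlab or opennet.ru. It checks for the file paths listed in the persistence paragraph, the three process names, and the four control domains. The report says only that .bashrc is modified without quoting the change, so the .bashrc check (grepping for the dropped executable names) is an assumption; the function names and the `rotajakiro_` prefix are likewise this example's own.

```shell
#!/bin/sh
# Added hunting script (not from 360 Netlab or opennet.ru) for the RotaJakiro
# artifacts named in the article. Paths, process names and domains are the ones
# the report lists; the .bashrc check is an assumption (the report only says the
# file was modified).

# Files dropped when the backdoor runs as root (absolute paths).
ROTAJAKIRO_ROOT_PATHS="/etc/init/systemd-agent.conf
/lib/systemd/system/systemd-agent.service
/bin/systemd/systemd-daemon
/usr/lib/systemd/systemd-daemon"

# Files dropped when it runs as an unprivileged user (relative to that user's home).
ROTAJAKIRO_USER_PATHS=".config/autostart/gnomehelper.desktop
.gvfsd/.profile/gvfsd-helper
.dbus/sessions/session-dbus"

# Process names chosen to blend in with real systemd / D-Bus / GVFS daemons.
ROTAJAKIRO_PROC_NAMES="systemd-daemon session-dbus gvfsd-helper"

# Command-and-control domains from the report.
ROTAJAKIRO_C2_DOMAINS="cdn.mirror-codes.net status.sublineover.net blog.eduelects.com news.thaprior.net"

# rotajakiro_find_artifacts <fs root> [<home dir> ...]
# Prints one "root-artifact:" or "user-artifact:" line per hit. <fs root> is
# normally "/" but may be a mounted disk image or an offline copy of a host.
rotajakiro_find_artifacts() {
    root="${1%/}"
    shift
    for p in $ROTAJAKIRO_ROOT_PATHS; do
        if [ -e "$root$p" ]; then
            echo "root-artifact: $root$p"
        fi
    done
    for home in "$@"; do
        home="${home%/}"
        for p in $ROTAJAKIRO_USER_PATHS; do
            if [ -e "$home/$p" ]; then
                echo "user-artifact: $home/$p"
            fi
        done
        # Assumption: the .bashrc edit references one of the dropped executables.
        if [ -f "$home/.bashrc" ] && grep -Eq 'gvfsd-helper|session-dbus' "$home/.bashrc"; then
            echo "user-artifact: $home/.bashrc references a RotaJakiro executable name"
        fi
    done
    return 0
}

# rotajakiro_flag_procs
# Reads process names on stdin (e.g. from `ps -eo comm=`) and prints a
# "suspicious-process:" line for each name the backdoor is known to use.
rotajakiro_flag_procs() {
    while IFS= read -r name; do
        for bad in $ROTAJAKIRO_PROC_NAMES; do
            if [ "$name" = "$bad" ]; then
                echo "suspicious-process: $name"
            fi
        done
    done
    return 0
}

# rotajakiro_flag_dns
# Reads DNS query log lines on stdin and prints a "c2-lookup:" line for each
# line that mentions one of the report's C2 domains.
rotajakiro_flag_dns() {
    while IFS= read -r line; do
        for d in $ROTAJAKIRO_C2_DOMAINS; do
            case "$line" in
                *"$d"*) echo "c2-lookup: $d  [$line]" ;;
            esac
        done
    done
    return 0
}

# rotajakiro_scan_live [<dns log file>]
# Runs all three checks on the running host. Needs root to read every home
# directory; the DNS check is skipped unless a readable log file is given.
rotajakiro_scan_live() {
    rotajakiro_find_artifacts / /root /home/*
    ps -eo comm= | rotajakiro_flag_procs
    if [ -n "${1:-}" ] && [ -f "$1" ]; then
        rotajakiro_flag_dns < "$1"
    fi
}
```

Source the file and call `rotajakiro_scan_live /var/log/dnsmasq.log` (or whatever resolver log the host keeps) as root. A process-name match is a lead, not a verdict: confirm it with `readlink /proc/<pid>/exe`, which for this family should point at one of the paths above rather than at a real systemd, dbus or gvfs binary. Because the C2 channel runs on port 443 without TLS, a complementary network check is to flag outbound 443 flows that do not begin with a TLS ClientHello.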

Source: opennet.ru
