Symbiote: Linux malware that uses eBPF and LD_PRELOAD to hide itself

Researchers from Intezer and BlackBerry have discovered malware called Symbiote, used to plant backdoors and rootkits on compromised servers running Linux. The malware was found on the systems of financial institutions in several Latin American countries. To install Symbiote on a system, the attacker must already have root access, obtained, for example, by exploiting an unpatched vulnerability or through leaked account credentials. Symbiote lets the attacker consolidate their presence on a system after the compromise in order to carry out further attacks, hide the activity of other malicious programs, and arrange the exfiltration of confidential data.

A distinctive feature of Symbiote is that it is distributed as a shared library that is loaded at the start of every process through the LD_PRELOAD mechanism and replaces certain calls to the standard library. The hooked call handlers conceal activity related to the backdoor: excluding certain entries from the process list, blocking access to certain files under /proc, hiding files in directory listings, excluding the shared library itself from ldd output (by hooking the exec function and inspecting the LD_TRACE_LOADED_OBJECTS environment variable), and not showing the network sockets associated with the malicious activity.

To protect against traffic inspection, libpcap library functions are redefined, reads of /proc/net/tcp are filtered, and an eBPF program is loaded into the kernel that interferes with traffic analyzers and drops requests from outside parties to the backdoor's own network handlers. The eBPF program is loaded among the very first processes and runs at the lowest level of the network stack, which makes it possible to hide the backdoor's network activity, including from analyzers started later.

Symbiote also makes it possible to bypass analyzers of file-system activity, since the theft of confidential data can be carried out not at the level of opening files but by intercepting the read operations on those files inside legitimate applications (for example, the substituted library functions make it possible to capture a user entering a password or loading file data that contains an access key). To arrange remote login, Symbiote intercepts some PAM (Pluggable Authentication Modules) calls, allowing a connection to the system over SSH with certain attacker-chosen credentials. There is also a hidden option to escalate privileges to the root user by setting the HTTP_SETTHIS environment variable.
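As an added example (not code from the article or from the researchers), the following defender-side script shows the kind of checks that surface the LD_PRELOAD-style library injection described in the paragraphs above: shared objects mapped from outside the distribution's library directories in /proc/<pid>/maps, an LD_PRELOAD entry in /proc/<pid>/environ, and entries in /etc/ld.so.preload (the file-based counterpart of the LD_PRELOAD variable). All sample data and the /dev/shm/.x/libhook.so path are constructed for the demonstration.

```python
import os
from typing import Dict, List, Optional

# Directories from which shared objects are normally mapped on a stock distribution.
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def suspicious_libraries(maps_text: str) -> List[str]:
    """Shared objects mapped into a process from outside the trusted directories."""
    found: List[str] = []
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)  # addr perms offset dev inode [path]
        if len(fields) < 6:
            continue  # anonymous mapping: no backing file
        path = fields[5]
        if ".so" not in os.path.basename(path):
            continue  # executables, [stack], [vdso] and friends are not libraries
        if not path.startswith(TRUSTED_LIB_PREFIXES) and path not in found:
            found.append(path)
    return found


def preload_from_environ(environ: bytes) -> Optional[str]:
    """LD_PRELOAD value from /proc/<pid>/environ (NUL-separated), or None."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode("utf-8", "replace")
    return None


def ld_so_preload_entries(text: str) -> List[str]:
    """Non-comment lines of /etc/ld.so.preload; a clean host has none."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("#")]


def scan(maps_text: str, environ: bytes, preload_text: str) -> Dict[str, object]:
    """Combine the three checks into one findings record for a process."""
    return {
        "untrusted_libs": suspicious_libraries(maps_text),
        "ld_preload_env": preload_from_environ(environ),
        "ld_so_preload": ld_so_preload_entries(preload_text),
    }


# Constructed sample: a process with a hooking library mapped from /dev/shm (hypothetical path).
SAMPLE_MAPS = """\
55d1c0000000-55d1c0021000 r-xp 00000000 08:01 131072 /usr/bin/sshd
7f3a1c000000-7f3a1c1c5000 r-xp 00000000 08:01 262144 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c40a000 r-xp 00000000 00:16 4242 /dev/shm/.x/libhook.so
7f3a1c600000-7f3a1c622000 rw-p 00000000 00:00 0
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/.x/libhook.so\0HOME=/root\0"
SAMPLE_PRELOAD = "# constructed sample\n/dev/shm/.x/libhook.so\n"

if __name__ == "__main__":
    print(scan(SAMPLE_MAPS, SAMPLE_ENVIRON, SAMPLE_PRELOAD))
```

Because the hooks the article describes filter exactly these /proc reads for any dynamically linked program, run such checks from a statically linked tool, from a trusted live medium, or against a disk image rather than trusting the compromised host's own libc.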

Source: opennet.ru