The FritzFrog worm has been identified: it infects servers over SSH and builds a decentralized botnet.

Guardicore, a company that specializes in protecting data centers and cloud systems, has uncovered FritzFrog, a new and sophisticated piece of malware that attacks Linux-based servers. FritzFrog combines a worm that spreads by brute-forcing servers with an open SSH port with components for building a decentralized botnet that operates without any control nodes and has no single point of failure.

The botnet is built on a custom P2P protocol through which the nodes communicate, coordinate attacks, keep the network running and monitor each other's state. New victims are found by brute-forcing servers that accept SSH connections: when a new server is discovered, a dictionary of common login and password combinations is tried against it. The botnet can be controlled from any node, which makes it difficult to identify and block its operators.

According to the researchers, the botnet already has about 500 nodes, including servers of several universities and of a large railway company. The main targets of the attacks are noted to be the networks of educational institutions, medical centers, government agencies, banks and telecommunications companies. Once a server has been compromised, a Monero cryptocurrency mining process is set up on it. Activity of this malware has been tracked since January 2020.

A distinctive feature of FritzFrog is that it keeps all of its data and executable code only in memory. The only change made on disk is the addition of a new SSH key to the authorized_keys file, which is later used to access the server. System files are not modified, so the worm is invisible to integrity-checking systems that rely on checksums. Memory also holds the password dictionaries used for brute-forcing and the mining data, which are synchronized between nodes over the P2P protocol.

The malicious components are disguised as ifconfig, libexec, php-fpm and nginx processes. Botnet nodes monitor the state of their neighbors and, if a server is rebooted or its OS is reinstalled (provided the modified authorized_keys file is carried over to the new system), re-deploy the malicious components on that host. Communication goes over ordinary SSH: the malware additionally starts a local "netcat" bound to the localhost interface and listening on port 1234, which external hosts reach through an SSH tunnel, authenticating with the key from authorized_keys.

The FritzFrog components are written in Go and run multi-threaded. The malware consists of several modules that run in separate threads:

  • Cracker - brute-forces passwords on the attacked servers.
  • CryptoComm + Parser - implements the encrypted P2P communication.
  • CastVotes - a mechanism for jointly selecting the target hosts to attack.
  • TargetFeed - receives the list of nodes to attack from neighboring nodes.
  • DeployMgmt - the worm implementation that deploys the malicious code on a compromised server.
  • Owner - responsible for connecting to servers that are already running the malicious code.
  • Assemble - assembles a file in memory from blocks that are transferred separately.
  • Antivir - a module for suppressing competing malware; it identifies and kills CPU-consuming processes whose names contain the string "xmr".
  • Libexec - the Monero cryptocurrency mining module.

The P2P protocol used by FritzFrog supports about 30 commands covering data transfer between nodes, script execution, transfer of malware components, voting state, log exchange, starting proxies, and so on. Information is transmitted over a separate encrypted channel in JSON format. The encryption uses the symmetric AES cipher with Base64 encoding, and the Diffie-Hellman (DH) protocol is used for key exchange. To track each other's state, nodes constantly exchange ping requests.

Every botnet node keeps a distributed database with information about attacked and compromised systems. Attack targets are synchronized across the whole botnet: each node attacks a different target, i.e. two different botnet nodes will never attack the same host. Nodes also collect local statistics and pass them to their neighbors, such as the amount of free memory, uptime, CPU load and SSH login activity. This information is used to decide whether to start the mining process on a node or to use it only for attacking other systems (for example, mining is not started on heavily loaded systems or on systems with frequent administrator logins).

To detect FritzFrog, the researchers proposed a simple shell script. Indicators of compromise are a listening socket on port 1234, the presence of the malicious key in authorized_keys (the same SSH key is installed on all nodes), and running processes named "ifconfig", "libexec", "php-fpm" or "nginx" that have no corresponding executable on disk ("/proc/<pid>/exe" points to a deleted file). Another indicator is traffic to network port 5555, which appears when the malware talks to the public pool web.xmrpool.eu while mining Monero.
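The following script is an added example of how those four indicators can be checked on a host; it is not Guardicore's script and is not code from the article. It assumes that `ss` (iproute2) is available for socket listings and that an administrator keeps a baseline copy of the approved authorized_keys lines at a path of their choosing (the default path below is an assumption). The process check must run as root, since /proc/<pid>/exe of other users' processes is otherwise unreadable.

```bash
#!/bin/sh
# Added example: host checks for the FritzFrog indicators described in the article.
# Not Guardicore's detection script. Assumptions (not from the article):
#   - `ss` from iproute2 is installed,
#   - a baseline file with the approved authorized_keys lines exists.

# Print "<pid> <comm>" for every process that uses one of FritzFrog's disguise
# names and whose executable no longer exists on disk (readlink reports
# "... (deleted)"). $1 is the proc root, default /proc; it is a parameter only
# so the check can be exercised against a constructed fake tree.
# Returns 0 if at least one suspicious process was found, 1 otherwise.
fritzfrog_deleted_exe() {
  root="${1:-/proc}"
  rc=1
  for p in "$root"/[0-9]*; do
    [ -r "$p/comm" ] || continue
    name=$(cat "$p/comm" 2>/dev/null || true)
    case "$name" in
      ifconfig|libexec|php-fpm|nginx) ;;
      *) continue ;;
    esac
    exe=$(readlink "$p/exe" 2>/dev/null || true)
    case "$exe" in
      *"(deleted)"*) echo "${p##*/} $name"; rc=0 ;;
    esac
  done
  return $rc
}

# Read `ss -Hltn` / `ss -Htn` style rows on stdin and succeed (0) if any row
# carries TCP port $2 in column $1 (4 = local address:port, 5 = peer address:port).
ss_port_match() {
  awk -v col="$1" -v port="$2" '
    $col ~ (":" port "$") { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Print the lines of authorized_keys ($1) that do not appear verbatim in the
# baseline file ($2); comment and blank lines are ignored.
# Returns 0 if unknown keys were printed, 1 if there are none.
fritzfrog_unknown_keys() {
  grep -vxF -f "$2" "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# Live scan of this host. Prints findings; returns 1 if any indicator is present.
fritzfrog_scan() {
  baseline="${1:-/etc/ssh/authorized_keys.baseline}"   # assumed path, not from the article
  hits=0
  if out=$(fritzfrog_deleted_exe /proc); then
    echo "[!] disguised processes whose executable was deleted:"; echo "$out"; hits=1
  fi
  if ss -Hltn 2>/dev/null | ss_port_match 4 1234; then
    echo "[!] something is listening on TCP port 1234 (FritzFrog netcat backdoor)"; hits=1
  fi
  if ss -Htn 2>/dev/null | ss_port_match 5 5555; then
    echo "[!] established connection to remote port 5555 (Monero pool traffic)"; hits=1
  fi
  for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
    [ -f "$f" ] && [ -f "$baseline" ] || continue
    if out=$(fritzfrog_unknown_keys "$f" "$baseline"); then
      echo "[!] keys in $f that are not in the baseline:"; echo "$out"; hits=1
    fi
  done
  [ $hits -eq 0 ] && echo "no FritzFrog indicators found"
  return $hits
}

# Usage: sh fritzfrog_check.sh --scan [baseline_file]   (run as root)
if [ "${1:-}" = "--scan" ]; then
  fritzfrog_scan "${2:-}"
fi
```

Each check is a separate function that takes its input explicitly (a proc root, `ss` rows on stdin, two files), so the logic can be tried against constructed data before being trusted on a live system, and so the script does nothing when merely sourced. Matching authorized_keys lines verbatim against a baseline avoids depending on the specific key value the worm installs; any key the administrator did not approve is reported.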

Source: opennet.ru
