A few days ago, ESET researchers published a report addressing the activity associated with the "Ebury" rootkit. According to the report, Ebury has been active since 2009 and has infected more than 400,000 servers running Linux, along with several hundred FreeBSD, OpenBSD and Solaris-based systems. ESET reports that at the end of 2023 there were still roughly 110,000 servers affected by Ebury.
This study is particularly significant because of the attack on kernel.org in which Ebury was involved; it reveals new details about the 2011 intrusion into the Linux kernel development infrastructure. In addition, Ebury has been identified on domain registrar servers, cryptocurrency exchanges, Tor exit nodes, and numerous unnamed hosting providers.
Ten years ago we raised awareness of Ebury by publishing a white paper we called Operation Windigo, which documented a campaign that leveraged Linux malware for financial gain. Today we publish a follow-up paper on how Ebury has evolved and on the new malware families its operators use to monetize their Linux botnet.
Initially it was believed that the attackers who compromised the kernel.org servers had remained undetected for 17 days. However, according to ESET, that period was counted from the installation of the Phalanx rootkit.
This was not the case, since Ebury had already been present on the servers since 2009, which allowed root access for roughly two years. Ebury and Phalanx were installed as part of separate attacks carried out by different groups of attackers. The installation of the Ebury backdoor affected at least 4 servers in the kernel.org infrastructure, two of which were compromised and went unnoticed for about two years and the other two for a period of 6 months.
It is reported that the attackers were able to obtain the password hashes of 551 users stored in /etc/shadow, including those of kernel maintainers. These credentials were used to access Git.
After the incident, passwords were changed and the access model was revised to include digital signatures. For 257 of the affected users, the attackers were able to recover the passwords in clear text, probably by cracking the hashes and by intercepting passwords used over SSH through Ebury's malicious component.
The malicious Ebury component spread as a shared library that hooked the functions OpenSSH uses to establish remote connections on systems with root privileges. The attack did not target kernel.org directly; instead, the affected servers became part of a botnet used to send spam, steal credentials for other systems, redirect web traffic, and carry out other malicious activities.
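Because the component described above is a shared library hooked into OpenSSH, one cheap defender-side check is to enumerate the file-backed mappings of each sshd process from /proc/&lt;pid&gt;/maps and flag any shared object that is loaded from outside the distribution's library directories or whose backing file has been unlinked while still mapped. The script below is an added example, not ESET's code nor anything from the Ebury report; the maps listing, the file paths in it and the trusted-directory list are constructed assumptions for illustration.

```python
"""Flag unexpected shared objects mapped into a process such as sshd.

Added example (not ESET's or the report's code). Reads /proc/<pid>/maps-style
text, keeps the file-backed mappings, and reports shared objects that live
outside the usual library directories or whose file was deleted while mapped.
"""
import re
from pathlib import Path

# Directories a stock distribution normally loads libraries from. This list is an
# assumption for the example; adjust it to the host's actual layout.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/")

# Constructed sample /proc/<pid>/maps content; the paths are invented for the demo.
SAMPLE_MAPS = """\
55d0a1c00000-55d0a1c2a000 r--p 00000000 fd:01 131074 /usr/sbin/sshd
7f3a1c000000-7f3a1c028000 r--p 00000000 fd:01 262145 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c200000-7f3a1c20f000 r-xp 00000000 fd:01 262200 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f3a1c400000-7f3a1c405000 r-xp 00000000 fd:01 917505 /tmp/.cache/libhook.so
7f3a1c600000-7f3a1c603000 r-xp 00000000 fd:01 917600 /dev/shm/libx.so (deleted)
7f3a1c800000-7f3a1c821000 rw-p 00000000 00:00 0
7ffd2e000000-7ffd2e021000 rw-p 00000000 00:00 0 [stack]
"""

# address range, permissions, offset, device, inode, optional pathname
_MAPS_RE = re.compile(
    r"^(?P<addr>[0-9a-f]+-[0-9a-f]+)\s+(?P<perms>\S{4})\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)

def parse_maps(text):
    """Return the set of file-backed pathnames in a maps listing.

    Anonymous mappings and pseudo-paths such as [stack] or [heap] are skipped.
    """
    paths = set()
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m and m.group("path").strip().startswith("/"):
            paths.add(m.group("path").strip())
    return paths

def suspicious_libraries(paths):
    """Return (path, reason) pairs for mapped shared objects worth inspecting."""
    findings = []
    for path in sorted(paths):
        deleted = path.endswith(" (deleted)")
        clean = path[: -len(" (deleted)")] if deleted else path
        if ".so" not in Path(clean).name:
            continue  # executables and data files are out of scope here
        if deleted:
            findings.append((clean, "backing file deleted while still mapped"))
        elif not clean.startswith(TRUSTED_LIB_DIRS):
            findings.append((clean, "loaded from outside standard library directories"))
    return findings

def scan_processes(comm="sshd", proc_root="/proc"):
    """Scan every running process named `comm` (Linux only). Returns {pid: findings}."""
    results = {}
    root = Path(proc_root)
    if not root.is_dir():
        return results
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            if (entry / "comm").read_text().strip() != comm:
                continue
            findings = suspicious_libraries(parse_maps((entry / "maps").read_text()))
        except OSError:
            continue  # process exited, or insufficient permission (run as root)
        if findings:
            results[int(entry.name)] = findings
    return results

if __name__ == "__main__":
    for lib, why in suspicious_libraries(parse_maps(SAMPLE_MAPS)):
        print(f"[sample] {lib}: {why}")
    for pid, findings in scan_processes().items():
        for lib, why in findings:
            print(f"[pid {pid}] {lib}: {why}")
```

Two caveats on the design. A library planted inside a trusted directory passes the directory check, so pair this with package-manager integrity verification of the files actually mapped (for example `rpm -V` or `debsums`). And since the report notes that Ebury's userland rootkit hides its process, file, socket and memory from administrators, the /proc view on a live compromised host may itself be filtered; treat a clean result as weak evidence and confirm from a trusted boot medium or a disk image.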
The Ebury malware family has also been updated. A new major version, 1.8, was first observed towards the end of 2023. Among the updates are new obfuscation techniques, a new domain generation algorithm (DGA), and improvements to the userland rootkit Ebury uses to hide from system administrators. When it is active, the process, file, socket and allocated memory (Figure 6) are hidden.
To break into servers, the attackers exploited unpatched vulnerabilities in server software, such as flaws in hosting control panels, and used captured passwords.
In addition, it is believed that the kernel.org servers were compromised after the password of one of the users with shell access was stolen, and that vulnerabilities such as Dirty COW were used to escalate privileges.
It is noted that recent versions of Ebury include, in addition to the backdoor, extra modules for Apache httpd that allow traffic to be proxied, users to be redirected and confidential information to be captured. They also had a kernel module for modifying HTTP traffic in transit and tools for hiding their traffic from firewalls. Furthermore, they included scripts for carrying out Adversary-in-the-Middle (AitM) attacks to intercept SSH credentials on hosting providers' networks.
Finally, if you are interested in learning more about it, you can consult the details at the following link.