Bootkitty Discovered: The First UEFI Bootkit Designed for Linux

  • Bootkitty is the first UEFI bootkit designed for Linux systems.
  • ESET researchers discovered it; it targets certain versions of Ubuntu and has an experimental character.
  • The malware disables kernel signature verification and uses advanced methods to bypass security mechanisms.
  • ESET stresses the importance of strengthening Linux security in view of possible future developments.

Bootkitty

A recent discovery has shaken the cybersecurity landscape: researchers have identified the first UEFI bootkit designed specifically for Linux systems, named Bootkitty by its creators. This discovery marks a significant evolution in UEFI threats, which historically have focused almost exclusively on Windows systems. Although the malware appears to be a proof of concept, its existence opens the door to more sophisticated threats in the future.

In recent years, UEFI threats have evolved considerably. From the first proofs of concept in 2012 to more recent cases such as ESPecter and BlackLotus, the security community has watched these attacks grow in sophistication. Bootkitty, however, represents a major shift: it targets Linux systems, specifically certain versions of Ubuntu.

Technical Characteristics of Bootkitty

Bootkitty stands out for its advanced technical capabilities. The malware bypasses UEFI Secure Boot protections by patching key integrity verification functions in memory. In this way it manages to load the Linux kernel regardless of whether Secure Boot is enabled.

Bootkitty's main objectives include disabling kernel signature verification and preloading unknown malicious ELF binaries through the Linux init process. However, because it relies on unoptimized byte patterns and fixed offsets, its effectiveness is limited to a small number of configurations and to specific kernel and GRUB versions.

Another peculiarity of the malware is its experimental nature: it contains non-functional features that appear to be intended for internal testing or demonstration. This, together with its inability to run on systems with Secure Boot enabled out of the box, indicates that it is still in an early stage of development.

Possible Links to Other Components

During their analysis, ESET researchers also identified an unsigned kernel module called BCDropper, possibly developed by the same authors as Bootkitty. This module includes advanced features such as the ability to hide open files, processes and ports, which is typical rootkit behaviour.

BCDropper also deploys an ELF binary called BCObserver, which loads a further kernel module that has not yet been identified. Although a direct connection between these components and Bootkitty has not been confirmed, their names and behaviour suggest a link.

Impact of Bootkitty and Protective Measures

Although Bootkitty does not yet pose a real threat to most Linux systems, its existence underlines the need to prepare for potential future threats. Indicators of compromise associated with Bootkitty include:

  • Modified strings in the kernel, visible with the command uname -v.
  • Presence of the LD_PRELOAD variable in the file /proc/1/environ.
  • The ability to load unsigned kernel modules, even on systems with Secure Boot enabled.
  • A kernel marked as "tainted", indicating possible tampering.

To mitigate the risks associated with this type of malware, experts recommend keeping UEFI Secure Boot enabled and ensuring that the firmware, the operating system and the UEFI revocation list are kept up to date.
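As an added example (not code from the original article or from ESET), the following POSIX shell script checks a Linux host for the indicators listed above and for the Secure Boot state. It assumes the standard kernel interfaces (/proc/1/environ, /proc/sys/kernel/tainted, the SecureBoot EFI variable under efivarfs) and the standard meaning of taint bit 13; the test data used to exercise the functions is constructed.

```sh
#!/bin/sh
# Added example: defender-side checks for the Bootkitty indicators.
# Every check takes its input as an argument, so it can be run against
# the live host (audit_live) or against captured files during analysis.

# Input: an environ-style file (NUL-separated KEY=VALUE pairs such as
# /proc/1/environ). Exit 0 and print the entry if LD_PRELOAD is set.
environ_has_ld_preload() {
    tr '\000' '\n' < "$1" | grep '^LD_PRELOAD='
}

# Input: the value of /proc/sys/kernel/tainted (a bitmask). Bit 13 (8192)
# is the 'E' flag: an unsigned module was loaded, which should never happen
# while module signature enforcement is intact. Exit 0 if the flag is set.
taint_has_unsigned_module() {
    [ $(( $1 & 8192 )) -ne 0 ]
}

# Input: the SecureBoot EFI variable file: 4 bytes of attributes, then one
# data byte (1 = enabled). Exit 0 if enabled, 1 if disabled, 2 if the
# variable is absent (no UEFI boot, or efivarfs not mounted).
secure_boot_enabled() {
    [ -r "$1" ] || return 2
    [ "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" = "1" ]
}

SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Run all checks on the running host (reading /proc/1/environ needs root).
audit_live() {
    echo "kernel build string (compare with the distro package): $(uname -v)"
    if environ_has_ld_preload /proc/1/environ; then
        echo "WARN: LD_PRELOAD is set in the PID 1 environment"
    fi
    if taint_has_unsigned_module "$(cat /proc/sys/kernel/tainted)"; then
        echo "WARN: kernel tainted by an unsigned module (flag E)"
    fi
    case "$(secure_boot_enabled "$SB_VAR"; echo $?)" in
        0) echo "OK: Secure Boot enabled" ;;
        1) echo "WARN: Secure Boot disabled" ;;
        *) echo "INFO: SecureBoot variable not available" ;;
    esac
}

case "${1:-}" in --live) audit_live ;; esac
```

Run it as `sh bootkitty_check.sh --live` (as root) to audit the current host; without the flag it only defines the functions, so they can be sourced and pointed at files copied from a suspect system.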

A Turning Point in UEFI Threats

Bootkitty not only challenges the assumption that UEFI bootkits are exclusive to Windows, but also highlights cybercriminals' growing interest in Linux-based systems. Although it is still under development, its appearance is a wake-up call to improve security in these environments.

This discovery reinforces the need for vigilance and for the implementation of advanced security measures to mitigate potential threats that could exploit vulnerabilities at the firmware and boot-process level.

