A recent discovery has shaken the IT security landscape: researchers have identified the first UEFI bootkit designed specifically for Linux systems, named Bootkitty by its creators. The finding marks a significant evolution in UEFI threats, which have historically focused almost exclusively on Windows systems. Although the malware appears to be at a proof-of-concept stage, its existence opens the door to more sophisticated threats in the future.
UEFI threats have developed considerably in recent years. From the first proofs of concept in 2012 to more recent cases such as ESPecter and BlackLotus, the security community has watched these attacks grow in sophistication. Bootkitty, however, represents an important shift: it targets Linux systems, specifically certain versions of Ubuntu.
Technical features of Bootkitty
Bootkitty stands out for its advanced technical capabilities. The malware bypasses the UEFI Secure Boot protections by patching key integrity verification functions in memory. In this way it manages to load the Linux kernel regardless of whether Secure Boot is enabled or not.
Bootkitty's main goals are to disable kernel signature verification and to preload unknown malicious ELF binaries through the Linux init process. However, because it relies on unoptimized byte patterns and hard-coded offsets, its impact is limited to a small number of configurations and to specific kernel and GRUB versions.
Another peculiarity of the malware is its experimental nature: it contains non-functional features that appear to be intended for internal testing or demonstration. This, together with its inability to run on systems with Secure Boot enabled out of the box, suggests that it is still in an early stage of development.
Possible links with other components
During their analysis, ESET researchers also identified an unsigned kernel module called BCDropper, apparently developed by the same authors as Bootkitty. This module includes advanced features such as the ability to hide open files, processes and ports, behaviour typical of a rootkit.
BCDropper also deploys an ELF binary called BCObserver, which loads another kernel module that has not yet been identified. Although a direct link between these components and Bootkitty has not been confirmed, their names and behaviour suggest a connection.
Impact of Bootkitty and protective measures
Although Bootkitty does not yet pose a major threat to most Linux systems, its existence underlines the need to prepare for potential future threats. Indicators of compromise associated with Bootkitty include:
- Modified kernel strings, visible in the output of the command uname -v.
- Presence of the LD_PRELOAD variable in the file /proc/1/environ.
- Ability to load unsigned kernel modules, even on systems with Secure Boot enabled.
- A kernel marked as "tainted", indicating possible tampering.
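The following POSIX shell triage script, added here as an example (it is not part of the original article or of ESET's tooling), checks the three host-visible indicators above. Each check takes its input as an argument so it can run against the live /proc files or against copies taken from a suspect system; the "looks normal" test on the uname -v string is a heuristic (stock kernels begin the string with a "#<build number>") and is an assumption of this example, not a signature from the article.

```shell
#!/bin/sh
# Bootkitty indicator triage (added example). Functions return 0 when the
# indicator is present, 1 when it is absent, so they compose with if/||.

# Indicator 1: LD_PRELOAD in the environment of PID 1.
# /proc/1/environ is NUL-separated, so convert NULs to newlines first.
init_env_has_ld_preload() {
    envfile="${1:-/proc/1/environ}"
    tr '\0' '\n' < "$envfile" | grep -q '^LD_PRELOAD='
}

# Indicator 2: kernel taint flag. /proc/sys/kernel/tainted is a bitmask;
# bit 13 (value 8192, flag "E") is set when an unsigned module was loaded.
unsigned_module_taint() {
    taintfile="${1:-/proc/sys/kernel/tainted}"
    taintval=$(cat "$taintfile")
    [ $(( taintval & 8192 )) -ne 0 ]
}

# Indicator 3 (heuristic, assumed for this example): a stock kernel version
# string from `uname -v` starts with "#<build number>", e.g. "#35-Ubuntu SMP ...".
# A patched string that no longer matches this shape is worth a closer look.
uname_version_looks_normal() {
    printf '%s\n' "$1" | grep -Eq '^#[0-9]+'
}

# Runs all checks, prints findings, and returns the number of indicators hit.
# Arguments: environ file, tainted file, version string (defaults = live host).
bootkitty_triage() {
    envfile="${1:-/proc/1/environ}"
    taintfile="${2:-/proc/sys/kernel/tainted}"
    version="${3:-$(uname -v)}"
    hits=0
    if init_env_has_ld_preload "$envfile"; then
        echo "[!] LD_PRELOAD is set in the PID 1 environment ($envfile)"; hits=$((hits + 1))
    fi
    if unsigned_module_taint "$taintfile"; then
        echo "[!] kernel taint flag E (unsigned module loaded) is set"; hits=$((hits + 1))
    fi
    if ! uname_version_looks_normal "$version"; then
        echo "[!] unusual kernel version string: $version"; hits=$((hits + 1))
    fi
    return "$hits"
}
```

Source the file and run `bootkitty_triage` as root on a live host; a non-zero exit status is the number of indicators found and any hit warrants a firmware and boot-chain review rather than an immediate verdict.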
To reduce the risk posed by this type of malware, experts recommend keeping UEFI Secure Boot enabled and making sure that the firmware, the operating system and the UEFI revocation list are kept up to date.
A shift in UEFI threats
Bootkitty not only challenges the assumption that UEFI bootkits are exclusive to Windows, but also highlights the growing interest of cybercriminals in Linux-based systems. Although it is still under development, its appearance is a wake-up call to strengthen security in these environments.
This discovery reinforces the need for vigilance and for the adoption of advanced security measures to reduce potential threats that could exploit weaknesses at the firmware level and in the boot process.