Bootkitty: the first UEFI bootkit for Linux


A few days ago ESET announced the discovery of the first proof-of-concept UEFI bootkit for Linux, named "Bootkitty". The bootkit is part of a project created by cybersecurity students from the Korean Best of the Best (BoB) training programme.

Bootkitty is an advanced threat that installs itself in place of the GRUB bootloader on Linux systems and uses the UEFI environment to keep covert control of the machine. This malware, the first UEFI bootkit built for Linux, loads malicious components into the kernel to guarantee persistence.

How Bootkitty works

  1. Replacing GRUB:
    The bootkit's first step is to replace the standard boot loader, grubx64.efi, on the EFI System Partition, which lets it launch its malicious payload during system start-up.
  2. Modifying GRUB in memory:
    Once the bootkit is installed, it loads the legitimate GRUB2 bootloader into memory but patches it to disable the integrity checks of the later boot components. It also adds a hook that intercepts the kernel loading process.
  3. Modifying the kernel:
    • The bootkit patches kernel functions already loaded in memory, disabling digital signature verification for kernel modules.
    • It then changes the kernel command line, replacing /init with a malicious command that uses LD_PRELOAD to load the malicious library injector.so.
  • Malicious components:
    • injector.so:
      The library responsible for intercepting system calls, such as those used by SELinux and init_module, which allows malicious kernel modules to be loaded.
    • Dropper.ko:
      A kernel module that creates and executes the binary /opt/observer. It also hides itself from the list of kernel modules and manipulates system functions so that its presence, certain files and its network traffic are not detected.
    • Observer and rootkit loader:
      The /opt/observer executable loads another malicious module (rootkit_loader.ko), which in turn deploys a full rootkit on the compromised system.

Bootkitty is therefore a working bootkit, and its stated objective is:

» To raise awareness in the security community about potential risks and to promote proactive measures against similar threats. "Unfortunately, a few bootkit samples were released before the planned presentation at the conference."

Attack method

The attack is carried out by placing a specially crafted BMP image on the ESP (EFI System Partition). The image is presented as the UEFI firmware vendor's logo. Because of vulnerabilities, such as buffer overflows, in the libraries the firmware uses to parse images, the malicious image triggers code execution in the context of the UEFI firmware. Although the LogoFAIL vulnerability was discovered last year and has been fixed in recent UEFI firmware updates, many devices still run outdated, vulnerable versions, which leaves them exposed to this kind of exploitation.

bootkitty - ASCII art embedded in the bootkit

Bootkitty has significant limitations in practice, because the changes it makes to kernel functions in memory rely on hardcoded offsets, without checking that those offsets are valid for the specific kernel version that was loaded.

The bootkit only works with the kernel and GRUB versions shipped in certain Ubuntu releases, which causes boot failures on other systems. In addition, the bootkit signs its crafted bootloader (grubx64.efi) with a self-signed certificate, so it does not work on systems with UEFI Secure Boot enabled unless the attacker's certificate has been manually added to the firmware's list of trusted certificates.

Researchers at Binarly Research noted that BMP images associated with the LogoFAIL vulnerability, a UEFI flaw that allows arbitrary code execution at the firmware level and bypasses the restrictions of UEFI Secure Boot, were found among Bootkitty's components. In this case, LogoFAIL is used to automatically add the attacker's self-signed certificate to the list of trusted certificates, which allows the bootkit to run even on systems with Secure Boot active.
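The following script is an added example, not ESET's analysis code nor anything from the BoB project. It shows how a defender can triage a Linux host for the indicators the "How Bootkitty works" and "Attack method" sections describe (a replaced grubx64.efi on the ESP, a BMP logo dropped on the ESP, LD_PRELOAD with injector.so in the kernel command line, a kernel module hidden from the module list) and how to read the Secure Boot state that the limitations above depend on. The indicator names come from the article; the sample inputs, the "known-good" loader hash and the /opt/injector.so path are constructed here for illustration.

```python
"""Defender-side triage for the Bootkitty boot chain described in the article.
Added example: not ESET's or the BoB project's code.  Indicator names are taken
from the article; all sample data below is constructed."""
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, Optional


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


# Step 1 of the chain swaps grubx64.efi on the EFI System Partition.  A defender
# records the hash of the distro-shipped loader at install time and re-checks it.
SAMPLE_GOOD_LOADER = b"MZ\x90\x00 constructed stand-in for the packaged grubx64.efi"
KNOWN_GOOD_SHA256 = hashlib.sha256(SAMPLE_GOOD_LOADER).hexdigest()  # constructed


def check_esp_loader(loader_bytes: bytes, known_good_sha256: str) -> list[Finding]:
    actual = hashlib.sha256(loader_bytes).hexdigest()
    if actual != known_good_sha256.lower():
        return [Finding("esp_loader", f"grubx64.efi sha256 {actual} differs from known-good")]
    return []


def check_esp_images(esp_relative_paths: Iterable[str]) -> list[Finding]:
    """Attack method: a crafted BMP logo on the ESP (LogoFAIL).  Image files have
    no business on a Linux ESP, so every .bmp is flagged for manual inspection."""
    return [Finding("esp_image", f"unexpected image on ESP: {p}")
            for p in esp_relative_paths if p.lower().endswith(".bmp")]


# Step 3 rewrites the kernel command line so init starts with LD_PRELOAD set.
LD_PRELOAD_RE = re.compile(r"(?:^|\s)LD_PRELOAD=(\S+)")


def check_kernel_cmdline(cmdline: str) -> list[Finding]:
    """LD_PRELOAD has no legitimate place in /proc/cmdline, so any occurrence is
    worth a closer look.  A rootkit may scrub it, so absence proves nothing."""
    return [Finding("kernel_cmdline", f"LD_PRELOAD={m.group(1)} in kernel command line")
            for m in LD_PRELOAD_RE.finditer(cmdline)]


def check_hidden_modules(proc_modules: str, loaded_sys_modules: set[str]) -> list[Finding]:
    """Dropper.ko hides from the module list.  A module that unlinks itself from
    the kernel's list disappears from /proc/modules but usually keeps its
    /sys/module/<name> directory.  Pass only sysfs entries that carry an
    'initstate' file: built-in kernel code also has /sys/module entries but no
    initstate, and would otherwise cause false positives."""
    listed = {line.split()[0] for line in proc_modules.splitlines() if line.strip()}
    return [Finding("hidden_module", f"/sys/module/{n} present but {n} missing from /proc/modules")
            for n in sorted(loaded_sys_modules - listed)]


def loaded_modules_from_sysfs(sys_module: Path = Path("/sys/module")) -> set[str]:
    """Live helper for check_hidden_modules: names under /sys/module with initstate."""
    return {p.name for p in sys_module.iterdir() if (p / "initstate").exists()}


def secure_boot_enabled(efivar_bytes: bytes) -> Optional[bool]:
    """Parse the SecureBoot variable as efivarfs exposes it: 4 bytes of
    attributes followed by the 1-byte value (1 = enforcing).  The self-signed
    grubx64.efi only runs when this is off or the attacker's cert was enrolled."""
    if len(efivar_bytes) < 5:
        return None
    return efivar_bytes[4] == 1


def triage(loader_bytes: bytes, esp_paths: Iterable[str], cmdline: str,
           proc_modules: str, loaded_sys_modules: set[str]) -> list[Finding]:
    return (check_esp_loader(loader_bytes, KNOWN_GOOD_SHA256)
            + check_esp_images(esp_paths)
            + check_kernel_cmdline(cmdline)
            + check_hidden_modules(proc_modules, loaded_sys_modules))


# Constructed picture of a compromised host; /opt/injector.so is an assumed path.
SAMPLE_TAMPERED_LOADER = SAMPLE_GOOD_LOADER + b"\x00patched"
SAMPLE_ESP_PATHS = ["EFI/ubuntu/grubx64.efi", "EFI/ubuntu/shimx64.efi", "EFI/BOOT/logo.bmp"]
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet LD_PRELOAD=/opt/injector.so /init"
SAMPLE_PROC_MODULES = "ext4 888832 1 - Live 0x0000000000000000\nxor 24576 1 - Live 0x0000000000000000\n"
SAMPLE_SYS_MODULES = {"ext4", "xor", "dropper"}


def demo() -> list[Finding]:
    return triage(SAMPLE_TAMPERED_LOADER, SAMPLE_ESP_PATHS, SAMPLE_CMDLINE,
                  SAMPLE_PROC_MODULES, SAMPLE_SYS_MODULES)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.check}] {f.detail}")
    print("Secure Boot enforcing (sample):", secure_boot_enabled(b"\x06\x00\x00\x00\x01"))
```

On a live host, feed the functions the real data: the bytes of the ESP's grubx64.efi, the relative paths under the ESP mount point, the contents of /proc/cmdline and /proc/modules, loaded_modules_from_sysfs(), and the bytes of /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c. Because the rootkit stage manipulates what the kernel reports, a clean result from the userland checks is only a weak signal; the ESP hash and Secure Boot checks are the ones that do not depend on the running kernel being honest.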

Finally, if you are interested in learning more about it, you can read the details at the following link.