A group of researchers has demonstrated a Linux rootkit called Singularity that can go undetected by Elastic Security's EDR, highlighting important limitations in kernel-level detection. This proof of concept is not just theory: it combines stealth and evasion techniques to reduce to a minimum the signals that usually betray a malicious module.
The finding concerns European security teams, including those in Spain, because Elastic usually triggers more than 26 alerts against conventional rootkits, and in this case none were triggered. The research, published for educational purposes by 0xMatheuZ, shows that signature- and pattern-based methods fail against adversaries who refine their engineering.
How Elastic EDR is bypassed: the main evasion techniques

Singularity's first advantage is compile-time string obfuscation: sensitive strings (for example "GPL" or "kallsyms_lookup_name") are broken into fragments that the C compiler reassembles automatically, preventing scanners such as YARA from finding contiguous malicious strings without sacrificing performance.
In parallel, it applies symbol name randomization: instead of predictable identifiers such as hook_getdents or hide_module, it adopts generic tags with prefixes that mimic the kernel itself (sys, kern, dev), blurring the trace of suspicious functions and neutralizing name-based detection rules.
The next step is splitting the module into encrypted fragments that are reassembled only in memory. The fragments are XOR-encoded and the loader uses memfd_create to avoid leaving residue on disk; when loading, it issues system calls directly (including finit_module) through inline assembler, dodging the libc wrappers that many EDRs watch.
It also hides the ftrace helpers: the monitored functions (such as fh_install_hook or fh_remove_hook) are renamed deterministically with random identifiers, keeping their behaviour but breaking the soft signatures aimed at common rootkits.
At the behavioural level, the researchers circumvent shell rules by writing the payload to disk and then executing it through "Coca" command lines. Moreover, the rootkit quickly hides running processes using specific signals, making it hard to correlate events with real activity.
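The techniques above still leave artefacts a defender can hunt for: a module that is not part of the host's baseline, whatever it is named, and a process whose executable was loaded from a memfd, whose /proc/PID/exe link reads "/memfd:<name> (deleted)". The following added example (written for this page, not code from the research or from Elastic) runs both checks over text snapshots so it works on captured telemetry as well as on a live host; the module list, the allowlist and the exe links are constructed samples, and the module name kern_devmgmt is a hypothetical kernel-mimicking name, not an identifier from the rootkit.

```shell
#!/bin/sh
# Added example: hunt for artefacts of in-memory module loading.
# Check 1: modules present in a /proc/modules snapshot but absent from an allowlist.
# Check 2: processes whose executable lives in a memfd.

# Constructed /proc/modules sample: name size refcount deps state address.
SAMPLE_MODULES='ext4 811008 2 - Live 0xffffffffc0a00000
crc16 16384 1 ext4, Live 0xffffffffc09f0000
kern_devmgmt 32768 0 - Live 0xffffffffc0b10000
overlay 151552 0 - Live 0xffffffffc0c00000'

# Hypothetical baseline of modules expected on this host, one per line.
ALLOWED_MODULES='ext4
crc16
overlay'

# Print the module names in $1 (a /proc/modules-style text) that are not
# listed in $2 (the allowlist). A name-based allowlist is immune to the
# kernel-like prefixes the text describes: an unknown name is unknown
# however convincing it looks.
unexpected_modules() {
    printf '%s\n' "$1" | awk '{print $1}' | while read -r name; do
        printf '%s\n' "$2" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample in the shape "pid exe-link-target", as produced by
# reading /proc/PID/exe for every process.
SAMPLE_EXE_LINKS='1 /usr/lib/systemd/systemd
4242 /memfd:sys_ld (deleted)
918 /usr/bin/sshd'

# Print pids from $1 whose executable is a memfd-backed file.
memfd_backed_pids() {
    printf '%s\n' "$1" | awk '$2 ~ /^\/memfd:/ {print $1}'
}

# Live-host variant (Linux only, read-only): walk /proc and apply the same test.
live_memfd_backed_pids() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case $target in
            /memfd:*) pid=${exe#/proc/}; printf '%s\n' "${pid%%/*}" ;;
        esac
    done
}

# Live-host variant for modules: compare the real /proc/modules with the allowlist.
live_unexpected_modules() {
    [ -r /proc/modules ] && unexpected_modules "$(cat /proc/modules)" "$ALLOWED_MODULES"
}
```

Run both sample checks with `unexpected_modules "$SAMPLE_MODULES" "$ALLOWED_MODULES"` and `memfd_backed_pids "$SAMPLE_EXE_LINKS"`; on a real host, feed the output of the live variants into the SIEM alongside the process telemetry so a memfd-backed process can be tied to the module load that followed it.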
Rootkit capabilities and the risk for European environments

Beyond evasion, Singularity includes offensive functions: it can hide processes in /proc, hide files and directories matching patterns such as "singularity" or "matheuz", and hide TCP connections (for example on port 8081). It also allows privilege escalation through custom signals or environment variables, and provides an ICMP backdoor capable of opening remote shells.
The project adds anti-analysis protections, anti-tracing and log cleaning to reduce the noise that rules would pick up. The loader is statically compiled and can run in lightly monitored environments, tightening an execution chain in which the entire payload never touches disk, so static analysis runs out of material.
For organizations in Spain and across Europe that depend on Elastic Defend, the case forces them to review their detection rules and strengthen low-level inspection. The combination of obfuscation, in-memory loading and direct syscalls exposes a surface on which behaviour-based controls are limited if they do not take the kernel context into account.
SOC teams should prioritize kernel integrity monitoring (for example LKM verification and protection against unauthorized loading), incorporate memory forensics and the correlation of eBPF signals with process telemetry, and apply defense in depth that mixes heuristics, allowlists, hardening and continuous signature updates.
In sensitive environments it is advisable to tighten attack-surface reduction policies: restrict or disable the ability to load modules, tighten security policies and capabilities (CAP_SYS_MODULE), monitor the use of memfd_create and check for anomalies in symbol names. All of this without relying solely on the EDR, but by combining several layers of control and auditing.
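The controls listed in this paragraph translate into three small pieces of configuration: audit rules for the module-loading syscalls and memfd_create, the kernel.modules_disabled sysctl, and dropping CAP_SYS_MODULE from services that never need it. The added example below (written for this page, not taken from the research or from Elastic) generates them as files for review and reports the host's current state; the file names and the directory are assumptions, and nothing is applied automatically.

```shell
#!/bin/sh
# Added example: generate kernel-side hardening and audit configuration.

# auditd rules: record every module load/unload and every memfd_create,
# keyed so a SIEM rule can join them with process telemetry.
audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k kernel_modules
-a always,exit -F arch=b32 -S init_module,finit_module,delete_module -k kernel_modules
-a always,exit -F arch=b64 -S memfd_create -k memfd_exec
EOF
}

# sysctl: once kernel.modules_disabled is 1, no module can be loaded until
# reboot and the setting cannot be reverted. Apply it late in boot, after
# every legitimate module is in place.
sysctl_conf() {
    printf 'kernel.modules_disabled = 1\n'
}

# systemd drop-in: remove CAP_SYS_MODULE from a service's bounding set so a
# compromised service cannot load modules even if it gains root.
systemd_dropin() {
    printf '[Service]\nCapabilityBoundingSet=~CAP_SYS_MODULE\n'
}

# Report the host's module-loading state: "locked", "open" or "unknown"
# (unknown on non-Linux hosts or when /proc is unreadable).
module_loading_state() {
    f=/proc/sys/kernel/modules_disabled
    [ -r "$f" ] || { echo unknown; return 0; }
    if [ "$(cat "$f")" = 1 ]; then echo locked; else echo open; fi
}

# Write the three fragments into a review directory ($1). Destination
# paths (/etc/audit/rules.d, /etc/sysctl.d, a unit's .d directory) are
# left to the administrator.
write_hardening_files() {
    mkdir -p "$1" || return 1
    audit_rules > "$1/90-kernel-modules.rules"
    sysctl_conf > "$1/99-lock-modules.conf"
    systemd_dropin > "$1/10-no-sys-module.conf"
}
```

Call `write_hardening_files ./review` and inspect the three files before installing them; `module_loading_state` tells you whether the lock is already in effect, which matters because a host reporting "open" is one where a rootkit loader like the one described can still succeed if it obtains CAP_SYS_MODULE.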
The Singularity case shows that, against adversaries who polish their fingerprints, defenders must turn to deeper and coordinated analysis methods. Reliable detection of kernel threats means adding integrity checks, memory analysis and correlation upstream of the EDR, to reduce blind spots and raise the bar of resilience.