{"id":83844,"date":"2022-04-08T10:25:04","date_gmt":"2022-04-08T07:25:04","guid":{"rendered":"http:\/\/hilmibilici.com\/?p=83844"},"modified":"2024-11-29T15:10:06","modified_gmt":"2024-11-29T12:10:06","slug":"b1txor20","status":"publish","type":"post","link":"http:\/\/hilmibilici.com\/?p=83844","title":{"rendered":"B1txor20"},"content":{"rendered":"<p>A new <a href=\"https:\/\/www.linkedin.com\/feed\/hashtag\/?keywords=linux\">#Linux<\/a> botnet <a href=\"https:\/\/www.linkedin.com\/feed\/hashtag\/?keywords=malware\">#malware<\/a> named &#8220;B1txor20&#8221; has been discovered; it spreads via the <strong>Log4J<\/strong> vulnerability and uses DNS tunnels for covert C2 communication.<\/p>\n<p>A previously undocumented backdoor targeting Linux systems has been observed; its purpose is to enlist machines in a botnet and to act as a channel for downloading and installing rootkits.<\/p>\n<p>The malware was named B1txor20 &#8220;because it propagates using the file name b1t, the XOR encryption algorithm, and a 20-byte RC4 algorithm key length&#8221;.<\/p>\n<p>First observed spreading through the <a href=\"https:\/\/www.dnssense.com\/post\/log4j-vulnerability\">Log4j vulnerability<\/a> on 9 February 2022, the malware relies on a technique called DNS tunnelling: it encodes data inside DNS queries and responses to build communication channels with its command-and-control (CC) servers.<\/p>\n<p>The malware is also reported to be actively exploiting the Log4Shell vulnerability discovered in mid-December of last year. It was found by the Apache Software Foundation developers who released an emergency security update fixing the <strong>zero-day<\/strong> vulnerability (CVE-2021-44228) in the popular Log4j logging library, part of the Apache Logging Project.<\/p>\n<p><strong>How does it work?<\/strong><\/p>\n<p>Although <strong>B1txor20<\/strong> is incomplete in some respects, it currently supports obtaining a shell, executing arbitrary commands, installing a rootkit, opening a <a href=\"https:\/\/en.wikipedia.org\/wiki\/SOCKS\">SOCKS5 proxy<\/a>, and uploading sensitive information back to the C2 server.<\/p>\n<p>Once a machine has been successfully compromised, the malware uses the DNS tunnel to receive and execute the commands sent by the server.<\/p>\n<p>The bot conceals the stolen sensitive information, the results of command execution, and any other data that needs to be delivered using specific encoding techniques, then sends it to the C2 as a DNS request. On receiving the request, the C2 returns the payload to the bot side as the response to that DNS request. In this way the bot and the C2 communicate over the DNS protocol.<\/p>\n<p>The malware can execute commands such as uploading system information, running arbitrary system commands, reading and writing files, starting or stopping proxy services, and creating reverse shells.<\/p>\n<p><strong>Solution:<\/strong><\/p>\n<p>Users who choose to integrate the &#8220;<a href=\"https:\/\/www.dnssense.com\/dns-visibility\" target=\"_blank\" rel=\"noopener\"><strong>DNS and Security Gap Visibility<\/strong><\/a>&#8221; solution into their existing EDR solutions can identify the specific applications that send queries to these suspicious domains. In other words, the files, executables and applications infected as a result of the &#8216;<strong>Log4J<\/strong>&#8216; vulnerability can be detected directly.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new #Linux botnet #malware named &#8220;B1txor20&#8221; has been discovered; it spreads via the Log4J vulnerability and uses DNS tunnels for covert C2 communication. To connect machines to a botnet, rootkits&#8230;<\/p>\n","protected":false},"author":1,"featured_media":85036,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[37],"tags":[87,103,158,159,164,281,285],"class_list":["post-83844","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bilisim-hukuku","tag-b1txor20","tag-botnet","tag-dns","tag-dns-guvenligi","tag-dnssense","tag-log4j","tag-log4shell"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"http:\/\/hilmibilici.com\/index.php?rest_route=\/wp\/v2\/posts\/83844","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/hilmibilici.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/hilmibilici.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/hilmibilici.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/hilmibilici.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=83844"}],"version-history":[{"count":2,"href":"http:\/\/hilmibilici.com\/index.php?rest_route=\/wp\/v2\/posts\/83844\/revisions"}],"predecessor-version":[{"id":85026,"href":"http:\/\/hilmibilici.com\/index.php?rest_route=\/wp\/v2\/posts\/83844\/revisions\/85026"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/hilmibilici.com\/index.php?rest_route=\/wp\/v2\/media\/85036"}],"wp:attachment":[{"href":"http:\/\/hilmibilici.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=83844"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/hilmibilici.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=83844"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/hilmibilici.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=83844"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}