据外媒报道,RubyGems 维护人员移除了 18 个包含后门机制的恶意版本的 Ruby 库,如果剔除同一库的不同版本,那么包含后门机制的 Ruby 库有 11 个。据悉,这些 Ruby 库被攻击者破解并恶意植入了后门代码,可在其他人启用的 Ruby 项目中开展隐匿的加密货币挖掘任务。
恶意代码是在流行 Ruby 库 rest-client 的四个版本中首次发现的,荷兰 Ruby 开发人员 Jan Dintel 分析称:“rest-client 中发现的恶意代码会收集受攻击系统的 URL 和环境变量,发送到乌克兰的远程服务器。根据用户设置,可能会包括用户的服务使用凭证,例如数据库、支付服务提供商等。”
另外,代码还包含一个后门机制,允许攻击者将 cookie 文件发送回受攻击的项目,并执行恶意命令。
据了解,这些恶意代码已经存在了一个多月未被他人发现,在恶意库版本被 RubyGems 移除之前,已经累积了 3584 次下载。官方建议如果项目开发者使用了这些库,一定要采取相应的升级或降级措施,使用相对安全的版本。
发现后门代码的 Ruby 库列表:
- rest-client: 1.6.10 (downloaded 176 times since August 13, 2019), 1.6.11 (downloaded 2 times since August 14, 2019), 1.6.12 (downloaded 3 times since August 14, 2019), and 1.6.13 (downloaded 1,061 times since August 14, 2019)
- bitcoin_vanity: 4.3.3 (downloaded 8 times since May 12, 2019 )
- lita_coin: 0.0.3 (downloaded 210 times since July 17, 2019)
- coming-soon: 0.2.8 (downloaded 211 times since July 17, 2019)
- omniauth_amazon: 1.0.1 (downloaded 193 times since July 26, 2019)
- cron_parser: 0.1.4 (downloaded 2 times since July 8, 2019), 1.0.12 (downloaded 3 times since July 8, 2019), and 1.0.13 (downloaded 248 times since July 8, 2019)
- coin_base: 4.2.1 (downloaded 206 times since July 9, 2019) and 4.2.2 (downloaded 218 times since July 16, 2019)
- blockchain_wallet: 0.0.6 (downloaded 201 times since July 10, 2019) and 0.0.7 (downloaded 222 times since July 16, 2019)
- awesome-bot: 1.18.0 (downloaded 232 times since July 15, 2019)
- doge-coin: 1.0.2 (downloaded 213 times since July 17, 2019)
- capistrano-colors: 0.5.5 (downloaded 175 times since August 1, 2019)