{"id":5621,"date":"2019-01-29T14:28:27","date_gmt":"2019-01-29T11:28:27","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=5621"},"modified":"2019-01-29T14:28:27","modified_gmt":"2019-01-29T11:28:27","slug":"razy-trojan-cryptocurrency-stealer","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/razy-trojan-cryptocurrency-stealer\/5621\/","title":{"rendered":"Bitcoin h\u0131rs\u0131z\u0131 \u00c7\u0131lg\u0131n Razy"},"content":{"rendered":"

\u0130\u015fletim sisteminin varsay\u0131lan taray\u0131c\u0131s\u0131ndan farkl\u0131 bir taray\u0131c\u0131 kullan\u0131yorsan\u0131z b\u00fcy\u00fck ihtimalle taray\u0131c\u0131 uzant\u0131lar\u0131n\u0131 biliyor, hatta birka\u00e7 tanesini kullan\u0131yorsunuzdur. Ayr\u0131ca bu blogu devaml\u0131 olarak takip ediyorsan\u0131z, bu uzant\u0131lardan baz\u0131lar\u0131n\u0131n tehlikeli oldu\u011funun ve yaln\u0131zca resmi kaynaklardan y\u00fcklenmeleri gerekti\u011finin de fark\u0131ndas\u0131n\u0131zd\u0131r. Ancak buradaki as\u0131l sorun, k\u00f6t\u00fc ama\u00e7l\u0131 eklentilerin kullan\u0131c\u0131n\u0131n bilgisi olmadan, hatta kullan\u0131c\u0131 (neredeyse) hi\u00e7bir i\u015flem yapmadan bile kurulabilmesidir.<\/p>\n

\"\"<\/p>\n

Razy k\u00f6t\u00fc ama\u00e7l\u0131 uzant\u0131lar\u0131 nas\u0131l y\u00fckl\u00fcyor?<\/h2>\n

Ba\u015f \u015f\u00fcpheli, (Windows i\u00e7in ge\u00e7erli olmak \u00fczere) Google Chrome, Mozilla Firefox ve Yandex Browser\u2019\u0131 kendi eklentileriyle yenileyen Razy Trojan\u2019d\u0131r. Securelist.com adresinden daha detayl\u0131 bilgiye ula\u015fabilirsiniz, ancak temelde bu k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m, y\u00fcklenen uzant\u0131lar\u0131n taranmas\u0131n\u0131 devre d\u0131\u015f\u0131 b\u0131rak\u0131r, her ihtimale kar\u015f\u0131 taray\u0131c\u0131n\u0131n g\u00fcncellenmesini engeller ve ard\u0131ndan k\u00f6t\u00fc ama\u00e7l\u0131 eklentileri y\u00fcklemeye ba\u015flar: Firefox\u2019a Firefox Protection uzant\u0131s\u0131 eklenirken Yandex Browser\u2019a Yandex Protect uzant\u0131s\u0131 y\u00fcklenir.<\/p>\n

Bu uzant\u0131lar\u0131n isimleri yan\u0131lt\u0131c\u0131 olsa da bir anda ortaya \u00e7\u0131kmalar\u0131 tehlike i\u015fareti olarak g\u00f6r\u00fclmelidir. Google Chrome\u2019a y\u00f6nelik komut dosyas\u0131 bu ba\u011flamda \u00f6zellikle tehlikelidir: \u00c7\u00fcnk\u00fc Razy, genel taray\u0131c\u0131 eklentileri listesinde g\u00f6r\u00fcnmeyen ve g\u00fcvenlik yaz\u0131l\u0131m\u0131 olmad\u0131k\u00e7a yaln\u0131zca dolayl\u0131 olarak tespit edilebilen Chrome Media Router sistem uzant\u0131s\u0131na bula\u015fabilir.<\/p>\n

Vir\u00fcs bula\u015ft\u0131ktan sonra ne olur?<\/h2>\n

T\u00fcm bu senaryo, man-in-the-browser (taray\u0131c\u0131ya yerle\u015ftirilen zararl\u0131 yaz\u0131l\u0131m) sald\u0131r\u0131lar\u0131n\u0131n tipik bir \u00f6rne\u011fidir. K\u00f6t\u00fc ama\u00e7l\u0131 uzant\u0131lar, internet sitesinin i\u00e7eri\u011fini yarat\u0131c\u0131lar\u0131n\u0131n iste\u011fi do\u011frultusunda de\u011fi\u015ftirir. Razy olay\u0131nda en \u00e7ok korkmas\u0131 gerekenler, kripto para sahipleridir. Uzant\u0131, kripto para borsas\u0131 sitelerini hedef al\u0131r, siteyi \u201ckazan\u00e7l\u0131\u201d teklifler g\u00f6steren reklamlarla doldurur ancak yemi yutan kullan\u0131c\u0131lar kendilerini de\u011fil, siber su\u00e7lular\u0131 zenginle\u015ftirmi\u015f olur.<\/p>\n

\"\"<\/p>\n

Bu da yetmezmi\u015f gibi, uzant\u0131 Google\u2019da veya Yandex\u2019te yap\u0131lan kullan\u0131c\u0131 aramalar\u0131n\u0131 g\u00f6zetler ve e\u011fer arama sorusu kripto para birimiyle ilgiliyse uzant\u0131, bu ba\u011flant\u0131lar\u0131 arama sonu\u00e7lar\u0131 sayfas\u0131ndaki kimlik av\u0131 sitelerine ekler.<\/p>\n

\"\"

Razy sonu\u00e7lar\u0131: Arama sonu\u00e7lar\u0131ndaki ilk be\u015f ba\u011flant\u0131, k\u00f6t\u00fc ama\u00e7l\u0131 uzant\u0131 taraf\u0131ndan eklenir ve kimlik av\u0131 sitelerini g\u00f6sterir<\/p><\/div>\n

Coin\u2019leri \u201cyeniden da\u011f\u0131tman\u0131n\u201d bir ba\u015fka yolu da, bir Web sayfas\u0131ndaki t\u00fcm c\u00fczdan numaralar\u0131n\u0131 (veya QR kodlar\u0131n\u0131) siber su\u00e7lulara ait c\u00fczdanlar\u0131n numaralar\u0131yla de\u011fi\u015ftirmektir.<\/p>\n

A\u015fa\u011f\u0131dakilere benzer c\u00f6mert teklifler sunan reklamlar, vir\u00fcs bula\u015fm\u0131\u015f taray\u0131c\u0131 kullan\u0131c\u0131lar\u0131n\u0131n pe\u015fini Vkontakte veya Youtube gibi sitelerde de b\u0131rakmaz: \u201c\u015eimdi biraz yat\u0131r\u0131m yap\u0131n, sonras\u0131nda bir milyon kazan\u0131n,\u201d \u201c\u00c7evrimi\u00e7i bir ankete kat\u0131larak para kazan\u0131n\u201d vb. Vikipedi sayfalar\u0131nda kullan\u0131c\u0131lardan projeyi desteklemelerini isteyen sahte ba\u015fl\u0131k da cabas\u0131.<\/p>\n

\"\"<\/p>\n

Razy\u2019den korunma yollar\u0131<\/h2>\n

Razy Trojan, ba\u011fl\u0131 programlar arac\u0131l\u0131\u011f\u0131yla<\/a> faydal\u0131 yaz\u0131l\u0131m g\u00f6r\u00fcnt\u00fcs\u00fc alt\u0131nda gizlenerek yay\u0131l\u0131r ve \u00e7e\u015fitli \u00fccretsiz dosya bar\u0131nd\u0131rma hizmetlerinden indirilebilir, bu nedenle bu vir\u00fcsten nas\u0131l korunulaca\u011f\u0131na dair tavsiyeler de olduk\u00e7a standartt\u0131r:<\/p>\n