A large Internet hosting provider has been target of a very sophisticated linux trojan in May of this year. The target of this attack was the customer data such as usernames, emails, password and financial information which was accessible, but encrypted. According to the symantec official blog, this attack was more sophisticated than what they have seen in the past.
The attackers were very smart as they understood that their target was well protected, so they devised Linux backdoor to camouflage itself within the Secure Shell (SSH) and other server processes. This way the attackers avoided suspicious network traffic or installed files.
The smart linux backdoor,known as Linux.Fokirtor was able to execute remote commands, but it did not extract any of its encrypted commands until the following sequence of characters: colon, exclamation mark, semi-colon, period (“:!;.”) was found during the network traffic monitoring. A very important fact that should be mentioned is that the Linux backdoor was injected into the SSH process to monitor the network traffic. Commands inside the linux backdoor had been encrypted with Blowfish and Base64 encoded.
Backdoor Was Able To Perform These Actions:
Execute any command the attacker submits through;
exec sh -c '[ATTACKER_COMMAND]' >/dev/null 2>/dev/null
Execute one of several preconfigured commands and retrieve output from those commands
Retrieve the following data from individual SSH connections:
Connecting hostname, IP address, and port
Username and password or SSH key
Encrypt stolen data or command responses using blowfish, and then send to attacker
Even is very hard to detect such sophisticated backdoors, there is nothing that can not be detected. Symantec explains two ways to detect the Linux.Fokirtor backdoor:
Identify the presence of this back door on your network, look for traffic that contains the “:!;.” string (excluding quotes)
Dump the SSHD process and search for the following strings within the dump (where [VALUE] can be various values):