A Very Sophisticated Linux Backdoor Targeting Big Companies


A large Internet hosting provider was the target of a very sophisticated Linux trojan in May of this year. The goal of the attack was customer data such as usernames, email addresses, passwords and financial information, which was accessible but encrypted. According to Symantec's official blog, this attack was more sophisticated than what they had seen in the past.

The attackers were well prepared: they understood that their target was well protected, so they devised a Linux backdoor that camouflages itself inside the Secure Shell (SSH) daemon and other server processes. Because the malicious code lives inside legitimate processes, the attackers avoided generating suspicious network traffic and left no obviously suspicious installed files to find.

The backdoor, known as Linux.Fokirtor, was able to execute remote commands, but it did not extract any of its encrypted commands until the following sequence of characters was found in the network traffic it was monitoring: colon, exclamation mark, semi-colon, period (":!;."). An important detail is that the backdoor was injected into the SSH process precisely so that it could monitor that traffic. Commands sent to the backdoor were encrypted with Blowfish and then Base64 encoded.

The Backdoor Was Able To Perform These Actions:

    Execute any command the attacker submits, by running:
    exec sh -c '[ATTACKER_COMMAND]' >/dev/null 2>/dev/null
    Execute one of several preconfigured commands and retrieve the output of those commands
    Retrieve the following data from individual SSH connections:
        Connecting hostname, IP address, and port
        Username and password or SSH key
    Encrypt stolen data or command responses with Blowfish, and then send them to the attacker

Backdoor Detection

Even though such sophisticated backdoors are very hard to detect, nothing is impossible to detect. Symantec describes two ways to detect the Linux.Fokirtor backdoor:

    To identify the presence of this backdoor on your network, look for traffic that contains the ":!;." string (excluding quotes)
    Dump the sshd process and search for the following strings within the dump (where [VALUE] can be various values):

    key=[VALUE] dhost=[VALUE] hbt=3600
    sp=[VALUE] sk=[VALUE] dip=[VALUE]
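The two checks above are simple enough to script. The following is an added example written for this article, not code from Symantec or from the original post. It runs both checks over constructed sample data: a few made-up traffic chunks, one of which carries the ":!;." trigger, and a made-up fragment of an sshd memory dump containing the two configuration strings with invented [VALUE]s. The function names, the sample data, and the way a real dump is fed in (a core file produced by something like gcore) are all assumptions of the example.

```python
import re
import sys

# Trigger marker the backdoor waits for before it will decrypt a command.
TRIGGER = b":!;."

# Constructed sample traffic payloads (not a real capture). Only the
# third chunk carries the trigger marker.
SAMPLE_TRAFFIC = [
    b"SSH-2.0-OpenSSH_6.2\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"\x00\x10junk:!;.U2FsdGVkX1+rZ0xY\n",
]


def find_trigger(chunks):
    """Return the indices of the traffic chunks that contain ':!;.'.

    The marker is only four bytes long, so a hit on a busy network is a
    lead for manual review, not proof of compromise on its own.
    """
    return [i for i, chunk in enumerate(chunks) if TRIGGER in chunk]


# Patterns for the configuration strings Symantec reports inside an
# infected sshd process. [VALUE] is unknown, so each value is matched as
# a run of bytes that is neither whitespace nor NUL (process memory is
# full of NUL separators, and \S alone would swallow them).
VALUE = rb"([^\s\x00]+)"
CONFIG_PATTERNS = {
    "key_block": re.compile(rb"key=" + VALUE + rb" dhost=" + VALUE + rb" hbt=3600"),
    "sp_block": re.compile(rb"sp=" + VALUE + rb" sk=" + VALUE + rb" dip=" + VALUE),
}

# Constructed memory dump fragment; every value is invented.
SAMPLE_DUMP = (
    b"\x00\x00openssh\x00"
    b"key=AAAAexamplekey dhost=203.0.113.10 hbt=3600\x00"
    b"padding\x00sp=2222 sk=examplesk dip=198.51.100.7\x00"
)


def scan_dump(data):
    """Search a process dump for the Fokirtor config strings.

    Returns a dict of the fields found (bytes values); an empty dict
    means neither string was present.
    """
    found = {}
    m = CONFIG_PATTERNS["key_block"].search(data)
    if m:
        found["key"], found["dhost"] = m.group(1), m.group(2)
    m = CONFIG_PATTERNS["sp_block"].search(data)
    if m:
        found["sp"], found["sk"], found["dip"] = m.group(1), m.group(2), m.group(3)
    return found


def scan_dump_file(path):
    """Read a whole core/memory dump file (e.g. from gcore) and scan it."""
    with open(path, "rb") as fh:
        return scan_dump(fh.read())


if __name__ == "__main__":
    # With a file argument, scan that dump; otherwise run on the samples.
    if len(sys.argv) > 1:
        hits = scan_dump_file(sys.argv[1])
    else:
        print("trigger seen in traffic chunks:", find_trigger(SAMPLE_TRAFFIC))
        hits = scan_dump(SAMPLE_DUMP)
    if hits:
        print("Fokirtor config strings found:")
        for field, value in hits.items():
            print(f"  {field} = {value.decode(errors='replace')}")
    else:
        print("no Fokirtor config strings found")
```

On a live host you would produce the dump with a tool such as gcore against the sshd PID and pass the resulting file as the first argument; the traffic check is meant to be run over payloads extracted from a packet capture rather than the inline samples. Treat a match on either check as a reason to preserve the machine for forensics, since the backdoor lives in process memory and reboots or service restarts may destroy the evidence.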

Oltjano Terpollari 9:42 pm

About Oltjano Terpollari

Oltjano Terpollari is a very passionate computer geek studying python, linux, netcat power tools and living a binary life. He goes by the nickname Ambition and is very happy living a science life. He also loves technical blogging and sharing his knowledge with others.
