Feeds

Linux backdoor squirts code into SSH to keep its badness buried

Fokirtor! It LOOKED like legitimate traffic...

SANS - Survey on application security programs

Security researchers have discovered a Linux backdoor that uses a covert communication protocol to disguise its presence on compromised systems.

The malware ‪was used in an attack on a large (unnamed) hosting provider ‬back in May. It cleverly attempted to avoid setting off any alarm bells by injecting its own communications into legitimate traffic, specifically SSH chatter. SSH is a protocol commonly used to access shell accounts on Unix-like operating systems, a continuous activity for remote administration of websites.

The unknown cybercrooks or cyberspies behind that attack apparently targeted customer record information such as usernames, emails, and passwords using the subtle and stealthy malware, according to an analysis of the backdoor by security researchers at Symantec.

In addition, the malware made use of the Blowfish encryption algorithm to encrypt uploads of stolen data or other communications with a command-and-control network.

The attackers understood the target environment was generally well-protected. In particular, the attackers needed a means to avoid suspicious network traffic or installed files, which may have triggered a security review. Demonstrating sophistication, the attackers devised their own stealthy Linux backdoor to camouflage itself within the Secure Shell (SSH) and other server processes.

This backdoor allowed an attacker to perform the usual functionality — such as executing remote commands — however, the backdoor did not open a network socket or attempt to connect to a command-and-control server (C&C). Rather, the backdoor code was injected into the SSH process to monitor network traffic and look for the following sequence of characters: colon, exclamation mark, semi-colon, period (“:!;.”).

After seeing this pattern, the back door would parse the rest of the traffic and then extract commands which had been encrypted with Blowfish and Base64 encoded.

Symantec concludes that the mystery malware – which it detects as Fokirtor – is different from any other Linux backdoor that its security researchers have previously analysed.

Malware on Linux systems is mostly a server-side problem and incidents of worms and Trojans run into the hundreds or low thousands – as compared to the tens of millions of Windows pathogens and one million plus Android undesirables.

Even so, Symantec claims that Fokirtor is completely different from any previous strain of Linux malware is noteworthy – not least because it suggests the new tactics pioneered by the malware may crop up in follow-up code. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.