nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Linux backdoor squirts code into SSH to keep its badness buried

Fokirtor! It LOOKED like legitimate traffic...

By John Leyden, 15 Nov 2013

Security researchers have discovered a Linux backdoor that uses a covert communication protocol to disguise its presence on compromised systems.

The malware ‪was used in an attack on a large (unnamed) hosting provider ‬back in May. It cleverly attempted to avoid setting off any alarm bells by injecting its own communications into legitimate traffic, specifically SSH chatter. SSH is a protocol commonly used to access shell accounts on Unix-like operating systems, a continuous activity for remote administration of websites.

The unknown cybercrooks or cyberspies behind that attack apparently targeted customer record information such as usernames, emails, and passwords using the subtle and stealthy malware, according to an analysis of the backdoor by security researchers at Symantec.

In addition, the malware made use of the Blowfish encryption algorithm to encrypt uploads of stolen data or other communications with a command-and-control network.

The attackers understood the target environment was generally well-protected. In particular, the attackers needed a means to avoid suspicious network traffic or installed files, which may have triggered a security review. Demonstrating sophistication, the attackers devised their own stealthy Linux backdoor to camouflage itself within the Secure Shell (SSH) and other server processes.

This backdoor allowed an attacker to perform the usual functionality — such as executing remote commands — however, the backdoor did not open a network socket or attempt to connect to a command-and-control server (C&C). Rather, the backdoor code was injected into the SSH process to monitor network traffic and look for the following sequence of characters: colon, exclamation mark, semi-colon, period (“:!;.”).

After seeing this pattern, the back door would parse the rest of the traffic and then extract commands which had been encrypted with Blowfish and Base64 encoded.

Symantec concludes that the mystery malware – which it detects as Fokirtor – is different from any other Linux backdoor that its security researchers have previously analysed.

Malware on Linux systems is mostly a server-side problem and incidents of worms and Trojans run into the hundreds or low thousands – as compared to the tens of millions of Windows pathogens and one million plus Android undesirables.

Even so, Symantec claims that Fokirtor is completely different from any previous strain of Linux malware is noteworthy – not least because it suggests the new tactics pioneered by the malware may crop up in follow-up code. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing