Linux Backdoor Fokirtor Injects Traffic Into SSH Protocol

The New Acunetix V12 Engine


Earlier this week we wrote about an Internet Explorer 0-day which used an in-memory drive by attack, which was pretty smart. Now another new type of malware (a backdoor in this case), this time targeting Linux known as Fokirtor.

There is no real discussion of the exploit used to plant this backdoor (if it was an exploit, there are other channels), but the way it operates is pretty interesting and certainly nothing I’ve seen before.

Security researchers have discovered a Linux backdoor that uses a covert communication protocol to disguise its presence on compromised systems.

The malware ‪was used in an attack on a large (unnamed) hosting provider ‬back in May. It cleverly attempted to avoid setting off any alarm bells by injecting its own communications into legitimate traffic, specifically SSH chatter. SSH is a protocol commonly used to access shell accounts on Unix-like operating systems, a continuous activity for remote administration of websites.

The unknown cybercrooks or cyberspies behind that attack apparently targeted customer record information such as usernames, emails, and passwords using the subtle and stealthy malware, according to an analysis of the backdoor by security researchers at Symantec.

In addition, the malware made use of the Blowfish encryption algorithm to encrypt uploads of stolen data or other communications with a command-and-control network.

It’s a pretty interesting method, assuming most Linux servers do have SSH enabled (which they do tend to) – it enables attackers to communicate covertly without setting off any alarms. The part I find really interesting is that the malware uses a pretty serious encryption algorithm (Blowfish), rather than the average backdoor or trojan which just uses XOR or Base64 encoding.

The conspiracists amongst us will likely find this pointing to governmental involvement in the development of this backdoor.


The attackers understood the target environment was generally well-protected. In particular, the attackers needed a means to avoid suspicious network traffic or installed files, which may have triggered a security review. Demonstrating sophistication, the attackers devised their own stealthy Linux backdoor to camouflage itself within the Secure Shell (SSH) and other server processes.
This backdoor allowed an attacker to perform the usual functionality — such as executing remote commands — however, the backdoor did not open a network socket or attempt to connect to a command-and-control server (C&C). Rather, the backdoor code was injected into the SSH process to monitor network traffic and look for the following sequence of characters: colon, exclamation mark, semi-colon, period (“:!;.”).

After seeing this pattern, the back door would parse the rest of the traffic and then extract commands which had been encrypted with Blowfish and Base64 encoded.

Most sources mark this threat as pretty low, and it hasn’t been seen much – so it may have been a very targeted attack and some speculate it may be something to do with the GCHQ/Belgacom case.

It’ll be interesting to see if Fokirtor is found anywhere else, there is some very basic information about it from Symantec here: Linux.Fokirtor and a little more here Linux Back Door Uses Covert Communication Protocol.

In some ways it reminds me of pork knocking – fwknop – Port Knocking Tool with Single Packet Authorization.

Source: The Register

Posted in: Cryptography, Exploits/Vulnerabilities, Networking Hacking

, , ,


Latest Posts:


testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.
HTTrack - Website Downloader Copier & Site Ripper Download HTTrack – Website Downloader Copier & Site Ripper Download
HTTrack is a free and easy-to-use offline browser utility which acts as a website downloader and a site ripper for copying websites and downloading them for offline viewing.
sshLooter - Script To Steal SSH Passwords sshLooter – Script To Steal SSH Passwords
sshLooter is a Python script using a PAM module to steal SSH passwords by logging the password and notifying the admin of the script via Telegram when a user logs in.


One Response to Linux Backdoor Fokirtor Injects Traffic Into SSH Protocol

  1. Balzak November 20, 2013 at 3:47 am #

    So, one basic way to detect if I have the trojan could be to telnet (SSH) the server, send :!;. and then see what goes out with tcpdump?