Earlier this week we wrote about an Internet Explorer 0-day which used an in-memory drive by attack, which was pretty smart. Now another new type of malware (a backdoor in this case), this time targeting Linux known as Fokirtor.
There is no real discussion of the exploit used to plant this backdoor (if it was an exploit, there are other channels), but the way it operates is pretty interesting and certainly nothing I’ve seen before.
Security researchers have discovered a Linux backdoor that uses a covert communication protocol to disguise its presence on compromised systems.
The malware was used in an attack on a large (unnamed) hosting provider back in May. It cleverly attempted to avoid setting off any alarm bells by injecting its own communications into legitimate traffic, specifically SSH chatter. SSH is a protocol commonly used to access shell accounts on Unix-like operating systems, a continuous activity for remote administration of websites.
The unknown cybercrooks or cyberspies behind that attack apparently targeted customer record information such as usernames, emails, and passwords using the subtle and stealthy malware, according to an analysis of the backdoor by security researchers at Symantec.
In addition, the malware made use of the Blowfish encryption algorithm to encrypt uploads of stolen data or other communications with a command-and-control network.
It’s a pretty interesting method, assuming most Linux servers do have SSH enabled (which they do tend to) – it enables attackers to communicate covertly without setting off any alarms. The part I find really interesting is that the malware uses a pretty serious encryption algorithm (Blowfish), rather than the average backdoor or trojan which just uses XOR or Base64 encoding.
The conspiracists amongst us will likely find this pointing to governmental involvement in the development of this backdoor.
The attackers understood the target environment was generally well-protected. In particular, the attackers needed a means to avoid suspicious network traffic or installed files, which may have triggered a security review. Demonstrating sophistication, the attackers devised their own stealthy Linux backdoor to camouflage itself within the Secure Shell (SSH) and other server processes.
This backdoor allowed an attacker to perform the usual functionality — such as executing remote commands — however, the backdoor did not open a network socket or attempt to connect to a command-and-control server (C&C). Rather, the backdoor code was injected into the SSH process to monitor network traffic and look for the following sequence of characters: colon, exclamation mark, semi-colon, period (“:!;.”).After seeing this pattern, the back door would parse the rest of the traffic and then extract commands which had been encrypted with Blowfish and Base64 encoded.
Most sources mark this threat as pretty low, and it hasn’t been seen much – so it may have been a very targeted attack and some speculate it may be something to do with the GCHQ/Belgacom case.
It’ll be interesting to see if Fokirtor is found anywhere else, there is some very basic information about it from Symantec here: Linux.Fokirtor and a little more here Linux Back Door Uses Covert Communication Protocol.
In some ways it reminds me of pork knocking – fwknop – Port Knocking Tool with Single Packet Authorization.
Source: The Register
Balzak says
So, one basic way to detect if I have the trojan could be to telnet (SSH) the server, send :!;. and then see what goes out with tcpdump?