Linux Backdoor Fokirtor Injects Traffic Into SSH Protocol

Use Netsparker


Earlier this week we wrote about an Internet Explorer 0-day which used an in-memory drive by attack, which was pretty smart. Now another new type of malware (a backdoor in this case), this time targeting Linux known as Fokirtor.

There is no real discussion of the exploit used to plant this backdoor (if it was an exploit, there are other channels), but the way it operates is pretty interesting and certainly nothing I’ve seen before.

Security researchers have discovered a Linux backdoor that uses a covert communication protocol to disguise its presence on compromised systems.

The malware ‪was used in an attack on a large (unnamed) hosting provider ‬back in May. It cleverly attempted to avoid setting off any alarm bells by injecting its own communications into legitimate traffic, specifically SSH chatter. SSH is a protocol commonly used to access shell accounts on Unix-like operating systems, a continuous activity for remote administration of websites.

The unknown cybercrooks or cyberspies behind that attack apparently targeted customer record information such as usernames, emails, and passwords using the subtle and stealthy malware, according to an analysis of the backdoor by security researchers at Symantec.

In addition, the malware made use of the Blowfish encryption algorithm to encrypt uploads of stolen data or other communications with a command-and-control network.

It’s a pretty interesting method, assuming most Linux servers do have SSH enabled (which they do tend to) – it enables attackers to communicate covertly without setting off any alarms. The part I find really interesting is that the malware uses a pretty serious encryption algorithm (Blowfish), rather than the average backdoor or trojan which just uses XOR or Base64 encoding.

The conspiracists amongst us will likely find this pointing to governmental involvement in the development of this backdoor.


The attackers understood the target environment was generally well-protected. In particular, the attackers needed a means to avoid suspicious network traffic or installed files, which may have triggered a security review. Demonstrating sophistication, the attackers devised their own stealthy Linux backdoor to camouflage itself within the Secure Shell (SSH) and other server processes.
This backdoor allowed an attacker to perform the usual functionality — such as executing remote commands — however, the backdoor did not open a network socket or attempt to connect to a command-and-control server (C&C). Rather, the backdoor code was injected into the SSH process to monitor network traffic and look for the following sequence of characters: colon, exclamation mark, semi-colon, period (“:!;.”).

After seeing this pattern, the back door would parse the rest of the traffic and then extract commands which had been encrypted with Blowfish and Base64 encoded.

Most sources mark this threat as pretty low, and it hasn’t been seen much – so it may have been a very targeted attack and some speculate it may be something to do with the GCHQ/Belgacom case.

It’ll be interesting to see if Fokirtor is found anywhere else, there is some very basic information about it from Symantec here: Linux.Fokirtor and a little more here Linux Back Door Uses Covert Communication Protocol.

In some ways it reminds me of pork knocking – fwknop – Port Knocking Tool with Single Packet Authorization.

Source: The Register

Posted in: Cryptography, Exploits/Vulnerabilities, Networking Hacking

, , ,


Latest Posts:


snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.
QualysGuard - Vulnerability Management Tool QualysGuard – Vulnerability Management Tool
QualysGuard is a web-based vulnerability management tool provided by Qualys, Inc, which was the first company to deliver vulnerability management services as a SaaS-based web-service.


One Response to Linux Backdoor Fokirtor Injects Traffic Into SSH Protocol

  1. Balzak November 20, 2013 at 3:47 am #

    So, one basic way to detect if I have the trojan could be to telnet (SSH) the server, send :!;. and then see what goes out with tcpdump?