Pierluigi Paganini November 17, 2013

In May sophisticated attackers breached a large Internet hosting provider and gained access to internal administrative systems using a singular Linux backdoor.

Symantec security researchers have discovered a Linux backdoor, dubbed Fokirtor, that implements a covert communication protocol to hide its presence. The experts revealed that the malicious code was used to compromise a large hosting provider ‬in May.

The Linux backdoor masquerades its traffic within the legitimate one, in particular exploiting traffic of legitimate SSH connections.

The attackers used the Linux backdoor to syphon customer personal information including credentials and emails, the malicious code uses the Blowfish encryption algorithm to encrypt data sent back to the command-and-control servers.

When the Linux backdoor infects the victim it gathers the following information from the compromised computer:

• Peer host name and IP address
• Peer port
• Password
• SSH key
• User name

and encrypts the above information and sends it to the remote attacker.

The Trojan then opens a back door and allows a remote attacker to perform the following actions on the compromised computer: 

• Steal files from the computer
• Other malicious activities

According the analysis proposed by Symantec researchers  the choice of implementing a similar Linux backdoor is motivated by the fact that attackers were aware of the advanced level of security of the target, for this reason the cyber criminals needed to remain under coverage avoiding to trigger defense systems with anomalous traffic.

The attackers have disguised the legitimate processes including  Secure Shell (SSH) with their Linux backdoor as described in the post:

“This backdoor allowed an attacker to perform the usual functionality — such as executing remote commands — however, the backdoor did not open a network socket or attempt to connect to a command-and-control server (C&C). Rather, the backdoor code was injected into the SSH process to monitor network traffic and look for the following sequence of characters: colon, exclamation mark, semi-colon, period (“:!;.”). After seeing this pattern, the back door would parse the rest of the traffic and then extract commands which had been encrypted with Blowfish and Base64 encoded.”

Practically the Linux backdoor doesn’t use its own communication channel, instead it exploits particular sequences of character to delimit its traffic within the legitimate data exchanged during an SSH connection.

The Symantec analysts conclude that the Linux backdoor found is different from any other Linux malicious code previously detected, because it suggests the new tactics for further malware.

Pierluigi Paganini

(Security Affairs – Linux backdoor, Malware, cybercrime)