A cybercriminal operation is relying on a new Linux backdoor to steal data without being noticed.
The backdoor, called Linux.Fokirtor, was used in an attack against a large hosting provider in May 2013, researchers at Symantec said. The cybercriminals gained access to usernames, passwords, email addresses and possibly even financial information.
Suspicious traffic or files would have immediately prompted a security review, so the attackers developed a Linux backdoor that hides inside server processes such as the Secure Shell (SSH).
Instead of opening network sockets or communicating with command and control (C&C) servers, the threat injects itself into a process and monitors traffic for certain character sequences. When the “:!;.” (without quotes) pattern is detected, the backdoor starts extracting encrypted commands, researchers said.
The commands are encrypted with Blowfish and encoded in Base64.
“The attacker could then make normal connection requests through SSH or other protocols and simply embed this secret sequence within some otherwise legitimate traffic to avoid detection. The commands would be executed and the result sent back to the attacker,” researchers said in a blog post.
Linux.Fokirtor is capable of encrypting stolen data with Blowfish and sending it back to the cybercriminals, retrieving the hostname, IP address, port, username and password from SSH connections, and executing various preconfigured or attacker-submitted commands.
To identify this particular backdoor, organizations should monitor their traffic for the “:!;.” string. There is also a list of strings that can be searched for in an SSHD process dump to detect the malware. Experts note that SSH logs do not contain the “:!;.” string.
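The detection advice above, as an added example that is not part of the original article or of Symantec's tooling: a small Python scanner that looks for the “:!;.” trigger sequence in any byte blob (a captured traffic chunk or an SSHD process dump) and reports the Base64 run that follows it, so an analyst can see where the marker occurs and whether a Base64 payload is attached. The sample chunks, the filler blob and the minimum Base64 run length are constructed assumptions; no Blowfish key is known, so the payload is reported, not decrypted.

```python
import base64
import re
from dataclasses import dataclass
from typing import Iterable, List

# Trigger sequence reported for Linux.Fokirtor (from the article).
FOKIRTOR_MARKER = b":!;."

# A run of Base64 text after the marker. The minimum length of 8 is an assumed
# heuristic to skip short accidental matches, not a value from the report.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")

@dataclass
class Hit:
    chunk: int          # index of the chunk in which the marker was found
    offset: int         # byte offset of the marker inside that chunk
    payload_b64: bytes  # Base64 run following the marker (empty if none)
    decodes: bool       # True if that run is valid Base64

def scan_bytes(data: bytes, chunk_no: int = 0) -> List[Hit]:
    """Report each marker occurrence in one blob (a traffic chunk or a process dump)."""
    hits: List[Hit] = []
    pos = 0
    while (idx := data.find(FOKIRTOR_MARKER, pos)) >= 0:
        match = _B64_RUN.match(data, idx + len(FOKIRTOR_MARKER))
        b64 = match.group(0) if match else b""
        decodes = False
        if b64:
            try:
                base64.b64decode(b64, validate=True)
                decodes = True
            except ValueError:  # binascii.Error is a ValueError subclass
                pass
        hits.append(Hit(chunk_no, idx, b64, decodes))
        pos = idx + len(FOKIRTOR_MARKER)
    return hits

def scan_chunks(chunks: Iterable[bytes]) -> List[Hit]:
    """Run scan_bytes over captured chunks, e.g. reassembled TCP payloads."""
    return [hit for n, chunk in enumerate(chunks) for hit in scan_bytes(chunk, n)]

# Constructed sample traffic: benign lines plus one chunk carrying the marker and
# an opaque Base64 blob. The blob is filler, not real Fokirtor ciphertext.
FILLER_B64 = base64.b64encode(b"constructed opaque blob standing in for Blowfish output")
SAMPLE_CHUNKS = [
    b"SSH-2.0-OpenSSH_6.2\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"padding " + FOKIRTOR_MARKER + FILLER_B64 + b" trailing bytes",
]
```

Because the backdoor reads traffic inside the injected process, a network sensor only sees the marker where the carrying protocol is in cleartext; the same scan over a memory dump of sshd covers the encrypted SSH case.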
Symantec said this is the first time it has analyzed such Linux malware.