Symantec researchers have spotted a cybercriminal operation that relies on a new Linux backdoor, dubbed Linux.Fokirtor, to steal data without being detected.
An attack in which the Linux backdoor was leveraged was carried out in May 2013 against a large hosting provider. The cybercriminals gained access to usernames, passwords, email addresses and possibly even financial information.
Suspicious traffic or files would have immediately prompted a security review, so the attackers have developed a Linux backdoor that hides inside server processes such as the Secure Shell (SSH).
Instead of opening network sockets or communicating with command and control (C&C) servers, the threat injects itself into a process and monitors traffic for certain character sequences. When the “:!;.” (without quotes) pattern is detected, the backdoor starts extracting encrypted commands.
The commands are encrypted with Blowfish and encoded to Base64.
“The attacker could then make normal connection requests through SSH or other protocols and simply embed this secret sequence within some otherwise legitimate traffic to avoid detection. The commands would be executed and the result sent back to the attacker,” experts noted in a blog post.
Linux.Fokirtor is capable of encrypting stolen data using Blowfish and send it back to the cybercriminals; retrieve hostname, IP address, port, username and password from SSH connections; and execute various preconfigured or attacker-submitted commands.
In order to identify this particular backdoor, organizations are advised to monitor their traffic for the “:!;.”string. There’s also a list of strings in the SSHD process dump that can be used to detect the malware. Experts note that SSH logs don’t contain the “:!;.” strings.
Symantec says this is the first time it has analyzed such Linux malware. Additional technical details on this threat are available on the company’s blog.