Jeebus Batman, A Linux Security Alert! Linux Backdoor Hides Itself in SSH Chatter
As the old arguments sometimes goes on the Internet, “Linux has great security! You have nothing to worry about!” While this post is not to install fear, or doubt in Linux Security, it is noteworthy and something to keep in mind. The malware, detected as “Fokirtor,” to Symantec software secretly cloaks itself in legitimate SSH chatter, avoiding detection for most systems. With SSH being a common access method into Linux server systems, it was no small matter of concern. The most widely known incident thus far was an attack back in May of a hosting provider, stealing large amounts of private information.
What is interesting, is the use of SSH and the Blowfish encryption algorithm in order to disguise the attack, Blowifsh being used to encrypt the uploads of said stolen data. I won’t go as far as to say it was an ingenious idea, but in a well protected environment, avoiding detection is no small feat. Once in the system, remote commands could potentially be used. In this particular case, code was injected into the network monitor of the target server to monitor for specific characters, and once detected, the attack would pick up the rest of the data and lift it.
Attack like this for Linux servers are not all that uncommon, as Linux desktop users, we normally don’t see all that much of anything in the wild. But, for Linux server admins it is quite a different story. Trojans and Worms infection attempts can go up into the hundreds or even thousands, but compared to the tens of millions for Windows servers, it is quite a small number. That is why it always remains important to be able to examine source code, something paramount to the development of Linux security and other areas of improvement. These new malware tactics are something new though, something that every administrator of a Linux system should be aware of and on the look for.
You can check out the analysis of the Fokirtor malware over at Symantec’s website.