Sneaky New Linux Attack Discovered

Nov 18, 2013

Innovative back door looks like normal SSH traffic.

Security experts have announced the discovery of a Linux back door attack that they have pronounced "more sophisticated than we have seen in the past." This attack apparently breached a large hosting provider, providing access to usernames, passwords, email, financial records, and other personal information. Although some of this information was encrypted, investigators could not rule out the possible theft of encryption keys.
The attack was unique in its ability to conceal its own communication within SSH. According to the report, “… the back door did not open a network socket or attempt to connect to a command-and-control server. Rather, the back door code was injected into the SSH process to monitor network traffic and look for the following sequence: colon, exclamation mark, semi-colon, period (:!;.).”
The back door watches for this pattern and parses any traffic after the traffic is received. Hidden commands are encrypted using Blowfish and Base64 encoding.
According to the report, once the code is activated, the attacker can submit any command using the following syntax:

exec sh -c '[ATTACKER_COMMAND]'>/dev/null 2>/dev/null

The backdoor also supports several pre-configured commands and lets the attacker extract SSH connection data from the system.To detect the attack, search the traffic for presence of the initiation string (:!;.). The report at the Symantec site also describes a way to detect the attack through an SSHD process dump.

Related content

  • Linux News

    Updates on Technologies, Trends, and Tools

  • Security Lessons: Modified Code Attacks

    Learn how to protect yourself against malicious attacks by modified source code.

  • Backdoors

    Backdoors give attackers unrestricted access to a zombie system. If you plan to stop the bad guys from settling in, you’ll be interested in this analysis of the tools they might use for building a private entrance.

  • Honeynet

    Security-conscious admins can use a honeynet to monitor, log, and analyze intrusion techniques.

  • Tripwire

    The simple but effective Tripwire HIDS provides its service quietly and discreetly, preventing attackers from infecting computers with trojans, backdoors, or modified files by identifying anomalies unnoticed by the user.

comments powered by Disqus

Issue 184/2016

Buy this issue as a PDF

Digital Issue: Price $9.99
(incl. VAT)