Fokirtor, a sophisticated? malware for Linux

Florence Broderick    18 November, 2013
Symantec has just released some details about how a new malware for Linux works. It is relevant for its relative sophistication. It was discovered in June as a fundamental part of a targeted attack to a hosting provider, but it’s now when they disclose technical details about how it works. Although sophisticated for Linux environment, technically it’s not so relevant if we compare it with malware for Windows.

In May 2013, an important hosting provided was attacked. They knew exactly what they were doing and what errors to avoid. They wanted financial data and user passwords (oddly enough they were stored ciphered, but they cannot rule out the master key was not compromised…). This happens everyday, but the difference is the method used: Fokirtor, that is the way Symantec has baptised the trojan used as the attacking tool.

It was a quite important company, and they needed to evade the security systems, so they tried to be unnoticed injecting the trojan to some servers process as a SSH daemon. In this way, they disguised their presence physically (no new processes were needed) and in the traffic (that would be merged with the one generated by the SSH service itself). This is a “standard” method in malware for Windows, where regular trojans usually inject themselves inside the browser and cover their traffic under HTTP.

Of course, the malware needed connectivity with the outside world to receive commands. In the world of Windows, malware usually connects outbound periodically (to elude inbound firewall) towards a C&C via HTTP. In the case of Fokirtor, what it did was hooking functions and wait for commands injected in SSH process, preceded by ” :!;.  characters (without quotes). This would indicate that the attacker wanted to make some action. This method isn’t new. Usually, when some legitimate software is trojanized in Linux’s world, a reacting way for a certain pattern is embedded in its code, and then is published so it’s downloaded by the future victims. What isn’t so usual is to make it “on the fly” injecting it in a process. Although the news doesn’t make it clear, we understand that the attacker had to get root privileges in the compromised machine.

The attacker just had to connect via SSH to the servers and send the magic sequence to take over the machine. Received commands were coded in base64 and ciphered with blowfish (designed by Bruce Schneier in 1993). This traffic wasn’t logged.
In absolute terms, technically it’s under the “standard” malware for Windows, and light years behind professional malware as a “ciberwapon” (TheFlame, Stuxnet, etc). Nevertheless, it does represent an interesting milestone that doesn’t usually happen: finding specific malware for Linux servers that actively seeks to be unnoticed. 

To recall similar news, we have to go a year back. An user sent an email to the security list “Full Disclosure”, stating he had found his Debian servers infected with what seemed to be a “rootkit working with nginx”. It was about an administrator that had realized that the visitors of its web were being redirected to infected sites. Some kind of requests to that web server, returned an iframe injected in the page, that took to a point where Windows users tried to be infected. The administrator discovered some hidden processes and kernel modules responsible for the problem, and attached them to the email so it could be studied. After analyzed, we didn’t have too many news about that rootkit.

Some questions without answers

Something that calls the eye but doesn’t seem to have an explanation, is that Symantec detected this malware in June, with the same name, but hasn’t offered technical details about the way it works since now. What happened during these five months? Probably they have been studying it in cooperation with the affected company. Unless they have come across with administrative or legal problems, technically it’s not necessary to spend so much time to analyze a malware like this. And what happened before June? The attack was detected in May, but nothing is said about for how long the company was infected. It would be interesting to know the success of its hiding strategy during a real infection period. Being a hosting provider, have webpages of their costumers been compromised?

They say nothing about the trojan being able to replicate itself, or about detecting it in any other system. Possibly it’s a targeted attack to a specific company, and the attackers didn’t add this functionality to their tool. Just the strictly necessary to accomplish their task.

Although we instinctively relate Windows systems with malware world, when the attackers have a clear target, whatever operating system it is, there are no barriers. Or they are even weaker. Do not forget malware, technically speaking, is just a program “as any other” and only the will of programming it separates it from becoming a reality for a specific platform.
Sergio de los Santos

Leave a Reply

Your email address will not be published. Required fields are marked *