Linux backdoor squirts code into SSH to keep its badness buried

Security researchers have discovered a Linux backdoor that uses a covert communication protocol to disguise its presence on compromised systems. The malware was used in an attack on a large (unnamed) hosting provider back in May. It cleverly attempted to avoid setting off any alarm bells by injecting its own communications …

COMMENTS

This topic is closed for new posts.


Let the whining

commence.


Re: Let the whining

NO!!

(slaps commenter)

We FIGHT!

Roo

Re: Let the whining

Far from it... It looks like a nifty bit of work from the teeny amount of info I've managed to dig up on it.

Actually I do have a whine: I'd like to know a bit more about what vulnerabilities were exploited to get it installed...


Re: Let the whining

Blimey!

I stand, pleasantly surprised!

Keep up the high standard of well reasoned commenting - the bridge dwellers slumber on, it seems...


Re: Let the whining

Let the WINE-ing commence.


Re: Let the whining

... the most common vulnerability ... the one HOLDING THE MOUSE.


Re: Let the whining

I'd like to know a bit more about what vulnerabilities were exploited to get it installed...

Usually Linux malware gets out (in the rare instance that it does actually get out) through compromised repositories, though that doesn't seem to be the case here since it only infected one host.

Anonymous Coward

This is what happens when you use Linux.

Should've used *BSD


Re: Should've used *BSD

Was that OpenBSD as in the originators of OpenSSH?

If you have root access to any Unix type system you can install anything you like. The unexplained problem is gaining unauthorized root access to any system that has not already been weakened by ignorance or stupidity.

Anonymous Coward

Re: Should've used *BSD

>>> Goalposts shall not be moved <<<

Doesn't matter where OpenSSH originated, it's the OS that's the problem.


Re: Should've used *BSD

I politely disagree with the first bit: e.g. for Linux, grsecurity and/or SELinux come to mind as a possibility to harden your systems against attacks that compromise your root account. Of course, this does not mean that anything is "completely safe".

But the idea that attaining root status on a Unix system is akin to hitting the jackpot is no longer generally valid and in fact may constitute a trap in a properly secured system.


Re: Should've used *BSD

> Doesn't matter where OpenSSH originated, it's the OS that's the problem.

Until the exploit vector is identified, you can't claim that.


Re: >>> Goalposts shall not be moved <<<

There are no fixed points in computer security, not even the goal posts. Everything is constantly evolving, even the maxims by which we determine what our current measurements of security are.

That's what makes it such a challenging environment in which to work.


Infection Vector?

I get how it hides itself in a shared library once it's installed, but how does it get there in the first place?

Presumably you would need root permissions to install the shared library. Is there an update system compromised, or could it be a rogue sysadmin?


Re: Infection Vector?

That is the true question here.

Anonymous Coward

NSA Trojan installed by other malware

Norton from June:

http://www.nortoninternetsecurity.cc/2013/06/linuxfokirtor.html

Symantec from June:

http://www.symantec.com/security_response/writeup.jsp?docid=2013-061917-4900-99

It's a trojan installed by some other malware. It seems to be a pure backdoor. Lets the remote attacker grab files and send commands.

Looks like the work of a certain $10 billion dollar guerrilla in the room, and its pet monkey sidekick.

Who was the ISP targeted? And have they found the initial installation yet?

Also what distro? What version?

Anonymous Coward

Re: NSA *BACKDOOR* installed by other malware

Excuse my slack terminology: it's a *backdoor*, hanging off the SSH port; it shouldn't be called a trojan.

Q1. Can this command sequence ":!;." be spotted in the SSH connection logs?

Q2. Is there more than one instance found?

Q3. Is the blowfish key *different* for each instance?

Q4. Why blowfish? Why encrypt rather than obfuscate or simply XOR? Someone wanted to put a backdoor in but secure it with a proper key??? What key length?

Anonymous Coward

Re: Looks like the work of a certain $10 billion dollar guerrilla in the room

You're posting AC, why not just name it?

Anonymous Coward

Re: Infection Vector?

Place your bets:

Unpatched Apache flaw or zero day Apache flaw ?


Re: AC 09:45

"You're posting AC, why not just name it?"

They did - read the title of their post.

Anonymous Coward

TAO or MyNoc

Nobody is anonymous on elReg, all elReg traffic is present in the GCHQ logs because the pages all reference non-UK content and are thus logged and monitored by GCHQ. Clicking 'post anonymously' was simply to remind them of the right to privacy laws they're breaking. Equivalent to David Cameron hiding his old speeches.

There is no warrant protecting you here, the warrant was signed days ago and is a blanket one. Nothing stops a GCHQ operative from running any query on that data on you, Brit or not. Do *not* use anonymous posting on any British site in the belief you are not monitored by GCHQ and NSA because you are.

It will be NSA's hacking division TAO (Tailored Access Operations) or MyNoc, the GCHQ hacking division that did Belgacom, I suspect.

What did the Mexico hack look like? The hack of the president's email server? What did Merkel's hack look like?

http://www.theguardian.com/world/2013/oct/21/mexico-condemns-us-nsa-hacking-presidents-emails

"According to Der Spiegel, the NSA succeeded in hacking a central server in the network of the Mexican presidency that was also used by other members of Calderon's cabinet, yielding a trove of information on diplomatic and economic matters."

That's a central server hack too, what did the backdoor look like???? Release the details so we can connect the dots and catch this 'hole in the donut gang'.


Re: Infection Vector?

> ... it hides itself in a shared library ...

But unless it was part of the original base OS installation, I would expect it to be picked up by rkhunter or somesuch.

I have not seen anything to suggest that this malware could be installed and remain undetected on a system with a reasonably alert sysadmin.

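The comment above expects an injected or modified shared library to be picked up by a rootkit scanner. One concrete check a defender can script is to read the memory mappings of the running sshd process and flag executable mappings whose backing file lives outside the distribution's library directories, or whose backing file has been unlinked. The following is an added example written for this thread, not code from Symantec, rkhunter or any other project; the /proc/<pid>/maps text, addresses, inode numbers and the /tmp and /dev/shm paths are constructed for illustration, and the trusted-prefix list is an assumption that varies by distribution.

```python
"""Flag shared objects mapped into a process that do not come from trusted
library directories. Added example for this comment thread, not code from
Symantec, rkhunter or any project; the maps text below is constructed and
was not captured from a real sshd."""
import re
from dataclasses import dataclass

# Constructed sample in the format of /proc/<pid>/maps. Assumption: the
# process is sshd; the addresses and inode numbers are made up, and the
# /tmp and /dev/shm entries stand in for an injected library.
SAMPLE_MAPS = """\
55d1c3a00000-55d1c3b20000 r-xp 00000000 08:01 131172 /usr/sbin/sshd
7f0b9e000000-7f0b9e1c8000 r-xp 00000000 08:01 393250 /usr/lib/x86_64-linux-gnu/libc.so.6
7f0b9e400000-7f0b9e480000 r-xp 00000000 08:01 393301 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7f0b9e600000-7f0b9e60c000 r-xp 00000000 08:01 1337 /tmp/.x/libhook.so
7f0b9e700000-7f0b9e702000 r-xp 00000000 08:01 2048 /dev/shm/libfake.so (deleted)
7f0b9e800000-7f0b9e803000 r-xp 00000000 00:00 0 [vdso]
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""

# Assumption: where package-managed code is expected to live on this host.
TRUSTED_PREFIXES = ("/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/",
                    "/usr/sbin/", "/usr/bin/")

# One maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str       # empty for anonymous mappings
    deleted: bool   # kernel appends "(deleted)" when the file was unlinked


def parse_maps(text):
    """Parse /proc/<pid>/maps text into Mapping records."""
    out = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        deleted = path.endswith("(deleted)")
        if deleted:
            path = path[: -len("(deleted)")].rstrip()
        out.append(Mapping(int(m.group("start"), 16), int(m.group("end"), 16),
                           m.group("perms"), path, deleted))
    return out


def suspicious_mappings(text, trusted=TRUSTED_PREFIXES):
    """Return (path, reasons) for executable file-backed mappings that are
    unlinked or come from outside the trusted directories."""
    findings = []
    for mp in parse_maps(text):
        # Skip non-executable, anonymous and pseudo ([vdso], [stack]) mappings.
        if "x" not in mp.perms or not mp.path or mp.path.startswith("["):
            continue
        reasons = []
        if mp.deleted:
            reasons.append("backing file unlinked")
        if not mp.path.startswith(trusted):
            reasons.append("outside trusted library directories")
        if reasons:
            findings.append((mp.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in suspicious_mappings(SAMPLE_MAPS):
        print(path, "->", "; ".join(reasons))
```

Against a live host, feed it `open("/proc/%d/maps" % pid).read()` for each sshd process. It complements, rather than replaces, the package manager's own file verification (`dpkg -V` or `rpm -V` on the openssh-server package) and a look at `/etc/ld.so.preload`, since a library that has been loaded from a scratch directory and then deleted leaves nothing on disk for a file scanner to find.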

Re: NSA Trojan installed by other malware

From the Norton link in June:

Risk Level 1: Very Low

Linux.Fokirtor Threat Assessment

Component                  Severity
Wild Level                 Low
Number of Infections       0 - 49
Number of Sites            0 - 2
Geographical Distribution  Low
Threat Containment         Easy
Removal                    Easy
Damage Level               Medium
Distribution Level         Low


Re: Infection Vector?

Place your bets:

Unpatched Apache flaw or zero day Apache flaw ?

Do you even know how little of httpd executes with enhanced credentials? I would very much doubt that that is the vector.


Re: Infection Vector?

Wouldn't sendmail or bind represent a far more likely avenue?


Re: Infection Vector?

As this has only been reported as occurring at a hosting company, I would put my money on a buggy and/or poorly configured HTTP(S) ISP control panel.

Anonymous Coward

Re: Infection Vector?

The infection vector is probably nothing exciting or 0-day. A hosting company has the added problem of its customers installing all kinds of vulnerable software.

1) Find ANY vulnerability on the netblock of the hosting provider

2) Privilege escalation if needed

3) Install wireshark/other network analyser

4) Stop the webserver service

5) Wait for hosting admin to login to investigate

6) Retrieve sniffed login details from wireshark

7) SSH to other servers on the internal IP using admin login

8) Install what you want, including obfuscated back doors so you can enter any time at will

9) Get bored doing this manually so write a script that logs in to every IP on the netblock and automatically installs your custom software

Anonymous Coward

Re: Infection Vector?

"Retrieve sniffed login details from wireshark"

Load of disinformation here. Properly used SSH will authenticate both sides (server and client) before even transmitting a single payload bit. SSH will bail out as soon as the counterparty cannot cryptographically vouch for the possession of an SSH secret key. YOU CANNOT INTERCEPT ANYTHING from a properly set up SSH link. Short of breaking RSA, SHA1 and AES/3DES/RC4 and the like. Neither can you insert or replay a single fucking bit in a proper SSH connection.

The client will warn you "server key has changed" or something to this effect. Or the connection will simply not be established because of the MITM antics of somebody. Including the antics of GCHQ, as we now know.

This displays the power of Open Source: Commercial parties now go around spreading disinformation on the military-grade security that is openSSH, because it is just so perfect and it's free.

You can get similar security from SSL/TLS/HTTPS, if you sign your own keys and run your own CA. The USAF, Army and Navy do this on a regular basis. TLS and SSH have been specifically designed to thwart any MITMing.

If I talk like a sergeant here, it's because this comment section is full of dumb-o-matics from some "PR" company.

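The "server key has changed" warning the comment relies on comes from the client comparing the host key a server presents with the entry it has recorded in its known_hosts file. Below is an added example written for this thread, not OpenSSH's own code, that reproduces that comparison in Python, including the hashed hostname form written by the HashKnownHosts option and @revoked marker lines. The known_hosts entries, host names and key blobs are constructed rather than taken from real hosts, and the salt is a fixed placeholder where OpenSSH uses a random one.

```python
"""Check a presented SSH host key against a known_hosts file.
Added example for this comment thread, not OpenSSH's code; the hosts,
keys and salt below are constructed placeholders."""
import base64
import hashlib
import hmac

# Constructed key blobs. Real entries carry the base64 wire-format public
# key; for the comparison only the blob text matters.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
_SALT = b"0123456789abcdefghij"  # fixed 20-byte placeholder, not random


def hashed_host_field(hostname, salt=_SALT):
    """Build the |1|salt|hmac host field that HashKnownHosts writes:
    HMAC-SHA1 over the hostname, keyed with the salt, both base64."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


# Constructed known_hosts: a plain entry, a hashed entry and a revoked key.
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "bastion.example,10.0.0.5 ssh-ed25519 " + KEY_A,
    hashed_host_field("hashed.example") + " ssh-ed25519 " + KEY_B,
    "@revoked old.example ssh-ed25519 " + KEY_A,
])


def fingerprint(keyblob_b64):
    """SHA256 fingerprint in the form ssh-keygen prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(keyblob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _host_field_matches(field, hostname):
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    # Plain entries may list several names/addresses separated by commas.
    return hostname in field.split(",")


def check_host_key(known_hosts_text, hostname, keytype, keyblob_b64):
    """Return "OK", "CHANGED", "UNKNOWN" or "REVOKED" for the presented key."""
    seen_host = False
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker = None
        if line.startswith("@"):              # @revoked / @cert-authority
            marker, line = line.split(None, 1)
        parts = line.split()
        if len(parts) < 3:
            continue
        host_field, entry_type, entry_key = parts[0], parts[1], parts[2]
        if entry_type != keytype or not _host_field_matches(host_field, hostname):
            continue
        if marker == "@revoked":
            if hmac.compare_digest(entry_key, keyblob_b64):
                return "REVOKED"
            continue
        if marker == "@cert-authority":
            continue                           # certificate CAs not handled here
        seen_host = True
        if hmac.compare_digest(entry_key, keyblob_b64):
            return "OK"
    # A recorded key for this host that differs is the "key has changed" case.
    return "CHANGED" if seen_host else "UNKNOWN"


if __name__ == "__main__":
    print(check_host_key(KNOWN_HOSTS, "bastion.example", "ssh-ed25519", KEY_B),
          fingerprint(KEY_B))
```

The four outcomes map onto the behaviour the comment describes: OK is the silent case, CHANGED is the loud warning (and, in OpenSSH, a refusal to continue with password authentication), UNKNOWN is what StrictHostKeyChecking decides to prompt on or reject, and REVOKED is always fatal. Left out for brevity are the `[host]:port` and wildcard host patterns that OpenSSH also accepts.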

Re: NSA Trojan installed by other malware

> Looks like the work of a certain $10 billion dollar guerrilla in the room, and its pet monkey sidekick.

State sponsored perhaps, but not necessarily US. There's at least four vassal allied countries who could do this. Then there's China and Russia, which rival the $10B gorilla when it comes to cyber warfare, and Iran, which, ah, tries its best. That Norton reports the malware suggests it was found on a western computer, so I'd guess China made it.


Re: Infection Vector?

While it's important to openly and honestly recognise security vulnerabilities, in many cases what's implied as "software insecurity" often has bugger-all to do with the security of the actual software, certainly in the realm of generally secure operating systems like GNU/Linux and *BSD, and is more likely to be due to a password compromised by social engineering, then used to gain full access, at which point it's game over and no amount of "software security" could possibly defend against it.

That's also true of most of what passes for "malware" on Android, nearly every example of which is actually a rogue application that must be deliberately downloaded, installed, granted permissions and run by the user. Again, that has exactly zero to do with "software security", it's PEBKAC, and I'm afraid there's no software on earth that can mitigate stupidity.

Genuine software insecurity is far more likely to be found in the realm of proprietary operating systems and applications, where the lack of public scrutiny of the sources means bugs, and consequently security vulnerabilities, are rife, and typically remain unaddressed for extended periods, long enough to be widely exploited.

So I doubt this latest scare has anything to do with the security of GNU/Linux or Free Software in general, at least there's been no evidence to support that theory. But those who despise the principle of intellectual freedom will nonetheless use any excuse to attack Free Software.

I still recall the retarded comments made by Ashley Highfield, former director of "Future Media and Technology" at the BBC, who infamously claimed: "It's almost a contradiction in terms, if you have DRM how can you have it open source? Because open source people will be able to find out how it works and get round it."

Highfield seemed blissfully ignorant of the fact that the sources for things like PGP were (and still are) available for decades, without its encryption being compromised. The same is true of most encryption software, so there's no reason DRM, or any other kind of software, should be any different.

Ironically (but unsurprisingly) Highfield went on to work for Microsoft, where he was responsible for such things as the proprietary MSN, Hotmail and Windows Live/Instant Messenger services, all of which have a long track record of security issues.

I find it odd that whenever there's a security breach involving GNU/Linux passwords being compromised by (typically) social engineering, much is made of the fact that it's Linux, and that Linux is Open Sauce®, but whenever genuine software insecurities are exposed in proprietary software, there's an eerie silence on the subject of closed sources.


Backdoor or Trojan?

I'd describe it as a backdoor if someone writing the official software sneaked in some unofficial code. If it sneaked itself in, then it'd be a Trojan. Injecting code into an already present file isn't exactly news, though. That's what viruses do, hence their name.


Re: Backdoor or Trojan?

No, it's properly called a backdoor. Any program that surreptitiously opens another way to access the system is by definition a backdoor. A program can be BOTH a trojan and a backdoor (it's the flow that determines if it's a backdoor or not--if the malware waits for a C&C to connect to it, it's a backdoor. If it actively seeks the C&C and connects to it, it's just a trojan).

As for how it got in, I would wager it piggybacked on another trojan that carried a privilege escalation exploit.


It's not a backdoor. It's a door.

If every Linux server running SSH has this vulnerability, THAT'S a backdoor - an alternative access mechanism that bypasses the authentication on the front door.

This is a botnet. Of one machine.


This wouldn't have happened if they were using Linux!

Err. .. oh bugger.

Seriously though the malware in this story seems to be of a level way above the usual windows effort. Guess the malware merchants have stopped looking at userland for their id theft needs..

Anonymous Coward

Re: This wouldn't have happened if they were using Linux!

the malware in this story seems to be of a level way above the usual windows effort.

That is what worries me. What I want to know is if this is someone clever, or someone with a Very Large Budget, i.e. government. Some people have very correctly asked how that code got to where it was because it requires fairly deep access, which is another thing I really don't like about it.

The traffic cloaking idea itself is not new, but it's impressive that they managed to inject it into an SSH stream - that's a serious notch beyond your average hack because it counters classic IT monitoring.


Re: The malware in this story seems to be of a level way above the usual windows effort.

Well it'd have to be, it infected a linux box and we all know they are secure by design!


Re: The malware in this story seems to be of a level way above the usual windows effort.

Well I'm going to downvote you because although mostly correct in your statement you missed out 'rather secure' or better 'exceptionally secure'

Happy

Re: The malware in this story seems to be of a level way above the usual windows effort.

Actually I was totally taking the piss.


Re: The malware in this story seems to be of a level way above the usual windows effort.

"Actually I was totally taking the piss."

Yes, I know. I enjoyed it all the more !


Re: This wouldn't have happened if they were using Linux!

That is what worries me. What I want to know is if this is someone clever, or someone with a Very Large Budget

"or"??


Re: This wouldn't have happened if they were using Linux!

Didn't say "xor"

Anonymous Coward

A million eyes look at the source

A million eyes looking at the source are only any good if they're looking in the right place and comprehend what they're seeing, otherwise you end up with attack vectors to allow insertion of malware like this.

Anonymous Coward

Re: A million eyes look at the source

No source code I think. The original attack vector isn't known (or at least the articles I find don't mention it).

And it may not be a Linux vector at all. Belgacom was likely a Windows Browser exploit, that infected a PC, captured passwords and logins which in turn captured servers.

So suppose a certain agency (e.g. MyNoc, the GCHQ hacking agency) infected the ISP's sysadmin's computer by intercepting Slashdot or LinkedIn and injecting the zero day exploit, spied on their PC, obtained the SSH password to the server, and from that they can install the backdoor.

What did Belgacom backdoor look like? Was *it* a blowfish encrypted protocol? Was it hanging off a public port like SSH?

http://www.computing.co.uk/ctg/news/2306175/gchq-used-fake-linkedin-pages-bearing-malware-to-attack-belgacom

"Comfone, Syniverse and Starhome Mach were all targeted by GCHQ for this information."

"The research into targets that worked at Belgacom and telecoms billing companies included not just LinkedIn profiles, but also Skype user names, home IP addresses, tablet computer use, Gmail addresses and any other social profiles that could be used to help compromise targets."

Man, that "be nice and encrypt the backdoor we just installed with a proper key" just *screams* government malware. You wouldn't want anyone with a supercomputer cracking your key after all, so better to use a decent crypto algorithm.


Re: A million eyes look at the source

This kind of thing makes me wonder about the whole "open source is inherently safe 'cos anybody can look at the code" thing.

I would question whether anybody actually does look at the code. I rather suspect that because it requires (a) a very high level of understanding and (b) a lot of time and effort, very few people (if any) actually do. How many actually download the code for the latest release, review it, and then compile it for their own machine? Doesn't everybody just download the latest update from a site they believe they can trust?

This is an honest question - I have no angle and am not trying to make any point. I would genuinely like to know.

Anonymous Coward

Re: A million eyes look at the source

Trouble for Linux is that its codebase moves too fast for an audit to be completed in a sensible timeframe. Whether that's a positive or negative is entirely up to you.


Re: A million eyes look at the source

It's not so much that having the source code solves all problems. It's that hiding the source code solves no problems and creates new ones.

If no-one can see the source code then it is very easy to make programs do things other than their advertised purpose. If anyone can see the source code, then you can try putting malware in your program, but you might get caught, so you are less likely to try. You might think that no-one will look at the code, but you can't be sure.

I think you're right that most code is not looked at, or not looked at in the right places by the right people. But exploits *are* found and fixed in widely used open source programs, so at least we can see something is working.

There are no certainties, only tradeoffs. A malware writer trades effort needed to make malware against expected value of information stolen. An end user trades effort spent attempting to prevent or detect malware against value of the information that needs protecting. Open source definitely increases the effort a malware writer needs to make to hide their work. Whether it reduces the effort you need to spend on prevention and detection probably depends on what you are doing.

Anonymous Coward

Re: A million eyes look at the source

If you can slipstream non SSH data into the SSH datastream, I'd say that was a pretty serious vulnerability.


Re: A million eyes look at the source

"Trouble for Linux is that it's codebase moves too fast for an audit to be completed"

No, what happens is that a Linux adopter (distro maintainer or hardware manufacturer or whoever) picks a stable baseline to "freeze", then does whatever audits and analysis and testing is needed. This is why new products usually ship with a version of the kernel that is several months old. Nobody *has* to use the latest code - pick a baseline. It's not going anywhere! :-)


@AC re slipstream SSH datastream

Yes it would be, especially if it could be done from outside the SSH client/server communication stream. But this does not appear to be what has happened. This is hijacking one end or the other, and intercepting/injecting the data at one end of the secure pipe as it were.

Just to point out that SSH is *NOT* part of Linux. It's not in the kernel, nor part of the GNU toolchain, and although it is in the repositories of most distributions, it's also available for most UNIX systems, and also for Windows and probably any other network enabled operating system as well. It's a cross-platform tool. What is important is how and by what vector it was compromised.

So there is a vector (possibly OS specific) that was used to break into SSH, and SSH itself is a vector to compromise whatever OS is being used. Which may be Linux.


Re: @AC re slipstream SSH datastream

So there is a vector (possibly OS specific) that was used to break into SSH, and SSH itself is a vector to compromise whatever OS is being used. Which may be Linux.

No-one has suggested that sshd was broken into, only that once the server was broken into with enhanced credentials, that allowed them to install a backdoor that hooked itself into sshd.

