Researchers find out New Linux Backdoor

Security researchers from Doctor Web, a Russian Anti-malware
company, have detected a new backdoor dubbed Linux.BackDoor.Dklkt.1 that targets Linux operating systems.
However, the signature of the backdoor has been added to
Dr.Web virus databases. So, its Linux users are under reliable protection.
“It clear that creators of this malicious program planned to
equip it with wide variety of powerful features, but bringing all their
intentions to life proved rather problematic at the moment, not all of the
program’s components work as they should,” the researchers wrote in a blog.
The researchers have claimed that backdoor is supposedly of
Chinese origin. They have said that the virus makers tried to create a
multi-component malicious program encompassing a large number of functional
properties.
“For example, they wanted to equip it with functions typical
of file managers, DDoS Trojans, proxy servers, and so on,” they added.
“However, not all of these plans were destined to see the light. Moreover,
virus makers attempted to make a cross-platform program out of their creation; so
that the executable file could be assembled both for Linux and Windows
architectures. However, due to carelessness of cybercriminals, the disassembled
code contains some strange constructions that have absolutely nothing to do
with Linux.”
According to the researchers, the backdoor checks the folder
from which it is run for the configuration file containing all operating
settings. The file has three addresses of command and control servers. One of
them is used by the backdoor, while the other two are stored for backup
purposes. The configuration file is encrypted with Base64.
Once the backdoor gets activated, it tries to register
itself in the system as a domain (system service). If the attempt fails, the
backdoor terminates its work.
“Once the malicious program is successfully run, it sends
the server information on the infected system; at that, the transmitted data is
compressed with LZO and encrypted with the Blowfish algorithm. In addition to
that, every packet contains a checksum, so that the recipient could verify data
integrity,” the researchers explained.
Researchers have said that then Linux.BackDoor.Dklkt.1 waits
for incoming commands that can include launching a DDoS attack, starting SOCKS
proxy server, running a specified application, rebooting the computer or
turning it off.

Leave a Reply