In May of this year, sophisticated attackers breached a large Internet hosting provider and gained access to internal administrative systems. The attackers appear to have been after customer record information such as usernames, emails, and passwords. While these internal administrative systems had access to customer records, discovery of the attack and certain security implementations mitigated the scope of the breach. Customer passwords were accessible, but these passwords were hashed and salted making mass password cracking difficult. Customer financial information was also accessible, but encrypted. Unfortunately, access to the encryption key cannot be ruled out. While breaches of organizations and mass customer record dumps are posted almost daily, this particular attack was more sophisticated than we have seen in the past.
The attackers understood the target environment was generally well protected. In particular, the attackers needed a means to avoid suspicious network traffic or installed files, which may have triggered a security review. Demonstrating sophistication, the attackers devised their own stealthy Linux back door to camouflage itself within the Secure Shell (SSH) and other server processes.
This back door allowed an attacker to perform the usual functionality—such as executing remote commands—however, the back door did not open a network socket or attempt to connect to a command-and-control server (C&C). Rather, the back door code was injected into the SSH process to monitor network traffic and look for the following sequence of characters: colon, exclamation mark, semi-colon, period (“:!;.”).
After seeing this pattern, the back door would parse the rest of the traffic and then extract commands which had been encrypted with Blowfish and Base64 encoded.
Figure. Example of injected command
The attacker could then make normal connection requests through SSH or other protocols and simply embed this secret sequence within some otherwise legitimate traffic to avoid detection. The commands would be executed and the result sent back to the attacker. This back door code is not similar to any other Linux back door that Security Response has previously analysed.
The fragmented file is a shared library and appears to hook a number of functions (read, EVP_CipherInit, fork, ioctl, etc.). Once the code is activated, it can perform the following actions:
- Execute any command the attacker submits through;
exec sh -c '[ATTACKER_COMMAND]' >/dev/null 2>/dev/null
- Execute one of several preconfigured commands and retrieve output from those commands
- Retrieve the following data from individual SSH connections:
- Connecting hostname, IP address, and port
- Username and password or SSH key
- Encrypt stolen data or command responses using blowfish, and then send to attacker
To identify the presence of this back door on your network, look for traffic that contains the “:!;.” string (excluding quotes). Traffic which contains this string will not appear in SSH logs. Another identification method is to dump the SSHD process and search for the following strings within the dump (where [VALUE] can be various values):
key=[VALUE]
dhost=[VALUE]
hbt=3600
sp=[VALUE]
sk=[VALUE]
dip=[VALUE]
Symantec protects customers by detecting this back door as Linux.Fokirtor.