|
|
|
Linux Back Door Uses Covert Communication Protocol |
Si vous voulez bloquer ce service sur vos fils RSS
Si vous voulez nous contacter ou nous proposer un fil RSS
Menu > Articles de la revue de presse : - l'ensemble [ tous | francophone] - par mots clé [ tous] - par site [ tous] - le tagwall [ voir] - Top bi-hebdo de la revue de presse [ Voir]
Présentation : In May of this year, sophisticated attackers breached a large Internet hosting provider and gained access to internal administrative systems. The attackers appear to have been after customer record information such as usernames, emails, and passwords. While these internal administrative systems had access to customer records, discovery of the attack and certain security implementations mitigated the scope of the breach. Customer passwords were accessible, but these passwords were hashed and salted making mass password cracking difficult. Customer financial information was also accessible, but encrypted. Unfortunately, access to the encryption key cannot be ruled out. While breaches of organizations and mass customer record dumps are posted almost daily, this particular attack was more sophisticated than we have seen in the past. The attackers understood the target environment was generally well protected. In particular, the attackers needed a means to avoid suspicious network traffic or installed files, which may have triggered a security review. Demonstrating sophistication, the attackers devised their own stealthy Linux back door to camouflage itself within the Secure Shell SSH and other server processes. This back door allowed an attacker to perform the usual functionality such as executing remote commands however, the back door did not open a network socket or attempt to connect to a command-and-control server C C . Rather, the back door code was injected into the SSH process to monitor network traffic and look for the following sequence of characters colon, exclamation mark, semi-colon, period . . After seeing this pattern, the back door would parse the rest of the traffic and then extract commands which had been encrypted with Blowfish and Base64 encoded. 3357137-fig.png Figure. Example of injected command The attacker could then make normal connection requests through SSH or other protocols and simply embed this secret sequence within some otherwise legitimate traffic to avoid detection. The commands would be executed and the result sent back to the attacker. This back door code is not similar to any other Linux back door that Security Response has previously analysed. The fragmented file is a shared library and appears to hook a number of functions read, EVP_CipherInit, fork, ioctl, etc. . Once the code is activated, it can perform the following actions Execute any command the attacker submits through exec sh -c ' ATTACKER_COMMAND ' dev null 2 dev null Execute one of several preconfigured commands and retrieve output from those commands Retrieve the following data from individual SSH connections Connecting hostname, IP address, and port Username and password or SSH key Encrypt stolen data or command responses using blowfish, and then send to attacker To identify the presence of this back door on your network, look for traffic that contains the . string excluding quotes . Traffic which contains this string will not appear in SSH logs. Another identification method is to dump the SSHD process and search for the following strings within the dump where VALUE can be various values key VALUE dhost VALUE hbt 3600 sp VALUE sk VALUE dip VALUE Symantec protects customers by detecting this back door as Linux.Fokirtor.
Les mots clés de la revue de presse pour cet article : linux protocol
Les videos sur SecuObs pour les mots clés : linux protocol
Les mots clés pour les articles publiés sur SecuObs : linux protocol
Les éléments de la revue Twitter pour les mots clé : linux protocol
Les derniers articles du site "Symantec Connect Security Response Billets" :
- What you need to know about election apps and your personal data
- Microsoft Patch Tuesday April 2016
- New Adobe Flash Player exploit used by Magnitude and Nuclear exploit kits
- Latest Intelligence for March 2016
- New Flash zero-day exploited by attackers in the wild
- Samsam may signal a new trend of targeted ransomware
- Four tax scams to watch out for this tax season
- Most prevalent Android ransomware in the West arrives in Japan
- Taiwan targeted with new cyberespionage back door Trojan
- Seven Iranians charged in relation to cyberattacks against US
Menu > Articles de la revue de presse : - l'ensemble [ tous | francophone] - par mots clé [ tous] - par site [ tous] - le tagwall [ voir] - Top bi-hebdo de la revue de presse [ Voir]
Si vous voulez bloquer ce service sur vos fils RSS :
- avec iptables "iptables -A INPUT -s 88.190.17.190 --dport 80 -j DROP"
- avec ipfw et wipfw "ipfw add deny from 88.190.17.190 to any 80"
- Nous contacter par mail
| Mini-Tagwall des articles publiés sur SecuObs : | | | | sécurité, exploit, windows, attaque, outil, microsoft, réseau, audit, metasploit, vulnérabilité, système, virus, internet, usbsploit, données, source, linux, protocol, présentation, scanne, réseaux, scanner, bluetooth, conférence, reverse, shell, meterpreter, vista, rootkit, détection, mobile, security, malicieux, engineering, téléphone, paquet, trames, https, noyau, utilisant, intel, wishmaster, google, sysun, libre |
| Mini-Tagwall de l'annuaire video : | | | | curit, security, biomet, metasploit, biometric, cking, password, windows, botnet, defcon, tutorial, crypt, xploit, exploit, lockpicking, linux, attack, wireshark, vmware, rootkit, conference, network, shmoocon, backtrack, virus, conficker, elcom, etter, elcomsoft, server, meterpreter, openvpn, ettercap, openbs, iphone, shell, openbsd, iptables, securitytube, deepsec, source, office, systm, openssh, radio |
| Mini-Tagwall des articles de la revue de presse : | | | | security, microsoft, windows, hacker, attack, network, vulnerability, google, exploit, malware, internet, remote, iphone, server, inject, patch, apple, twitter, mobile, virus, ebook, facebook, vulnérabilité, crypt, source, linux, password, intel, research, virtual, phish, access, tutorial, trojan, social, privacy, firefox, adobe, overflow, office, cisco, conficker, botnet, pirate, sécurité |
| Mini-Tagwall des Tweets de la revue Twitter : | | | | security, linux, botnet, attack, metasploit, cisco, defcon, phish, exploit, google, inject, server, firewall, network, twitter, vmware, windows, microsoft, compliance, vulnerability, python, engineering, source, kernel, crypt, social, overflow, nessus, crack, hacker, virus, iphone, patch, virtual, javascript, malware, conficker, pentest, research, email, password, adobe, apache, proxy, backtrack |
|
|
|
|
|
