Linux backdoor planted on company network to monitor traffic, steal data

Share this article:
The backdoor trojan, dubbed "Fokirtor," was discovered in June by Symantec researchers.
The backdoor trojan, dubbed "Fokirtor," was discovered in June by Symantec researchers.

While investigating the breach of a large internet hosting provider, researchers discovered a Linux backdoor capable of stealing login credentials from secure shell (SSH) connections.

Symantec researchers detected in June that the trojan, dubbed “Fokirtor,” was on the unnamed company's network. The May breach exposed the login credentials of customers, according to a Wednesday blog post by the security firm.

While passwords were hashed and salted by the company, Symantec revealed that by leveraging Fokirtor attackers could have accessed the encryption key that secured the organizations' internal communications.

The Fokirtor trojan targets users running the Linux operating system, an open source platform that is generally known to dispatch speedier patches given its community of tech-savvy users.  

“This backdoor allowed an attacker to perform the usual functionality – such as executing remote commands – however, the backdoor did not open a network socket or attempt to connect to a command-and-control server,” the blog post said, later adding that the trojan, instead, injected itself into the organization's SSH process to extract encrypted commands.

Fokirtor could ultimately allow an attacker to execute commands of their choosing and even collect data from individual SSH connections, like the connecting hostname, IP address, port and SSH key used to authenticate users.

On Friday, Satnam Narang, a researcher on the Symantec Security Response team, told SCMagazine.com via email that the attackers realized they would need the “sophisticated” trojan to conceal their access to the target's network.

“The attackers understood that the target environment was well protected, so they needed to find a means to avoid a potential security review in order to remain hidden,” Narang wrote. “Therefore, they crafted this stealthy backdoor to camouflage itself within the secure shell (SSH) and other processes."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Kevin Mitnick to sell zero-day exploits

Kevin Mitnick's new venture will develop and procure zero-day exploits, then sell them for $100,000 or more.

FBI warns of potential cyber attacks launched by ISIS hacktivists

Following U.S. military airstrikes in the Middle East, the FBI has issued a warning regarding possible cyber threats aimed at U.S. networks and critical infrastructure by hacktivists in support of ISIS.

Report: 75 million records compromised so far in 2014

Report: 75 million records compromised so far in ...

An updated report indicates that since this time last year, breaches have increased by 29.4 percent, with 568 breaches occurring this year.