Linux backdoor planted on company network to monitor traffic, steal data

Share this article:
The backdoor trojan, dubbed "Fokirtor," was discovered in June by Symantec researchers.
The backdoor trojan, dubbed "Fokirtor," was discovered in June by Symantec researchers.

While investigating the breach of a large internet hosting provider, researchers discovered a Linux backdoor capable of stealing login credentials from secure shell (SSH) connections.

Symantec researchers detected in June that the trojan, dubbed “Fokirtor,” was on the unnamed company's network. The May breach exposed the login credentials of customers, according to a Wednesday blog post by the security firm.

While passwords were hashed and salted by the company, Symantec revealed that by leveraging Fokirtor attackers could have accessed the encryption key that secured the organizations' internal communications.

The Fokirtor trojan targets users running the Linux operating system, an open source platform that is generally known to dispatch speedier patches given its community of tech-savvy users.  

“This backdoor allowed an attacker to perform the usual functionality – such as executing remote commands – however, the backdoor did not open a network socket or attempt to connect to a command-and-control server,” the blog post said, later adding that the trojan, instead, injected itself into the organization's SSH process to extract encrypted commands.

Fokirtor could ultimately allow an attacker to execute commands of their choosing and even collect data from individual SSH connections, like the connecting hostname, IP address, port and SSH key used to authenticate users.

On Friday, Satnam Narang, a researcher on the Symantec Security Response team, told SCMagazine.com via email that the attackers realized they would need the “sophisticated” trojan to conceal their access to the target's network.

“The attackers understood that the target environment was well protected, so they needed to find a means to avoid a potential security review in order to remain hidden,” Narang wrote. “Therefore, they crafted this stealthy backdoor to camouflage itself within the secure shell (SSH) and other processes."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

WikiLeaks makes FinFisher surveillance software available to public

Copies of controversial surveillance software, called "FinFisher," were made available for public scrutiny by WikiLeaks.

Researcher challenges reports that BlackPOS variant struck Home Depot

Nuix believes the malware found on Home Depot's systems belongs to a different threat family.

Documents reveal NSA plans to map every internet connected device in the ...

Documents provided by Edward Snowden reveal that the NSA is looking to build a near real-time map of every single internet-connected device in the world.