Two stealthy Linux malware samples uncovered, following in Windows variants' tracks

Two new variants of malware targeting government and business targets have been unearthed.
Written by Liam Tung, Contributing Writer

Security researchers have uncovered two Linux variants of a complex piece of Windows malware, which is known to have previously targeted embassies, the military, and pharmaceutical companies.

The new Linux malware follows the discovery of a family of Windows malware known as Turla, which researchers at Kaspersky and Symantec uncovered earlier this year. The malware is thought to be government-created and originating from Russia.

Turla for Windows infected several hundred computers in more than 45 countries, according to Kaspersky. The malware relied on social engineering techniques, such as booby-trapped PDFs, to target users. Watering hole websites - selected due to the profile of the site's typical visitors - were also used. The Windows Turla attacks exploited at least two zero-day flaws affecting Windows and Adobe Reader.

The new, related Linux samples provide the attackers "broader system support at victim websites", according to Kaspersky researchers Kurt Baumgartner and Costin Raiu, who suspect the component was "running for years at a victim site".

The sample is capable of hidden network communications, arbitrary remote command execution, and remote management.

The link to the Windows Turla campaign comes via the Linux sample sharing the same hardcoded command-and-control domain.

However, the Linux malware is based on an old and publicly available proof-of-concept backdoor known as 'cd00r.c', developed by hackers at phenoelit.org to solve the visibility 'problem' of standard backdoors. As phenoelit.org noted at the time, cd00r.c could be used for attack or defence.

"Standard backdoors and remote access services have one major problem: The ports they are listening on are visible on the system console as well as from outside (by port scanning)," phenoelit.org explains.

"The approach of cd00r.c is to provide remote access to the system without showing an open port all the time. This is done by using a sniffer on the specified interface to capture all kinds of packets. The sniffer is not running in promiscuous mode to prevent a kernel message in syslog and detection by programs like AntiSniff."

As Kaspersky's Baumgartner and Raiu explain, whoever wrote the Linux module borrowed the concept to enable remote command executions, but instead of using 'magic' SYN packets to run stealthy commands, opted for 'magic' TCP/UDP packets.

"In simple terms, it checks for an ACK number in the TCP header, or the second byte from the UDP packet body," they said.

"If such a packet is received and the condition check is successful, execution jumps to the packet payload contents, and it creates a regular socket. The backdoor handles this socket as a file with read/write operations. It's not the typical recv/send used in this code. It uses this new socket to connect to the source address of the 'magic packets'. Then it reports its own PID and IP to the remote address, and starts an endless loop for receiving remote commands. When a command arrives, it is executed with a '/bin/sh -c' script."
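The trigger check quoted above (a TCP ACK number, or the second byte of a UDP body) is simple enough to mirror as a detection filter. The following is an added example, not code from the article or from Kaspersky: it parses raw IPv4 packets, flags the two conditions against watch values, and runs over constructed sample packets. The magic values are placeholders, since the article does not give the real ones.

```python
import struct

# Hypothetical watch values: the article does not publish the real trigger values.
MAGIC_ACK = 0xDEADBEEF   # TCP ACK number to watch for (placeholder)
MAGIC_UDP_BYTE = 0x42    # second byte of the UDP body to watch for (placeholder)

def parse_ipv4(pkt):
    """Return (protocol, layer-4 bytes) for a raw IPv4 packet, or None if too short."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    return pkt[9], pkt[ihl:]           # pkt[9] is the protocol field

def check_packet(pkt, magic_ack=MAGIC_ACK, magic_udp=MAGIC_UDP_BYTE):
    """Return 'tcp-ack' or 'udp-byte' when the quoted trigger condition matches, else None."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    proto, l4 = parsed
    if proto == 6 and len(l4) >= 20:                   # TCP: ACK number at offset 8
        if struct.unpack("!I", l4[8:12])[0] == magic_ack:
            return "tcp-ack"
    elif proto == 17 and len(l4) >= 10:                # UDP: 8-byte header, body follows
        if l4[9] == magic_udp:                         # l4[8] is body[0], l4[9] is body[1]
            return "udp-byte"
    return None

# Constructed sample packets (not real captures); checksums are left as zero.
def build_ipv4(proto, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + l4

def build_tcp(ack):
    # src port, dst port, seq, ack, data offset 5 words, ACK flag, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, ack, 5 << 4, 0x10, 1024, 0, 0)

def build_udp(body):
    return struct.pack("!HHHH", 40000, 53, 8 + len(body), 0) + body

SAMPLES = {
    "benign_tcp": build_ipv4(6, build_tcp(12345)),
    "magic_tcp": build_ipv4(6, build_tcp(MAGIC_ACK)),
    "benign_udp": build_ipv4(17, build_udp(b"\x00\x01\x02")),
    "magic_udp": build_ipv4(17, build_udp(b"\x00\x42")),
}

def scan(samples=SAMPLES):
    """Map each sample name to the matched trigger, or None when nothing matched."""
    return {name: check_packet(pkt) for name, pkt in samples.items()}
```

A real deployment would feed this from a capture source and pair it with the behavioural signal the article describes: a new outbound connection from the host back to the source of the matching packet.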

Turla is one of a handful of malware families suspected to have been developed by government agencies around the world. The US is suspected to have built the malware Stuxnet, Flame, and the recently outed Regin, while Russia is thought to be behind Red October and Spain is believed to have created The Mask.

Security vendors were criticised for not releasing information about Regin despite being aware of the malware for several years. Symantec released details about the malware on a Sunday, ahead of an independent report by The Intercept.

Security veteran Bruce Schneier recently argued that antivirus vendors have a responsibility to disclose what they know about suspected government malware even if they have an incomplete picture of it.

"Right now, antivirus companies are probably sitting on incomplete stories about a dozen more varieties of government-grade malware. But they shouldn't. We want, and need, our antivirus companies to tell us everything they can about these threats as soon as they know them, and not wait until the release of a political story makes it impossible for them to remain silent," Schneier said.
