Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus


Posts Tagged ‘backdoor’
January 6th, 2015

Linux DDoS Trojan hiding itself with an embedded rootkit

10867127_1516649011939387_257681840_nAt the end of September 2014, a new threat for the Linux operating system dubbed XOR.DDoS forming a botnet for distributed denial-of-service attacks was reported by the MalwareMustDie! group. The post mentioned the initial intrusion of SSH connection, static properties of related Linux executable and encryption methods used. Later, we realized that the installation process is customized to a victim’s Linux environment for the sake of running an additional rootkit component. In this blog post, we will describe the installation steps, the rootkit itself, and the communication protocol for getting attack commands.

Installation Script & Infection Vector

The infection starts by an attempt to brute force SSH login credentials of the root user. If successful, attackers gain access to the compromised machine, then install the Trojan usually via a shell script. The script contains procedures like main, check, compiler, uncompress, setup, generate, upload, checkbuild, etc. and variables like __host_32__, __host_64__, __kernel__, __remote__, etc. The main procedure decrypts and selects the C&C server based on the architecture of the system.

In the requests below, iid parameter is the MD5 hash of the name of the kernel version. The script first lists all the modules running on the current system by the command lsmod. Then it takes the last one and extracts its name and the parameter vermagic. In one of our cases, the testing environment runs under “3.8.0-19-generic\ SMP\ mod_unload\ modversions\ 686\ “, which has the MD5 hash equal to CE74BF62ACFE944B2167248DD0674977.  Read more…

January 17th, 2014

Has the NSA installed spyware on your new computer before you opened the box?

nsaAn article in German magazine Der Spiegel stated that the NSA is capable of installing backdoors on devices by Juniper Networks (firewall manufacturer), Cisco and Huawei (giant network device manufacturers), and also, Dell. According to the article, a special hacking team intercepted some new computer deliveries to secretly install spyware in these machines. Der Spiegel did not reveal how they got access to this information, although it’s public that they have access to secret information leaked by the former NSA contractor, Edward Snowden.

The magazine has access to secret documents describing a method of direct attack on an end-user device called “interdiction.” If a person was being investigated and bought a new computer, the Tailored Access Operations division (TAO) of the NSA could have access to it. They collect online information using a tool called XKeyscore, like the British journal The Guardian revealed last July. They also are able to redirect the internet traffic to their own servers. Der Spiegel said that this redirection occured with high success (50%) when people were browsing the professional network LinkedIn.

But I’m not interesting enough…

Ok. You’ll say that you’re not included in the “interesting” people to be investigated by the NSA. What you need to know, quickly, is that there are tons of spyware and behavior monitoring tools being distributed all over the world. Our team detected more than 6 million of them disguised as toolbars for browsers. These nasties monitor everything from your browser habits to your personal information.

Similar to NSA, some “security companies” do this dirty job of monitoring. Did you read about avast! BrowserCleaner yet? You can get rid of spyware toolbars using this tool inside avast! Antivirus products, or you can download the standalone version here. Learn more about it in this blog entry. And, of course, do not forget to alert your friends and family.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on FacebookTwitter and Google+. Business owners – check out our business products.

Categories: General Tags: , , , ,
August 27th, 2013

Linux Trojan “Hand of Thief” ungloved

A new threat for the Linux platform was first mentioned on August 7th by RSA researchers, where it was dubbed Hand of Thief.  The two main capabilities of this Trojan are form-grabbing of Linux-specific browsers and entering a victim’s computer by a back-door. Moreover, it is empowered with features like anti-virtualization and anti-monitoring. With the level of overall sophistication Hand of Thief displays, it can be compared to infamous non-Windows threats such as the FlashBack Trojan for MacOsX platform discovered last year or Trojan Obad for Android from recent times.

A detailed analysis uncovers the following structure of the initial file with all parts after the dropper being encrypted (hexadecimal number displays starting offset of a block):


Read more…