Friday, February 22, 2013
Malicious code Sshdkit attacks Linux servers
The Trojan's propagation mechanism is still not fully understood, but there is reason to believe that it is installed on a server by exploiting a critical vulnerability. The latest version known to "Doctor Web" specialists is numbered 1.2.1, and one of the earliest, 1.0.3, has been in circulation for quite a long time.
After a successful installation, the Trojan embeds itself in the sshd process and intercepts the process's authentication function. Once a session is established and the user name and password have been entered successfully, they are sent to the attacker's remote server over the UDP protocol. The IP address of the control center is "sewn" into the body of the Trojan, but the command server address is regenerated every two days. For this, Linux.Sshdkit uses a peculiar algorithm for selecting the command server name.
The Linux.Sshdkit algorithm generates two DNS names; if both resolve to the same IP address, that address is converted into a different IP address, and it is to this address that the Trojan sends the stolen information.
Experts managed to seize one of the Linux.Sshdkit command servers using the well-known sinkhole method, and thus obtained practical proof that the Trojan sends the logins and passwords from the attacked server to remote hosts. One sign of infection may be the presence of a library /lib/libkeyutils* with a size of 20 to 35 KB.
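The size indicator above is the only concrete artifact the post gives, so here is an added defender-side check (example code written for this page, not a Doctor Web tool) that looks for libkeyutils* files whose size falls in the 20 to 35 KB band and then reports which running processes, sshd in particular, have such a file mapped via /proc/<pid>/maps. The directory list, the byte thresholds (1 KB taken as 1024 bytes) and the /proc parsing are assumptions of this example; a hit is a reason to compare the file against the distribution package, not proof of infection on its own.

```python
#!/usr/bin/env python3
"""Check for the libkeyutils size indicator described in the Linux.Sshdkit post.

Added example, not code from Doctor Web. It flags libkeyutils* files sized
20-35 KB and lists processes that have one of them mapped. Directory list,
thresholds and /proc handling are assumptions of this example.
"""
import os
import re
import tempfile
from pathlib import Path

# Where distributions commonly install libkeyutils (assumption for this example).
DEFAULT_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64",
                    "/lib/x86_64-linux-gnu", "/usr/lib/x86_64-linux-gnu")

# Size band from the post, taking 1 KB = 1024 bytes (assumption).
SUSPECT_MIN = 20 * 1024
SUSPECT_MAX = 35 * 1024

# /proc/<pid>/maps: address perms offset dev inode [pathname]; keep file-backed maps only.
MAPS_PATH_RE = re.compile(r"\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(/\S+)")


def suspicious_libkeyutils(lib_dirs=DEFAULT_LIB_DIRS, lo=SUSPECT_MIN, hi=SUSPECT_MAX):
    """Return sorted [(path, size)] for regular libkeyutils* files with lo <= size <= hi."""
    hits = []
    for d in lib_dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for p in base.glob("libkeyutils*"):
            # Skip the soname symlinks so the real file is reported once.
            if p.is_symlink() or not p.is_file():
                continue
            size = p.stat().st_size
            if lo <= size <= hi:
                hits.append((str(p), size))
    return sorted(hits)


def mapped_paths(maps_text):
    """Extract the set of file paths mapped in one /proc/<pid>/maps listing."""
    return {m.group(1) for m in (MAPS_PATH_RE.match(l) for l in maps_text.splitlines()) if m}


def processes_mapping(paths, proc_root="/proc"):
    """Return {pid: comm} for processes whose maps reference any of `paths`."""
    wanted = {os.path.realpath(p) for p in paths}
    found = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            maps = Path(proc_root, entry, "maps").read_text()
            comm = Path(proc_root, entry, "comm").read_text().strip()
        except OSError:
            continue  # process exited, or no permission to read its maps
        if wanted & {os.path.realpath(p) for p in mapped_paths(maps)}:
            found[int(entry)] = comm
    return found


def make_constructed_sample():
    """Create a temp dir with two constructed files: one inside the band, one below it."""
    d = tempfile.mkdtemp(prefix="sshdkit_example_")
    Path(d, "libkeyutils.so.1.3").write_bytes(b"\x00" * (25 * 1024))  # 25 KB: flagged
    Path(d, "libkeyutils.so.1.2").write_bytes(b"\x00" * (10 * 1024))  # 10 KB: not flagged
    os.symlink("libkeyutils.so.1.3", os.path.join(d, "libkeyutils.so.1"))  # symlink: skipped
    return d


if __name__ == "__main__":
    hits = suspicious_libkeyutils()
    if not hits:
        print("no libkeyutils* file in the 20-35 KB band found")
    for path, size in hits:
        print(f"SUSPECT {path} ({size} bytes); verify against the package manager")
    for pid, comm in processes_mapping([h[0] for h in hits]).items():
        print(f"  mapped by pid {pid} ({comm})")
```

Run it as root so that every process's maps file is readable; a legitimate libkeyutils can also land in this size band on some builds, so the package verification step (for example `rpm -V` or `dpkg --verify` on the owning package) is what decides.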