November 20, 2014

Doctor Web security researchers have examined a dangerous malicious program for Linux. Added into the database under the name Linux.BackDoor.Fgt.1, the malware is designed to mount DDoS attacks.

After its launch on an infected device, Linux.BackDoor.Fgt.1 sends a request to one of Google's servers to determine whether the device is connected to the Internet and, if the response is affirmative, determines the device's IP and MAC addresses. Then Linux.BackDoor.Fgt.1 attempts to communicate with the command and control (C&C) server whose address is hardcoded in the backdoor's body, by sending information about its version to the server. In response, Linux.BackDoor.Fgt.1 expects to receive a block of data containing the command that is to be executed on the infected device. If the C&C server sends the instruction PING, the backdoor sends back PONG and continues to operate on the infected device. If the command DUP is received, Linux.BackDoor.Fgt.1 shuts down.

The backdoor incorporates a special routine to scan 256 random IP addresses in one loop. The scan cycle is initiated by the attackers. While generating IP addresses, Linux.BackDoor.Fgt.1 checks whether they fall within the address range used within the LAN—these addresses are ignored. If connection fails, Linux.BackDoor.Fgt.1 sends the information about the failure to the attackers' C&C server. If a connection is established, the malicious program tries to connect to a remote host port via Telnet and stands by for a login prompt. After sending a login from its generated list to the remote host, Linux.BackDoor.Fgt.1 begins to analyse the remote machine’s responses. If any of them contains a password request, the backdoor tries to log in by providing passwords found on its list. If successful, Linux.BackDoor.Fgt.1 forwards to the C&C server the IP address, login and password it used for remote host authorisation, and the target node is instructed to download a special script. The script is used to download and launch Linux.BackDoor.Fgt.1 on the compromised machine. It is noteworthy that the C&C server stores a large number of Linux.BackDoor.Fgt.1 executable files compiled for different Linux versions and distributions, including MIPS and SPARC server ports. Thus, the backdoor can infect not only Internet-connected servers and PCs running Linux, but also other devices, such as routers.

Linux.BackDoor.Fgt.1 can execute a number of intruder-issued commands, including the following:

• Determine the infected device's IP address;
• Start/stop IP scanning;
• Mount a DNS amplification attack on a specified host;
• Mount a UDP Flood attack on a specified host;
• Mount a SYN Flood attack on a specified node;
• Cease DDoS attacks;
• Shutdown the backdoor.

A definition for Linux.BackDoor.Fgt.1 that enables the anti-virus to detect and remove the program has been added to the Dr.Web virus database, so machines running Doctor Web anti-viruses for Linux are well protected from any danger.