July 23, 2015
The backdoor that was named Linux.BackDoor.Dklkt.1 is supposedly of Chinese origin. Virus makers tried to create a multicomponent malicious program encompassing a large number of functional properties; for example, they wanted to equip it with functions typical of file managers, DDoS Trojans, proxy servers, and so on. However, not all of these plans were destined to see the light. Moreover, virus makers attempted to make a cross-platform program out of their creation; so that the executable file could be assembled both for Linux and Windows architectures. However, due to carelessness of cybercriminals, the disassembled code contains some strange constructions that have absolutely nothing to do with Linux.
Once launched, Linux.BackDoor.Dklkt.1 checks the folder from which it is run for the configuration file containing all operating settings. This file has three addresses of command and control servers; one of them is used by the backdoor, while the other two are stored for backup purposes. The configuration file is encrypted with Base64. After Linux.BackDoor.Dklkt.1 is activated, it tries to register itself in the system as a domain (system service). If the attempt fails, the backdoor terminates its work.
Once the malicious program is successfully run, it sends the server information on the infected system; at that, the transmitted data is compressed with LZO and encrypted with the Blowfish algorithm. In addition to that, every packet contains a checksum, so that the recipient could verify data integrity.
Then Linux.BackDoor.Dklkt.1 waits for incoming commands that can include launching a DDoS attack, starting SOCKS proxy server, running a specified application, rebooting the computer or turning it off. Other commands are either ignored or processed incorrectly. The following are commands that can be executed by Linux.BackDoor.Dklkt.1:
- SYN Flood
- HTTP Flood (POST/GET requests)
- ICMP Flood
- TCP Flood
- UDP Flood
The signature of Linux.BackDoor.Dklkt.1 has been added to Dr.Web virus databases. Thus, users of Dr.Web for Linux are under reliable protection.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.