Malware writers create faulty cross-platform malware

Malware could infect both Linux and Windows but luckily fails to do anything scary. .

Malware writers create faulty cross-platform malware
Malware writers create faulty cross-platform malware

Security researchers have detected new malware that has been designed to be a backdoor into Linux systems and can also cross-infect Windows machine. However, the malware is also so badly designed that it fails to work as effectively as it should.

Dubbed Linux.BackDoor.Dklkt.1, the Trojan was discovered by IT security company Dr. Web. The researchers said the backdoor was possibly of Chinese origin and its creators planned to equip the program with a large number of functions typical of SOCKS proxy servers, remote shells, file managers, and so on.

However, the virus developers also neglected to ensure the malware responded to several commands to commence. It put this down to poor design of the malware.

The Trojan, which refers to itself as “DDoS Attacker for Gh0st (sweet version 1.0)”, has been created in such a way that its executable file could be assembled both for Linux and Windows architectures. Once launched, Linux.BackDoor.Dklkt.1 checks the folder from which it is run for the configuration file.

One parameter, ‘Config' indicates the path to the configuration file (in Linux) or to the system registry branch where configuration data is stored (in Windows).

“The configuration file contains three addresses of command and control servers; one of them is used by the backdoor, while the other two are stored for backup purposes,” said the researchers in an advisory.

After the malware is activated, it tries to register itself in the system as a daemon (system service). If the attempt fails, the backdoor terminates its work.

Once the malicious program is successfully run, it sends the server a packet with the information on the infected system and backdoor's parameters. It uses LZO compression and the Blowfish encryption algorithm to communicate with command and control servers.

Once this packet is sent, the Trojan stands ready to receive incoming commands, according to the researchers. But the firm noted that several commands, such as update itself, receive user data and remove itself, are ignored by the malware. Among the commands that do work include change remark, open shell, run an application, start proxy, exit, reboot and turn off a computer.

However, the researchers said the Trojan could still launch distributed denial-of-service (DDoS) attacks such as SYN Flood, HTTP Flood (POST/GET request), ICMP Flood, TCP Flood, and UDP Flood. But a Drv Flood attack has not been implemented by the malware.

Ken Munro of Pen Test Partners, told SCMagazineUK.com that the malware “appears to be a bit of a mash-up and not fully completed. It doesn't seem to offer a particularly unique selling point over existing Trojans”.

“For example Kaiten had most of this functionality in 2006 ( https://www.symantec.com/security_response/writeup.jsp?docid=2006-021417-0144-99&tabid=2 ) except for the encrypted communications,” he added.

“Typically, it would be easier, quicker and more portable to write it in perl, as this is present on most Linux machines. Writing in C/C++ does obscure the code somewhat but does not defeat a determined reverse engineer."

Dave Larson, chief technical officer at Corero Network Security, said that the Trojan capitalises on vulnerable Linux (and seemingly Windows) servers as a command and control program for executing flood-based DDoS attacks at target victims.

“The fact that another vulnerability has been identified, and yet another tool has been created to launch DDoS attacks is not really news at all. DDoS attack motivations are wide ranging, and the means to execute an attack are easier than ever before,” he said.

Catalin Cosoi, chief security strategist at Bitdefender told SCMagazineUK.com he could only speculate as to why the Trojan was released into the wild before it was finished.

“It could either be an accident or a deliberate attempt at testing the response time and detection from security vendors. Hackers could have also made a rookie mistake and uploaded their samples in a multi-engine virus scanner such as Virustotal to test detection during development. What we have here might not be the production-ready tool but rather an interim stage in development,” he said.

He added that it was possible that the code was stitched together from various sources and serve more as a proof-of-concept rather than an actual fully functional threat. Cosoi said that infecting Windows may not have been a desired feature.

“It would have been much more effective for malware writers to build the backdoor in Java, for instance, if cross-platform functionality was desired. We presume that the debug information in the code is just artefacts or decoy information,” he said.

Mark Williams, CREST Certified Penetration Tester told SCMagazineUK.com that while a faulty backdoor may not work as the malicious developers intended, “the poor code could cause a target system to become unstable, just another aspect of infections to consider”.

“Companies should review their security practises to ensure that infections of this nature are properly prevented. Ensuring that operators work under the principle of least privilege, untrusted software is never executed and that known vulnerabilities are managed through Penetration Testing exercises and rigorous patching policies,” he said.