Mac OS X trojan encryption routines found in a Linux backdoor

March 28, 2012 | Jaime Blasco


We were working on some information related to the C&C protocol used by the http://labs.alienvault.com/labs/index.php/2012/alienvault-research-used-as-lure-in-targeted-attacks/ [no longer available] Mac OS X trojan we discovered last week. ESET already did a great job http://blog.eset.com/2012/03/28/osxlamadai-a-the-mac-payload [no longer available] and you can read all the information there. As ESET said, the C&C protocol uses AES and XOR to encrypt all the underlying communications. For the XOR cipher they use hardcoded keys:

They also add a SHA1 hash to every packet to authenticate and check the integrity of the communication.

So, based on the encryption method, we found another backdoor that uses the same underlying encryption with the same keys: a Linux backdoor that has been around since at least late 1999 (based on VirusTotal submissions).

This could indicate that they are reusing code published in underground forums, or that the same group has been using this backdoor to maintain persistence on Linux systems.

The file in question is this one:

https://www.virustotal.com/file/a3ffc25db2403b3f70719b151b106e53b3abbf1f81c9147a40664605b5b573d7/analysis/

The backdoor:

- It first checks that it has enough privileges to run (it requires root privileges).

- Then it writes its PID to a file under /dev/hdsmat.

- Forks the process and changes the process name to ‘-bash’.

- Opens a raw socket: socket(PF_INET, SOCK_RAW, IPPROTO_TCP)

- This is some kind of port-knocking technique: it waits for a packet that contains the following string:

- Once it receives that packet, it opens a connection to the machine that sent the packet, using port 3133.

- The subsequent communication uses the same XOR/AES encryption to exchange data.
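A defender-side hunt for the host indicators listed above, added here as an example (it is not the malware's code, nor AlienVault's or ESET's): it parses /proc/net/raw for raw sockets bound to IPPROTO_TCP, flags processes named ‘-bash’ whose executable is not bash, and checks for the /dev/hdsmat PID drop. The /proc parsing, and the assumption that the rename may be done either through the kernel comm name or through argv[0], are this example's own.

```python
import os
import re
from pathlib import Path

# Indicators taken from the post: the PID file under /dev/hdsmat, the spoofed
# process name '-bash' and the raw TCP socket. The matching logic is this
# example's own, not the malware's or any vendor's code.
PID_DROP_DIR = Path("/dev/hdsmat")
FAKE_NAME = "-bash"
IPPROTO_TCP = 6

def raw_tcp_socket_inodes(proc_net_raw: str) -> set:
    """Inodes of raw sockets bound to protocol 6, parsed from /proc/net/raw text.
    For raw sockets the kernel prints the protocol number where /proc/net/udp prints
    the local port, so socket(PF_INET, SOCK_RAW, IPPROTO_TCP) shows as ':0006'."""
    inodes = set()
    for line in proc_net_raw.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) >= 10 and int(fields[1].rsplit(":", 1)[1], 16) == IPPROTO_TCP:
            inodes.add(fields[9])                       # the 'inode' column
    return inodes

def is_fake_bash(name: str, exe_path: str) -> bool:
    """A real login shell is named '-bash' AND runs from the bash binary; the backdoor
    only renames itself. ' (deleted)' means bash was upgraded while running."""
    exe = os.path.basename(exe_path.removesuffix(" (deleted)"))
    return name == FAKE_NAME and exe != "bash"

def hunt(proc: Path = Path("/proc")) -> list:
    """Walk /proc on a live Linux host (root needed for other users' processes)."""
    findings = []
    if PID_DROP_DIR.exists():
        findings.append(f"{PID_DROP_DIR} present (backdoor PID drop location)")
    raw_inodes = raw_tcp_socket_inodes((proc / "net" / "raw").read_text())
    for pid_dir in (d for d in proc.iterdir() if d.name.isdigit()):
        try:                                             # comm (prctl) and argv[0] are both checked
            names = {(pid_dir / "comm").read_text().strip(),
                     (pid_dir / "cmdline").read_bytes().split(b"\0")[0].decode(errors="replace")}
            exe = os.readlink(pid_dir / "exe")
            links = [os.readlink(fd) for fd in (pid_dir / "fd").iterdir()]
        except OSError:                                  # exited, kernel thread or no permission
            continue
        owned = {m.group(1) for m in (re.fullmatch(r"socket:\[(\d+)\]", s) for s in links) if m}
        if any(is_fake_bash(n, exe) for n in names) or owned & raw_inodes:
            findings.append(f"pid {pid_dir.name}: names={sorted(names)} exe={exe} "
                            f"raw_tcp_socket={bool(owned & raw_inodes)}")
    return findings
if __name__ == "__main__":
    print("\n".join(hunt() or ["no indicators found"]))
```

An ICMP raw socket (local_address ending in ':0001', e.g. a running ping) is deliberately not reported; only protocol 6 matches the backdoor's socket.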

Based on a post published late last year, it seems that someone found a similar backdoor that was uploaded to the system after a successful SSH brute-forcing attack. The backdoor they describe doesn’t have the underlying encryption, but it uses the same “portknocking” code.

Maybe someone recognizes parts of this code and can point us to an already known backdoor.

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
