We were working on some information related to the C&C protocol used on the http://labs.alienvault.com/labs/index.php/2012/alienvault-research-used-as-lure-in-targeted-attacks/ [no longer available] Mac OS X trojan we discovered last week. ESET already did a great job http://blog.eset.com/2012/03/28/osxlamadai-a-the-mac-payload [no longer available]and you can read all the information there. As ESET said, the C&C protocol is using AES and XOR to encrypt all the underlying communications. For the XOR cypher they are using hardcoded keys:
They also add a SHA1 hash to every packet to authenticate and check the integrity of the communication.
So based on the encryption method, we have found another backdoor that uses the same underlying encryption with the same keys on a Linux backdoor that has been around at least since lately 1999 (based on VirusTotal submissions).
This can indicate that they are taking advantage of some code published in some underground forums or maybe the same guys have been using this backdoor to maintain persistence on Linux systems.
The file in question is this one:
https://www.virustotal.com/file/a3ffc25db2403b3f70719b151b106e53b3abbf1f81c9147a40664605b5b573d7/analysis/
The backdoor:
- It check first that has enough privileges to run (it requires root privileges).
- Then it writes the PID number to a file under /dev/hdsmat.
- Forks the process and change the process name to ‘-bash’.
- Opens a raw socket, SOCKET (PF_INET, SOCK_RAW, IPPROTO_TCP)
- This is some kind of portknocking technique so it waits for a packet that contains the following string:
- Once it receives that packet, it opens a connection to the machine that sent the pack using port 3133.
- The following communication will use the same XOR/AES underlying encryption to exchange data.
Based on a post published lately last year, it seems that they found a similar backdoor that was uploaded to the system after a successful SSH bruteforcing attack. The backdoor they talk about doesn’t have the underlying encryption but it uses the same “portknocking” code.
Maybe someone recognizes parts of this code and points us to an already know backdoor.
