Showing posts from November, 2013

Linux Covert Channel Explains Why NSM Matters

I just read a post by Symantec titled Linux Back Door Uses Covert Communication Protocol . It describes a new covert channel on Linux systems. A relevant excerpt follows: [T]he attackers devised their own stealthy Linux back door to camouflage itself within the Secure Shell (SSH) and other server processes. This back door allowed an attacker to perform the usual functionality—such as executing remote commands—however, the back door did not open a network socket or attempt to connect to a command-and-control server (C&C). Rather, the back door code was injected into the SSH process to monitor network traffic and look for the following sequence of characters: colon, exclamation mark, semi-colon, period (“:!;.”). After seeing this pattern, the back door would parse the rest of the traffic and then extract commands which had been encrypted with Blowfish and Base64 encoded. :!;.UKJP9NP2PAO4 Figure. Example of injected command The attacker could then make normal connection re