A backdoor implant is an increasingly common mechanism for maintaining unauthorized access to, and control over, a computer asset. The terms remote administration tool (RAT) and trojan downloader are often used synonymously with such implants. Once installed (i.e., implanted) on a system, the modern backdoor typically offers much more than simple command-line access to that system.
Depending on the backdoor’s specialization and sophistication, it can also capture keystrokes, take screenshots, scrape memory for valuable information, search for files meeting certain criteria, query databases, download files and additional malware, exfiltrate data and files, and even serve as an attack platform.
Effectively, a backdoor implant results in loss of control over a computer asset. The tangible and intangible impacts of this loss of control vary with the backdoor's capabilities and may include: leakage of authentication credentials, loss of intellectual property, exposure of sensitive information, damage to standing or reputation, and various levels of liability for actions executed on or from the compromised asset.
Recently Palo Alto Networks discovered a backdoor program (md5: b826fb1253a52a3b53afa3b7543d7694, sha256: 6bedd1b0716fe7632188932451f75295346836545e6d2bfee1b56121e02ca110) that is used to control a Linux operating system. This particular Linux backdoor installs itself to “/usr/bin/btdaemon” and creates a startup service at “/etc/init.d/bluetoothdaemon”, with symbolic links so that it runs in any startup mode. The service file's contents are a simple bash script that runs the original btdaemon file.
When run, the backdoor creates a thread for each connection listed in its config file. The sample caught by our WildFire system contains 3 IP addresses in its config file:

- 188.8.131.52 | INTERCAN4024357D | Bongcheon-dong Kwanak-gu SEOUL | KR
- 184.108.40.206 | KORNET-KR | Korea Telecom | KR
- 220.127.116.11 | PCCWME-HK | FLAT 1405,14/F BLK A FUK KEUNG IND BLDG | HK

For each IP address the btdaemon service will attempt to make a connection on UDP ports 53, 80, 110, and 443.
Upon successful connection it sends the string “MlCROS0FT|1.2 Apr 26 2014 02:37:05|Linux Kernel Version” and waits for an “Auth” packet from the server. If the backdoor then receives a packet in the form “cmdType|cmdBody”, it looks up cmdType in its command list and executes the equivalent instruction. Valid instructions are numbered 0-9, and their functionality varies by command. Read the rest of this article at:
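The beacon, “Auth” and “cmdType|cmdBody” exchange described above can be turned into a simple detector over UDP datagrams. The following is an added example, not code from the Palo Alto Networks post: it classifies captured datagrams using the addresses, ports, beacon prefix and persistence paths quoted in the post, and the sample datagrams (including the kernel string and command body) are constructed, since the post does not document the per-command semantics.

```python
import os
import re
from typing import Callable, Optional

# Indicators quoted in the post: the three C2 addresses, the four UDP ports
# and the two on-disk persistence paths.
C2_ADDRESSES = {"188.8.131.52", "184.108.40.206", "220.127.116.11"}
C2_PORTS = {53, 80, 110, 443}
PERSISTENCE_PATHS = ("/usr/bin/btdaemon", "/etc/init.d/bluetoothdaemon")

# Beacon: "MlCROS0FT|<version and build date>|<kernel string>". Note the
# lower-case L and the zero: a plain "MICROSOFT" match would miss it.
BEACON_RE = re.compile(r"^MlCROS0FT\|([^|]*)\|(.*)$", re.S)
# Tasking frame from the server: one command digit 0-9, "|", then the body.
CMD_RE = re.compile(r"^([0-9])\|(.*)$", re.S)


def inspect_udp(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> Optional[str]:
    """Classify one UDP datagram; returns a finding label or None."""
    text = payload.decode("latin-1")  # keeps every byte; the beacon is ASCII
    m = BEACON_RE.match(text)
    if m:
        return f"beacon version={m.group(1)!r} kernel={m.group(2)!r}"
    if src_ip in C2_ADDRESSES:
        if text == "Auth":
            return "auth from C2"
        m = CMD_RE.match(text)
        if m:
            return f"command type={m.group(1)} body={m.group(2)!r}"
    if dst_ip in C2_ADDRESSES and dst_port in C2_PORTS:
        return "traffic to C2 on listed port"
    return None


def persistence_artifacts(exists: Callable[[str], bool] = os.path.exists) -> list:
    """Return the btdaemon persistence paths present on this host."""
    return [p for p in PERSISTENCE_PATHS if exists(p)]


# Constructed sample datagrams (not a real capture): a beacon to the first
# C2 address, the "Auth" reply, a tasking frame, and unrelated DNS traffic.
SAMPLE = [
    ("10.0.0.5", "188.8.131.52", 443, b"MlCROS0FT|1.2 Apr 26 2014 02:37:05|Linux 3.2.0"),
    ("188.8.131.52", "10.0.0.5", 40000, b"Auth"),
    ("188.8.131.52", "10.0.0.5", 40000, b"3|placeholder-body"),
    ("10.0.0.5", "8.8.8.8", 53, b"\x12\x34\x01\x00"),
]

if __name__ == "__main__":
    for src, dst, port, data in SAMPLE:
        print(src, "->", dst, port, inspect_udp(src, dst, port, data))
    print("persistence artifacts present:", persistence_artifacts())
```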