Slashdot Mirror


Analysis of Linux Backdoor Used In Freenode Hack

An anonymous reader writes "A detailed analysis has been done of the Linux backdoor used in the freenode hack. It employed port knocking and encryption to provide security against others using it. This seems a little more sophisticated than your average black-hat hacker."

3 of 37 comments

  1. security methods can be used by both sides by Anonymous Coward · · Score: 5, Interesting

    So a common method of securing parts of systems (port knocking) was used by nefarious software to protect itself.

    "This seems a little more sophisticated than your average black-hat hacker."

    From the article...
    "Whilst the handshake and data security mechanisms are arguably well designed the persistence mechanism isn’t in any sense stealthy. This particular rootkit would be easily detectable using tools such as Tripwire and Rootkit Hunter. ...
    While the techniques used are well engineered they are certainly not unique. For example netfilter hooks were discussed in the context of rootkits back in a 2003 Phrack article titled ‘Kernel Rootkit Experiences’. Similarly port knocking and RC4 encryption for concealment and transport security are not highly sophisticated yet are sound approaches if developing a rootkit."

    Doesn't seem so special after all.

    1. Re:security methods can be used by both sides by grcumb · · Score: 5, Interesting

      Doesn't seem so special after all.

      Well, full marks for that clever little bit of sleight of hand that allowed them to set up persistent connectivity without hard-coding addresses. I like the way they use the combination of port and sequence number to determine the remote address, and packet window size to set the remote port. It was also pretty interesting that the software could take its sweet time between 'magic' packets, allowing it to obscure itself in incoming traffic.

      But yeah, it's a clever riff on well-known rootkit tools. And it's nothing that shouldn't have been discovered in a moderately well-run security environment. I mean, we are talking about an altered boot script, new rules running in iptables, and additional new binaries on the system. You would expect that sort of thing to be found before too long.

      But one thing I would very much like to know is how this rootkit got installed in the first place. There's nothing about that in TFA.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
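The two comments above make the same defensive point: the persistence side of this rootkit (an altered boot script plus a new binary on disk) is exactly what a file-integrity baseline in the style of Tripwire catches. The following is an added illustration of that check, not code from the article or from the commenters; the paths `etc/init.d/networking` and `usr/sbin/example-module-loader` and the file contents are constructed placeholders, and the directory tree is built in a temporary folder so the script runs offline.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def file_fingerprint(path: Path) -> dict:
    """Hash, size and permission bits of one regular file."""
    data = path.read_bytes()
    st = path.stat()
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
    }


def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by relative path."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        # Skip symlinks and directories; only regular files are hashed.
        if p.is_symlink() or not p.is_file():
            continue
        baseline[p.relative_to(root).as_posix()] = file_fingerprint(p)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline as JSON (in practice: off-host or read-only media)."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        k for k in set(baseline) & set(current) if baseline[k] != current[k]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate the kind of
    persistence described in the thread (edited init script + new binary)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc" / "init.d").mkdir(parents=True)
        (root / "usr" / "sbin").mkdir(parents=True)
        init_script = root / "etc" / "init.d" / "networking"  # constructed
        init_script.write_text("#!/bin/sh\n# bring up interfaces\nifup -a\n")
        (root / "usr" / "sbin" / "sshd").write_bytes(b"\x7fELF placeholder sshd")

        baseline_file = root / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)
        baseline = load_baseline(baseline_file)

        # Simulated tampering: boot script gains a line, a new binary appears.
        with init_script.open("a") as f:
            f.write("/usr/sbin/example-module-loader\n")  # constructed name
        (root / "usr" / "sbin" / "example-module-loader").write_bytes(
            b"\x7fELF placeholder new binary"
        )

        current = build_baseline(root)
        # The baseline file itself is new relative to the stored baseline,
        # so exclude it from the comparison.
        current.pop("baseline.json", None)
        return compare(baseline, current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison only means something if the stored baseline cannot be rewritten by whoever altered the boot script, which is why real deployments keep it off-host or on read-only media and sign it; a kernel-level rootkit can also lie to userland about what is on disk, so a scan like this is strongest when run from a trusted boot or against an offline image.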
    2. Re:security methods can be used by both sides by rtb61 · · Score: 3, Interesting

      The only thing special about this rootkit is that it is clearly designed to be installed by an insider. The sort of thing that network security types corrupted by the NSA, financially or via extortion, would install. I'll bet that many foreign countries will not be accepting their version of H1B when they come from the US, in network security jobs.

      --
      Chaos - everything, everywhere, everywhen