Your IP: Unknown · Your Status: Unprotected Protected

Blog News

Exceptionally Stealthy And Powerful Linux-Based Trojan Could Be Possessing Victims For Years

Dec 15, 2014 · 3 min read

Exceptionally Stealthy And Powerful Linux-Based Trojan Could Be Possessing Victims For Years

An extremely stealthy trojan has been uncovered by researchers. Said trojan, which is for Linux systems, has been used by attackers to retrieve sensitive information and data not just from pharmaceutical companies but also governments around the world.

The malware, that is previously undiscovered, is a missing piece in a puzzle. It is tied to “Turla,” APT (a term used for ‘advanced persistent threat’) which was uncovered by Symantec and Kaspersky Lab. As far as it’s known, for at least four years the campaign targeted embassies, military, government institutions, pharmaceutical companies and research in over 45 countries around the world. The unknown attackers known to have infected over several hundred computers based on Windows OS by hitting on a variety of vulnerabilities, out of which two bugs were zero-day. According to Symantec the unknown attackers are most likely nation-state backed. The most notable fact about the malware was that it used a rootkit which made the malware extremely difficult to detect.

Moscow-based Kaspersky Lab’s researchers have detected malware that is Linux-based used in the same campaign. Just like recently uncovered Regin APT, Turla is put in the same league and ranked to be one of top-tier APTs. It’s suggested by the Linux component’s discovery that it is bigger than it was thought to be and could anticipate the discovery of even more infected systems.

Kurt Baumgartner, Kaspersky Lab specialist, told that the Turla operations have been executed in larger environments than they previously knew since all of the stuff that they have seen from Turla were windows based. Thus this puzzle piece just proves that they do not limit themselves.

The Linux trojan is very stealthy just like its Windows counterparts. It cannot be detected executing the ordinary Netstat command. In order of hiding itself, the backdoor idles until unusually crafted packets in their sequence numbers containing “magic numbers” are sent by attackers. There is possibility that the malware stayed hidden and idle on at least one victim computer for years, though this suspicion has not been confirmed by Kaspersky Lab yet. Arbitrary commands could be ran by the trojan although no elevated system privileges are required by it.

Baumgartner was concerned and at the same time marveled by that piece of code being so interesting due to the facts that this malware not only could run on Linux-based computers but also it could not be detected in the usual ways.

It could even be launched by a regular user that have limited privileges, allowing the trojan to not only intercept traffic but also run commands on machines that are infected. Capabilities include but are not limited to the ability to, under the control of attackers, communicate with servers and attackers having ability to run various commands of their choice, thanks to certain functions, as well as to perform remote management.

The Linux component, even after its uncovering, still remains a mystery. C and C++ programming languages were used in writing the underlying executable file which also contains code from libraries written in the past, a attribute giving the malicious file self-reliance. It’s also made hard to analyze or even reverse engineer for researchers due to the code being stripped of symbol information. This leaves a big question mark as the trojan may possess capabilities that have yet to be uncovered.

Administrators can check whether their Linux systems are infected with Turla by checking outgoing traffic for connections to or news-bbc.podzone[.]org, addresses of hardcoded command and control channels inside of the Linux trojan. A signature can be built by admins using a tool called YARA that is able to detect the strings “Remote VS is empty !” and “TREX_PID=%u”.

Having in mind how much of stealth and power the backdoor possess it would not be of a surprise for the discovery to open the gates to discoveries of more malware components or infections.

Baumgartner added that the research is still in the action and that at some point they expect to linger on something else because of the usage type of the backdoor.

Having in mind such powerful malware, your private data and sensitive information encryption at all times could be invaluable and we offer just that – invaluably strong encryption! We also offer great and rare to find features of our service such as no logs policy, Tor over VPN server and double VPN to keep you and your data as safe as it can be making it virtually impossible to decrypt!

Christina Craig
Christina Craig successVerified author

Christina is a community manager and the heart, the voice and the soul of NordVPN. She is always up for a conversation with our community of users and blog readers.

Subscribe to NordVPN blog