New Linux Backdoor Discovered – Linux.BackDoor.Dklkt.1
Doctor Web security researchers have examined a new backdoor targeting Linux operating systems. From the beginning, it became quite clear that the creators of this malicious program planned to equip it with a wide variety of powerful features, but bringing all their intentions to life proved rather problematic—at the moment, not all of the program's components work as they should.
The backdoor, named Linux.BackDoor.Dklkt.1, is supposedly of Chinese origin. The virus makers tried to create a multicomponent malicious program encompassing a large number of functional properties; for example, they wanted to equip it with functions typical of file managers, DDoS Trojans, proxy servers, and so on. However, not all of these plans were destined to see the light. Moreover, the virus makers attempted to make their creation cross-platform, so that the executable file could be built for both Linux and Windows. However, due to the carelessness of the cybercriminals, the disassembled code contains some strange constructions that have absolutely nothing to do with Linux.
Once launched, Linux.BackDoor.Dklkt.1 checks the folder from which it is run for the configuration file containing all of its operating settings. This file holds the addresses of three command and control servers; one of them is used by the backdoor, while the other two are kept as backups. The configuration file is Base64-encoded (Base64 is an encoding, not encryption, so the settings are trivially readable once decoded). After Linux.BackDoor.Dklkt.1 is activated, it tries to register itself in the system as a daemon (system service). If the attempt fails, the backdoor terminates.
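As an added triage example (not Doctor Web's code, and assuming a hypothetical one-endpoint-per-line layout, since the page does not document the real on-disk format), this Python script strictly Base64-decodes a suspected Dklkt configuration file, rejects anything that is not valid Base64, and separates the active C2 address from the two backups:

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Hypothetical layout: one "host:port" per line, first entry active,
# the remaining two kept as backups (the real format is undocumented here).
ENDPOINT_RE = re.compile(rb"^([A-Za-z0-9.\-]+):(\d{1,5})$")


@dataclass
class C2Config:
    primary: str
    backups: list


def decode_config(blob: bytes) -> bytes:
    """Strictly Base64-decode the config; raise ValueError if it is not Base64."""
    try:
        return base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid Base64: {exc}") from exc


def parse_c2_config(blob: bytes) -> C2Config:
    """Decode the file and extract exactly three C2 endpoints (primary + 2 backups)."""
    plain = decode_config(blob)
    endpoints = []
    for line in plain.splitlines():
        m = ENDPOINT_RE.match(line.strip())
        if m and 0 < int(m.group(2)) < 65536:
            endpoints.append(f"{m.group(1).decode()}:{int(m.group(2))}")
    if len(endpoints) != 3:
        raise ValueError(f"expected 3 C2 endpoints, found {len(endpoints)}")
    return C2Config(primary=endpoints[0], backups=endpoints[1:])


# Constructed sample configs (RFC 5737 documentation addresses, not real C2s).
SAMPLE_CONFIG = base64.b64encode(
    b"192.0.2.10:8080\n198.51.100.7:443\n203.0.113.25:8080\n")
SHORT_CONFIG = base64.b64encode(b"192.0.2.10:8080\n")  # only one endpoint

if __name__ == "__main__":
    cfg = parse_c2_config(SAMPLE_CONFIG)
    print("primary C2:", cfg.primary)
    print("backup C2s:", cfg.backups)
```

Extracted addresses are candidates for blocking or for searching proxy and DNS logs; the strict decode mirrors the fact that the backdoor depends on a readable config to operate at all.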
Once the malicious program is successfully running, it sends the server information about the infected system; the transmitted data is compressed with LZO and encrypted with the Blowfish algorithm. In addition, every packet carries a checksum so that the recipient can verify data integrity.
Then Linux.BackDoor.Dklkt.1 waits for incoming commands, which can include launching a DDoS attack, starting a SOCKS proxy server, running a specified application, and rebooting or shutting down the computer. Other commands are either ignored or processed incorrectly. The following DDoS attack commands can be executed by Linux.BackDoor.Dklkt.1:
- SYN Flood
- HTTP Flood (POST/GET requests)
- ICMP Flood
- TCP Flood
- UDP Flood
Microsoft Windows OS:
- If the operating system (OS) can be loaded (either normally or in safe mode), download the curing utility Dr.Web CureIt! and run a full scan of your computer and the removable media you use.
- If you can't load the OS, change the BIOS settings to load your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk or the Dr.Web® LiveDisk recording utility onto a USB drive and prepare the relevant media. After booting up with this media, run a full scan and cure whatever threats have been detected.
- If your OS has been locked by malware from the Trojan.Winlock family, use our unlocking service. If you failed to find the unlock code, follow the instructions provided in Section 2.
Linux:
- On the loaded OS, run a full scan of all disk partitions using the Dr.Web Anti-virus for Linux.
Mac OS X:
Run a full system scan using the free Dr.Web Light Scanner for Mac OS X. You can download it from the Apple App Store.
Android:
- If the mobile device is operating normally, download and install the free anti-virus Dr.Web for Android Light. Perform a full system scan and carry out the recommendations for removing any detected threats.
- If the mobile device has been locked by Android.Locker ransomware (the screen will be telling you that you have broken some law or demanding a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
  - Start your smartphone or tablet in safe mode (depending on the operating system version and the specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device or contact its manufacturer);
  - Once you have activated safe mode, install the free anti-virus Dr.Web for Android Light onto the infected handheld and perform a full scan of the system; follow the steps recommended for neutralising the threats that have been detected;
  - Switch off your device and turn it on as normal.