Raw sockets backdoor gives attackers complete control of some Linux servers


“Chaos” gives attackers, and follow-on attackers, full control over infected boxes.

A stealthy backdoor undetected by antimalware providers is giving unknown attackers complete control over at least 100 Linux servers that appear to be used in business production environments, warn researchers.

In a blog post published Wednesday, Montreal-based GoSecure claimed that a piece of malware dubbed “Chaos” is infecting poorly secured systems by guessing weak passwords protecting the secure shell application that administrators use to remotely control Unix-based computers. The secure shell, or SSH, accounts being compromised run as root, which is how the backdoor obtains root access as well. Normally, firewalls in front of servers block such backdoors from communicating with the outside Internet. Once installed, Chaos bypasses those protections by using what’s known as a “raw socket” to covertly monitor all data sent over the network.

“With Chaos using a raw socket, the backdoor can be triggered on ports running an existing legitimate service,” Sebastian Feldmann, a master’s degree student intern working for GoSecure, wrote. “As an example, a Webserver that would only expose SSH (22), HTTP (80), and HTTPS (443) would not be reachable via a traditional backdoor due to the fact that those services are in use, but with Chaos it becomes possible.”

Once installed, Chaos allows malware operators anywhere in the world to gain complete control over the server via a reverse shell. The attacker can use their privileged perch to exfiltrate sensitive data, move further inside the compromised network, or use the server as a proxy to conceal hacks on computers outside the network. To activate the backdoor, attackers send a weakly encrypted password to one of the ports of the infected machine.
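As an added example (not from the article or from GoSecure’s post), the following Python host check lists which processes hold raw sockets, the capability the article says Chaos relies on to listen behind ports that a legitimate service already uses. It parses the Linux /proc/net/packet and /proc/net/raw tables and the per-process fd links, with constructed sample data standing in for the live files; since the article does not say whether the backdoor opens an AF_PACKET or an AF_INET raw socket, both tables are covered.

```python
import re

SOCK_RAW = 3  # value of the Type column in /proc/net/packet for a SOCK_RAW socket

# Constructed /proc/net/packet sample: one SOCK_DGRAM socket, one SOCK_RAW sniffer (Proto 0003 = ETH_P_ALL).
SAMPLE_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c3a 3      2    0800   2     1 0      0      31337
ffff9c3b 3      3    0003   2     1 0      0      42424
"""
# Constructed /proc/net/raw sample: an AF_INET raw socket; the first column is the IP protocol number.
SAMPLE_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   6: 00000000:0006 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 51515 2 ffff9c3c 0
"""
# Constructed fd tables, {pid: {fd: readlink target}}, as /proc/<pid>/fd/* would give.
SAMPLE_FDS = {
    1201: {"0": "/dev/null", "3": "socket:[31337]"},
    2277: {"0": "/dev/null", "4": "socket:[42424]", "5": "socket:[51515]"},
}

def raw_inodes_from_packet(text):
    """inode -> description for the SOCK_RAW entries of /proc/net/packet."""
    hits = {}
    for f in (line.split() for line in text.splitlines()[1:]):
        if len(f) >= 9 and int(f[2]) == SOCK_RAW:
            hits[int(f[8])] = "AF_PACKET proto=0x%04x" % int(f[3], 16)
    return hits

def raw_inodes_from_inet(text):
    """inode -> description for every entry of /proc/net/raw (all are raw sockets)."""
    hits = {}
    for f in (line.split() for line in text.splitlines()[1:]):
        if len(f) >= 10:
            hits[int(f[9])] = "AF_INET ipproto=%d" % int(f[0].rstrip(":"))
    return hits

def find_raw_socket_owners(fd_tables, inodes):
    """pid -> list of raw-socket descriptions for the fds that point at them."""
    owners = {}
    for pid, fds in fd_tables.items():
        for target in fds.values():
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and int(m.group(1)) in inodes:
                owners.setdefault(pid, []).append(inodes[int(m.group(1))])
    return owners

def audit(packet_text=SAMPLE_PACKET, raw_text=SAMPLE_RAW, fd_tables=SAMPLE_FDS):
    inodes = {**raw_inodes_from_packet(packet_text), **raw_inodes_from_inet(raw_text)}
    return find_raw_socket_owners(fd_tables, inodes)
```

On a live host, replace the samples with the contents of /proc/net/packet, /proc/net/raw and os.readlink over /proc/<pid>/fd, then review each flagged pid against the packet-capture or monitoring tools you expect to be running.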

GoSecure researchers said the password was easy for them to crack because it was hardcoded into the malware using the ancient DES encryption scheme. That means that infected systems aren’t accessible only to the people who originally planted Chaos but also to anyone who, like GoSecure, invests the modest resources required to crack the password. The researchers performed an Internet-wide scan on January 19 and detected 101 machines that were infected.

Apathy is malware’s best friend

They reported their findings to the Canadian Cyber Incident Response Center in hopes of getting the affected organizations to disinfect their systems. A scan on Wednesday, however, showed that 98 servers remained infected. The compromised systems were located in a variety of big-name hosting services, including Cloudbuilders, Rackspace, Digital Ocean, Linode, Comcast, and OVH.

As the researchers dug further into Chaos, they discovered that the malware was nothing more than a renamed version of a backdoor that was included in a rootkit known as SEBD—short for Simple Encrypted Backdoor for Linux—which was publicly released in 2013. Despite its availability for more than five years, this VirusTotal query indicates that none of the 58 most widely used anti-malware services detect it. GoSecure further noted that the attackers are bundling Chaos with malware for a botnet that’s being used to mine the cryptocurrency known as Monero.

The key weakness that allows Chaos to spread is the use of a weak password to protect SSH. Best practices call for SSH to be protected with a cryptographic key and a strong password. Wednesday’s blog post provides a set of indicators that administrators can use to determine if any of their systems are compromised. Besides disinfecting affected servers, admins should make sure their SSH apps are adequately protected to prevent similar attacks from succeeding again.