Until this morning, like countless others I too labored under the blissful illusion that Netstat was the panacea for all my Linux security concerns.
Alas, that feeling of comfort has disappeared since the discovery of an extremely stealthy Netstat-defying Turla Linux trojan.
The dangers of the Linux Turla trojan including hidden network communications, arbitrary remote command execution and remote management should send a shiver up the spines of server administrators.
The Turla trojan was previously known to attack Windows based computers only via a hard to detect rootkit.
Turla Strikes Penguin
Security experts describe the Linux Turla trojan as a C/C++ executable statically linked against multiple libraries.
It seems much of the trojan’s code is based on public sources combined with some functionalities from the attackers.
Early analysis of this Linux trojan suggests that the Turla cd00r-based malware maintains stealth without needing elevated privileges while running arbitrary remote commands.
To the great distress of Linux system administrators, the trojan can’t be discovered via the popular command line Netstat tool that displays network connections for TCP (incoming and outgoing).
The folks at Kaspersky Labs say the trojan uses techniques that don’t require root access. This means it can more freely run on more victim hosts.
Apparently, even if a regular user with limited privileges launches it, the Turla Linux trojan can continue to intercept incoming packets and run incoming commands on the system.
Turla Linux – Key Features
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, stripped
Statically Linked Libraries
glibc2.3.2 – the GNU C library
openssl v0.9.6 – an older OpenSSL library
libpcap – tcpdump’s network capture library
Command & Control
Hardcoded C&C, known Turla activity: news-bbc.podzone.org
The domain has the following pDNS IP: 126.96.36.199