Dec 092014
 

Until this morning, like countless others I too labored under the blissful illusion that Netstat was the panacea for all my Linux security concerns.

Alas, that feeling of comfort has disappeared since the discovery of an extremely stealthy Netstat-defying Turla Linux trojan.

The dangers of the Linux Turla trojan including hidden network communications, arbitrary remote command execution and remote management should send a shiver up the spines of server administrators.

The Turla trojan was previously known to attack Windows based computers only via a hard to detect rootkit.

Turla Strikes Penguin

Security experts describe the Linux Turla trojan as a C/C++ executable statically linked against multiple libraries.

It seems much of the trojan’s code is based on public sources combined with some functionalities from the attackers.

Early analysis of this Linux trojan suggests that the Turla cd00r-based malware maintains stealth without needing elevated privileges while running arbitrary remote commands.

To the great distress of Linux system administrators, the trojan can’t be discovered via the popular command line Netstat tool that displays network connections for TCP (incoming and outgoing).

The folks at Kaspersky Labs say the trojan uses techniques that don’t require root access. This means it can more freely run on more victim hosts.

Apparently, even if a regular user with limited privileges launches it, the Turla Linux trojan can continue to intercept incoming packets and run incoming commands on the system.

Turla Linux – Key Features

Executable Characteristics

ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, stripped

Statically Linked Libraries
glibc2.3.2 – the GNU C library
openssl v0.9.6 – an older OpenSSL library
libpcap – tcpdump’s network capture library

Command & Control
Hardcoded C&C, known Turla activity: news-bbc.podzone.org
The domain has the following pDNS IP: 80.248.65.183

 Posted by at 2:19 pm

Sorry, the comment form is closed at this time.