SirGod Posted October 15, 2014

Background

freenode is a large IRC network providing services to Free and Open Source Software communities, and in September the freenode staff team blogged about a potential compromise of an IRC server. NCC Group’s Cyber Defence Operations team provided pro bono digital forensic and reverse engineering services to assist the freenode infrastructure team with their incident response activities. In this post we discuss a subset of the information we documented about one of the components involved in the compromise, specifically a Linux backdoor with some interesting functionality and features.

One difficulty all attackers face after compromising a system is how to retain control over a long period of time in a stealthy manner. Backdoor tools which listen for incoming connections can be easily identified by a port scan or by listing open sockets. Tools which periodically connect outbound to a server are usually limited to a small number of addresses or a predictable domain generation algorithm.

The backdoor discussed in this post avoids these issues by using a novel method for recognising specially generated incoming packets, bypassing most typical host firewalls and enabling the attacker to change IP address without losing access.

Full article (source): https://www.nccgroup.com/en/blog/2014/10/analysis-of-the-linux-backdoor-used-in-freenode-irc-network-compromise/
Nytro Posted October 15, 2014

Yeah, cool idea with the kernel module that watches for "magic packets" in PREROUTING.