Internet Igors have stitched together a new Linux backdoor. Fortunately for internet hygiene the botnet agent – which packs a variety of powerful features – is faulty and only partially functional.
The backdoor, dubbed Dklkt-1 was designed to be a cross-platform nasty capable of infecting both Windows and Linux machines.
Cyber-criminals planned to equip the program with a large number of functions typical of SOCKS proxy servers, remote shells, file managers, and so on.
However, at the moment, the malware ignores the majority of incoming commands due to programming mistakes.
The Trojan – known by its creators as “DDoS Attacker for Gh0st(sweet version 1.0” – was carelessly put together. For one thing “the disassembled code contains some strange constructions that have absolutely nothing to do with Linux”, according to an advisory on the malware by Russian security software firm Doctor Web.
However, other elements of the malicious code suggest those behind the backdoor were far removed from rookie malware coders.
If successfully planted, the malware tries to register itself in the system as a daemon (system service). Thereafter it uses LZO compression and the Blowfish encryption algorithm to chat to command and control servers. Every packet contains a checksum, so that the recipient could verify data integrity.
Dklkt-1 waits for incoming commands that can include launching a DDoS attack, starting SOCKS proxy server, running a specified application, rebooting the computer, or turning it off. Other commands are either ignored or processed incorrectly.
The trojan – in its present form – basically lends compromised proxies to a variety of volumetric DDoS attacks (eg. SYN Flood, ICMP Flood and UDP Flood).
Detection for the Dklkt-1 Linux backdoor has been added to Dr.Web virus databases. Other security firms can be expected to follow suit.