Analysis by: Raymart Christian Yambot

 PLATFORM:

Linux (the sample is an ELF binary; see File Type below)


  • Threat Type: Backdoor

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 2025/01/15 bytes
File Type: ELF
Memory Resident: No
Initial Samples Received Date: 15 Jan 2025

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This Backdoor does the following:

  • It operates as a bot component of a rootkit.
  • It executes encoded instructions received from crafted network packets.
  • It sends the following HTTP request template (note the Firefox 52 / Linux x86_64 User-Agent) to produce traffic that mimics legitimate browser activity:
    • POST /index.html HTTP/1.1
      Host: {Host}
      Content-Length: {Content-Length}
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-URL encoded
  • It sends encoded data using the following HTTP request template, with the same User-Agent; the encoded payload is placed inside the header block:
    • GET /index.html HTTP/1.1
      Host: {Host}
      {Encoded Data}
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9
      Cookie: ID=
      Content-Length: {Content-Length}
      Connection: keep-alive
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
      Content-Type: application/x-www-form-urlencoded
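
The two request templates above have several traits a detection engineer can key on: a fixed, dated User-Agent (Firefox 52 on Linux x86_64) always paired with the path /index.html, a GET that carries Content-Length and an empty Cookie: ID=, a bare non-header line where the encoded data sits, and (as printed in the POST template) a non-canonical Content-Type token. The following is an added example, not Trend Micro's code or anything from the sample itself: a small Python request parser that scores a raw HTTP request against those traits. The three sample requests are constructed for illustration (203.0.113.10 is a documentation address), and the Content-Type check assumes the "x-www-form-URL encoded" spelling is a literal artifact of the template rather than a transcription error; drop that check if it is not.

```python
import re

# Indicators taken from the request templates in this description.
SUSPECT_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
SUSPECT_PATH = "/index.html"
CANONICAL_FORM_CT = "application/x-www-form-urlencoded"

# RFC 7230 token characters, used to tell a real header name from stray data.
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, path, headers, stray).

    `headers` maps lower-cased names to stripped values; `stray` collects
    non-empty lines in the header block that are not 'Name: value' pairs,
    which is exactly where the GET template above places its encoded data.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    method, path, _version = parts
    headers, stray = {}, []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and _TOKEN.fullmatch(name):
            headers[name.lower()] = value.strip()
        elif line:
            stray.append(line)
    return method, path, headers, stray


def score_request(raw):
    """Return the list of template indicators that the request matches."""
    method, path, headers, stray = parse_request(raw)
    hits = []
    if headers.get("user-agent") == SUSPECT_UA and path == SUSPECT_PATH:
        hits.append("Firefox/52 Linux UA sent to /index.html")
    ctype = headers.get("content-type", "")
    # Same media type once whitespace/case are normalised, but not spelled
    # canonically: matches the 'x-www-form-URL encoded' token of the POST template.
    if ctype.lower().replace(" ", "") == CANONICAL_FORM_CT and ctype != CANONICAL_FORM_CT:
        hits.append("non-canonical Content-Type token")
    if method == "GET" and "content-length" in headers:
        hits.append("GET request carrying Content-Length")
    if headers.get("cookie") == "ID=":
        hits.append("empty Cookie ID=")
    if stray:
        hits.append("%d non-header line(s) inside header block" % len(stray))
    return hits


def is_suspicious(raw, threshold=2):
    """Flag a request when it matches at least `threshold` indicators.

    A single hit (e.g. an old Firefox UA alone) is too weak on its own.
    """
    return len(score_request(raw)) >= threshold


# Constructed samples following the two templates, plus a benign request.
POST_SAMPLE = (
    "POST /index.html HTTP/1.1\r\n"
    "Host: 203.0.113.10\r\n"
    "Content-Length: 24\r\n"
    "Connection: keep-alive\r\n"
    "User-Agent: " + SUSPECT_UA + "\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Content-Type: application/x-www-form-URL encoded\r\n"
    "\r\n"
    "id=QUJDREVGR0hJSktMTU5P"
)

GET_SAMPLE = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: 203.0.113.10\r\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVg==\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9\r\n"
    "Cookie: ID=\r\n"
    "Content-Length: 0\r\n"
    "Connection: keep-alive\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: " + SUSPECT_UA + "\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
)

BENIGN_SAMPLE = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.org\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0\r\n"
    "Accept: text/html,*/*;q=0.8\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, sample in (("POST", POST_SAMPLE), ("GET", GET_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, is_suspicious(sample), score_request(sample))
```

The score is deliberately additive: the User-Agent string alone will also appear from genuinely old browsers, so the GET with a Content-Length header, the empty Cookie ID= and the bare data line in the header block are what push a request over the threshold. The same checks translate directly into a proxy or IDS rule set if you prefer to run them on the wire.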

It accepts the following parameters:

  • -m, --module → selects the operating mode:
    • cb - enters a loop that receives callback notifications and handles the requests they carry
    • proxy - acts as a proxy, relaying commands for execution on other machines
    • st - listens for a single request, handles it, and then exits
  • -p, --protocol → the protocol to emulate; the backdoor runs a fake service speaking that protocol so its traffic mimics legitimate network activity:
    • tcp
    • http
    • ssl
    • https
    • smtp
  • -P, --port → specifies a fixed port to listen on instead of a default one

  SOLUTION

Minimum Scan Engine: 9.800
FIRST VSAPI PATTERN FILE: 19.858.05
FIRST VSAPI PATTERN DATE: 24 Jan 2025
VSAPI OPR PATTERN File: 19.859.00
VSAPI OPR PATTERN Date: 25 Jan 2025

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product to delete files detected as Backdoor.Linux.SYSLOGK.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files.

