A stealthy backdoor undetected by antimalware providers is giving unknown attackers complete control over at least 100 Linux servers that appear to be used in business production environments, warn researchers.
In a blog post published Wednesday, Montreal-based GoSecure said that a piece of malware dubbed “Chaos” is infecting poorly secured systems by guessing the weak passwords protecting the secure shell (SSH) service that administrators use to remotely control Linux and other Unix-based computers. Normally, a firewall in front of a server blocks inbound connections to any port that is not used by a legitimate service, so a backdoor listening on a port of its own cannot be reached from the outside Internet. Chaos sidesteps that protection by opening what’s known as a “raw socket,” which receives a copy of every packet arriving at the host before the kernel hands it to the service that owns the destination port. The backdoor never binds a port itself; it covertly watches the traffic bound for ports that are already open and activates when it sees a trigger.
“With Chaos using a raw socket, the backdoor can be triggered on ports running an existing legitimate service,” Sebastian Feldmann, a master’s degree student intern working for GoSecure, wrote. “As an example, a Webserver that would only expose SSH (22), HTTP (80), and HTTPS (443) would not be reachable via a traditional backdoor due to the fact that those services are in use, but with Chaos it becomes possible.”