Chinese backdoor aimed at Windows and Linux systems

Doctor Web security researchers have analysed Linux.BackDoor.Dklkt.1, a new backdoor targeting Linux systems. Its authors planned to give it a wide range of functions, but the implementation is flawed: at present not all components of the program work as intended.

The backdoor, which Doctor Web has named Linux.BackDoor.Dklkt.1, probably originates from China. Its authors set out to build a multi-component malicious program with a large amount of functionality, including features typical of file managers, DDoS Trojans, proxy servers and so on. Not all of these plans succeeded. The authors also tried to make the program cross-platform, so that the same executable could run on both Linux and Windows; because of their carelessness, the disassembled code contains several constructs that simply do not work on Linux.

Once launched, Linux.BackDoor.Dklkt.1 checks the directory it was started from for a configuration file holding all the settings it needs to operate. This file contains three command-and-control server addresses: one is used by the backdoor, while the other two are kept as backups. The configuration file is encoded with Base64 (an encoding, so it only obscures the contents rather than protecting them). When activated, Linux.BackDoor.Dklkt.1 attempts to register itself in the system as a daemon (system service). If this attempt fails, the backdoor terminates.
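A triage helper for the behaviour described above, added here as an example and not code from Doctor Web or the malware: it scans a directory for a companion file that is well-formed Base64, decodes it and pulls out the command-and-control endpoints. The file name, the decoded layout (one `host:port` per line, first entry primary, the rest backups) and the sample values are all assumptions.

```python
"""Added example: look for a Base64-encoded config dropped beside a binary
and extract the command-and-control endpoints it names. File name, layout
and sample values are constructed assumptions, not from the real sample."""
import base64
import binascii
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# host:port where host is an IPv4 address or a DNS name
HOSTPORT_RE = re.compile(
    r"\b((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9.-]+\.[a-z]{2,}):(\d{1,5})\b", re.I
)


def decode_b64_strict(data: bytes) -> Optional[bytes]:
    """Return decoded bytes only if the whole file is valid Base64."""
    try:
        return base64.b64decode(data.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_c2(decoded: bytes) -> Dict:
    """First endpoint is treated as primary, the remaining ones as backups."""
    text = decoded.decode("utf-8", errors="replace")
    found = [(h, int(p)) for h, p in HOSTPORT_RE.findall(text) if 0 < int(p) < 65536]
    return {"primary": found[0], "backups": found[1:]} if found else {}


def triage_directory(directory: Path) -> List[Dict]:
    """Report every small file that decodes as Base64 and names C2 endpoints."""
    results = []
    for f in sorted(directory.iterdir()):
        if not f.is_file() or f.stat().st_size > 64 * 1024:
            continue
        decoded = decode_b64_strict(f.read_bytes())
        if decoded is None:
            continue
        c2 = extract_c2(decoded)
        if c2:
            results.append({"file": f.name, **c2})
    return results


def build_sample_dir() -> Path:
    """Constructed sample: one Base64 config plus two decoy files."""
    d = Path(tempfile.mkdtemp())
    cfg = b"203.0.113.10:8080\n198.51.100.7:443\nexample-c2.invalid:53\n"
    (d / "conf.dat").write_bytes(base64.b64encode(cfg))
    (d / "readme.txt").write_bytes(b"not base64 at all!!")
    (d / "hello.b64").write_bytes(base64.b64encode(b"hello world"))
    return d
```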

When the malicious program starts successfully, it sends information about the infected system to the command-and-control server; the transmitted data is subjected to VOC compression and encrypted with the Blowfish algorithm. In addition, each packet carries a checksum so that the recipient can verify the integrity of the data.

Linux.BackDoor.Dklkt.1 then waits for incoming commands, which may instruct it to launch a DDoS attack, start a SOCKS proxy server, run a specified application, or restart or shut down the computer. Other commands are ignored or processed incorrectly. Linux.BackDoor.Dklkt.1 can carry out the following DDoS attacks:

  • SYN Flood
  • HTTP Flood (POST / GET requests)
  • ICMP Flood
  • TCP Flood
  • UDP Flood

The signature for Linux.BackDoor.Dklkt.1 has been added to the Dr.Web virus databases, so users of Dr.Web Anti-virus for Linux are protected against this threat.

source: Doctor Web


