I've been hearing a lot about the Fokirtor Trojan, which creates a backdoor into Linux systems. How can I prevent,...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
detect and mitigate this threat?
The Fokirtor Trojan is a variety of malware that targets Linux systems. While Symantec Corp. rates its risk level as very low, others have commented that Fokirtor looks like a well-constructed threat. Though it seems to rely on another payload to gain a foothold on a target system, once it does, it steals sensitive data and encrypts it for exfiltration, making outbound detection a challenge. Based on what the Trojan is able to steal, Fokirtor gives its controller the option of performing additional data thefts.
Preventing Fokirtor from installing itself on a Linux system appears to be difficult, given that a Symantec report revealed that one compromised company was generally well protected when it was attacked. One of the key issues victims are likely to encounter is stopping the attacker from getting root access or from executing unapproved code. Assuming that a zero day was used in the attack for the initial access to the system and then was used to get root access, additional host-based security measures would be prudent.
Detecting Fokirtor might be more difficult than detecting other Linux backdoors because it opens a new port via which it can both receive commands and connect to a command-and-control system. Analyzing the network traffic for the command-and-control communication with an intrusion prevention or intrusion detection system could effectively help detect the threat.
Mitigating the threat of Fokirtor can be done through analysis of network traffic or additional host-based security, such as using SELinux or AppArmor to prevent unapproved code from executing on a system. File integrity monitoring tools -- a competitive security market segment with competitors such as Trustwave, LogRhythm, NetIQ, Tripwire, AlienVault, OSSEC and others -- could also be used to detect changes to files on the system and generate alerts when unauthorized changes are detected. Other steps, such as mounting file systems as read-only for binaries and prohibiting execution from all other file systems, can help protect a Linux system, but this might add complexity that could be avoided with a file integrity monitoring tool.
Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email! (All questions are anonymous.)
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
A recent version of the iSpy keylogger has the ability to steal passwords and record Skype chats. Expert Nick Lewis explains how it works and how to ...continue reading
IoT botnet DDoS attacks have been growing in volume and impact. Expert Nick Lewis explains how you can ensure your internet-connected devices are ...continue reading
A new type of macro malware has the ability to evade the detection of virtual machines and sandbox environments. Expert Nick Lewis explains how to ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.