I've been hearing a lot about the Fokirtor Trojan, which creates a backdoor into Linux systems. How can I prevent, detect and mitigate this threat?
The Fokirtor Trojan is a variety of malware that targets Linux systems. While Symantec Corp. rates its risk level as very low, others have commented that Fokirtor looks like a well-constructed threat. Though it seems to rely on another payload to gain a foothold on a target system, once it does, it steals sensitive data and encrypts it for exfiltration, making outbound detection a challenge. Based on what the Trojan is able to steal, Fokirtor gives its controller the option of performing additional data thefts.
Preventing Fokirtor from installing itself on a Linux system appears to be difficult, given that a Symantec report revealed that one compromised company was generally well protected when it was attacked. One of the key issues victims are likely to encounter is stopping the attacker from getting root access or from executing unapproved code. Assuming that a zero day was used in the attack for the initial access to the system and then was used to get root access, additional host-based security measures would be prudent.
Detecting Fokirtor might be more difficult than detecting other Linux backdoors because it opens a new port via which it can both receive commands and connect to a command-and-control system. Analyzing the network traffic for the command-and-control communication with an intrusion prevention or intrusion detection system could effectively help detect the threat.
Mitigating the threat of Fokirtor can be done through analysis of network traffic or additional host-based security, such as using SELinux or AppArmor to prevent unapproved code from executing on a system. File integrity monitoring tools -- a competitive security market segment with competitors such as Trustwave, LogRhythm, NetIQ, Tripwire, AlienVault, OSSEC and others -- could also be used to detect changes to files on the system and generate alerts when unauthorized changes are detected. Other steps, such as mounting file systems as read-only for binaries and prohibiting execution from all other file systems, can help protect a Linux system, but this might add complexity that could be avoided with a file integrity monitoring tool.