Q

Fokirtor Trojan: How to avoid infection, boost Linux security

The Fokirtor Trojan creates a dangerous backdoor in Linux systems. Learn how to keep enterprise Linux systems from being infiltrated and compromised.

I've been hearing a lot about the Fokirtor Trojan, which creates a backdoor into Linux systems. How can I prevent, detect and mitigate this threat?

The Fokirtor Trojan is a variety of malware that targets Linux systems. While Symantec Corp. rates its risk level as very low, others have commented that Fokirtor looks like a well-constructed threat. Though it seems to rely on another payload to gain a foothold on a target system, once it does, it steals sensitive data and encrypts it for exfiltration, making outbound detection a challenge. Based on what the Trojan is able to steal, Fokirtor gives its controller the option of performing additional data thefts.

Preventing Fokirtor from installing itself on a Linux system appears to be difficult, given that a Symantec report revealed that one compromised company was generally well protected when it was attacked. One of the key issues victims are likely to encounter is stopping the attacker from getting root access or from executing unapproved code. Assuming that a zero day was used in the attack for the initial access to the system and then was used to get root access, additional host-based security measures would be prudent.

Detecting Fokirtor might be more difficult than detecting other Linux backdoors because it opens a new port via which it can both receive commands and connect to a command-and-control system. Analyzing the network traffic for the command-and-control communication with an intrusion prevention or intrusion detection system could effectively help detect the threat.

Mitigating the threat of Fokirtor can be done through analysis of network traffic or additional host-based security, such as using SELinux or AppArmor to prevent unapproved code from executing on a system. File integrity monitoring tools -- a competitive security market segment with competitors such as Trustwave, LogRhythm, NetIQ, Tripwire, AlienVault, OSSEC and others -- could also be used to detect changes to files on the system and generate alerts when unauthorized changes are detected. Other steps, such as mounting file systems as read-only for binaries and prohibiting execution from all other file systems, can help protect a Linux system, but this might add complexity that could be avoided with a file integrity monitoring tool.

Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email! (All questions are anonymous.)

This was first published in June 2014

Dig deeper on Malware, Viruses, Trojans and Spyware

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close