Problem solve Get help with specific problems with your technologies, process and projects.

Fokirtor Trojan: How to avoid infection, boost Linux security

The Fokirtor Trojan creates a dangerous backdoor in Linux systems. Learn how to keep enterprise Linux systems from being infiltrated and compromised.

I've been hearing a lot about the Fokirtor Trojan, which creates a backdoor into Linux systems. How can I prevent, detect and mitigate this threat?

The Fokirtor Trojan is a variety of malware that targets Linux systems. While Symantec Corp. rates its risk level as very low, others have commented that Fokirtor looks like a well-constructed threat. Though it seems to rely on another payload to gain a foothold on a target system, once it does, it steals sensitive data and encrypts it for exfiltration, making outbound detection a challenge. Based on what the Trojan is able to steal, Fokirtor gives its controller the option of performing additional data thefts.

Preventing Fokirtor from installing itself on a Linux system appears to be difficult, given that a Symantec report revealed that one compromised company was generally well protected when it was attacked. One of the key issues victims are likely to encounter is stopping the attacker from getting root access or from executing unapproved code. Assuming that a zero day was used in the attack for the initial access to the system and then was used to get root access, additional host-based security measures would be prudent.

Detecting Fokirtor might be more difficult than detecting other Linux backdoors because it opens a new port via which it can both receive commands and connect to a command-and-control system. Analyzing the network traffic for the command-and-control communication with an intrusion prevention or intrusion detection system could effectively help detect the threat.

Mitigating the threat of Fokirtor can be done through analysis of network traffic or additional host-based security, such as using SELinux or AppArmor to prevent unapproved code from executing on a system. File integrity monitoring tools -- a competitive security market segment with competitors such as Trustwave, LogRhythm, NetIQ, Tripwire, AlienVault, OSSEC and others -- could also be used to detect changes to files on the system and generate alerts when unauthorized changes are detected. Other steps, such as mounting file systems as read-only for binaries and prohibiting execution from all other file systems, can help protect a Linux system, but this might add complexity that could be avoided with a file integrity monitoring tool.

Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email! (All questions are anonymous.)

This was last published in June 2014

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.