The Fokirtor Trojan is a variety of malware that targets Linux systems. While Symantec Corp. rates its risk level as very low, others have commented that Fokirtor looks like a well-constructed threat. Though it seems to rely on another payload to gain a foothold on a target system, once it does, it steals sensitive data and encrypts it for exfiltration, making outbound detection a challenge. Based on what the Trojan is able to steal, Fokirtor gives its controller the option of performing additional data thefts.
Preventing Fokirtor from installing itself on a Linux system appears to be difficult, given that a Symantec report revealed that one compromised company was generally well protected when it was attacked. One of the key issues victims are likely to encounter is stopping the attacker from getting root access or from executing unapproved code. Assuming that a zero day was used in the attack for the initial access to the system and then was used to get root access, additional host-based security measures would be prudent.
Detecting Fokirtor might be more difficult than detecting other Linux backdoors because it opens a new port via which it can both receive commands and connect to a command-and-control system. Analyzing the network traffic for the command-and-control communication with an intrusion prevention or intrusion detection system could effectively help detect the threat.
Mitigating the threat of Fokirtor can be done through analysis of network traffic or additional host-based security, such as using SELinux or AppArmor to prevent unapproved code from executing on a system. File integrity monitoring tools -- a competitive security market segment with competitors such as Trustwave, LogRhythm, NetIQ, Tripwire, AlienVault, OSSEC and others -- could also be used to detect changes to files on the system and generate alerts when unauthorized changes are detected. Other steps, such as mounting file systems as read-only for binaries and prohibiting execution from all other file systems, can help protect a Linux system, but this might add complexity that could be avoided with a file integrity monitoring tool.
Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email! (All questions are anonymous.)
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Island hopping attacks create enterprise risk by threatening their business affiliates. Here's how to create an incident response plan to mitigate ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading