The PhishLabs Blog

Backdoor found in popular Linux distro

Posted by R.A.I.D. on Feb 23, '16

The Kaiten bot was distributed in some Linux Mint ISO downloads. Here are the IOCs.

According to reports from the Linux Mint Blog, hackers created a backdoored version of the Linux Mint distribution's ISO files and then compromised the Linux Mint website to change the download links to point to the backdoored versions hosted in Bulgaria.

The "Mint Team," maintainers of the distro and operators of the hacked web site, say that the links were only active on February 20th, 2016.  These were listed under download "mirror" sites; direct HTTP downloads from Mint Team servers and torrents were not affected.  Only backdoored versions of the "Cinnamon" edition were identified, not the "MATE" or "Xfce" editions, which use different default desktop environments.

The Mint Team has reposted hash sums for valid ISO images; however, Linux Mint forum users reported invalid hashes for downloads from at least two other mirrors, the University of Canterbury and Xnet.  PhishLabs R.A.I.D. has confirmed that the reported MD5 hash value of these downloads (7d590864618866c225ede058f1ba61f0) matches an ISO that does contain the backdoor.

The window of exposure may be longer than just the day of February 20, 2016.  The file that indicates a backdoored system is timestamped on February 19, and the files from the other mirrors may have been active as late as the early morning on February 21.  Simply looking for indicators based on the February 20 date may not be enough to identify all incidents.

The backdoored disk images, which can be used to run a "live" version of Linux Mint version 17.3 from a removable disk or to install the operating system to a hard disk, contain a copy of the Kaiten bot.  Kaiten is one of the two most widely distributed DDoS bots compiled for the Linux platform.  It is written in the C programming language and compiled into an ELF format executable program.  Various versions of its source code can be easily located on the Internet.

On startup, Kaiten attempts to connect to one or more IRC (Internet Relay Chat) servers and registers itself with a particular "channel" or chat room on which it will listen for commands.  In addition to TCP SYN floods and spoofed and non-spoofed UDP floods, the Kaiten bot provides backdoor download and execute functionality through the GET and SH commands, respectively.  In this case, the bot executes commands with root/superuser (UID 0) privileges.

Kaiten is also known as Tsunami, ktx, and STD.  Recent versions are most commonly associated with the DDoS threat actor handles "Loonies Squad" and "Shitty Squad".  In recent attacks, versions of the Perl-based DDoS tool and backdoor "SERVIDOR", a.k.a. "w0rmb0t", were discovered installed alongside copies of Kaiten.

In a related item, the Mint Team confirms that the user database for the official Linux Mint forums website was leaked online on February 21, 2016.  Usernames, email addresses, encrypted forum passwords, and any personal information entered into forum user profiles or posts by forum users have been compromised.  Linux Mint forum users are advised to change their passwords.

A threat actor on a popular Dark Web cybercriminal marketplace has claimed credit for the attack.  Timelines and details regarding the leaked user database support this actor's claims.

Indicators of Compromise

IP addresses

A backdoored ISO file was known to have been hosted at this IP address:

5.104.175.212

This IP address is allocated to Verdina.net, a hosting provider, and geolocated to a data center in Sofia, Bulgaria.

Hashes

The following identifies the backdoored ISO file hosted at the IP address above:

Filename: linuxmint-17.3-cinnamon-64bit.iso
MD5: 7d590864618866c225ede058f1ba61f0
SHA-1: cd6def080ec08bc0d6159a7168f2f85800eb93c1
SHA-256: 3723794a04602987ddbf3a8deb4044cf071ab086244c7f908293b081e38dcd82

Host-based IOCs

Machines running a backdoored version of the ISO image from a removable disk in "LiveCD" mode will have the following file, which is not part of the official distribution:

File: /var/lib/man.cy
MD5: 9bc3f9009fcdad9a26c652eb8ef9a89f
SHA-1: 6fbc376a0133942572b00bbd016fcad6ea1b0faf
SHA-256: b3b40059aa95d260b1c2df5a071cdc8b508c59ddcc75b88b11b94fb32dda35e0

Network-based IOCs

The version of Kaiten distributed in the backdoored ISO image file is configured to attempt connections to IRC on port 6667/tcp on the following servers:

  • absentvodka.com
  • mintylinux.com
  • mylittlerepo.com
  • kernel-org.org
  • absentvodka.com

Upon connection, the bot joins the C2 IRC channel "#mint" using the password "bleh" and awaits commands.

PhishLabs R.A.I.D. has confirmed that the open-source Snort rules published by Emerging Threats for Kaiten reliably detect IRC traffic to/from the version of Kaiten distributed with the backdoored ISO image files in this case.
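As an added illustration (not part of the PhishLabs post), the host- and network-based IOCs above turned into a small Python triage script: it flags connection-log lines that touch the C2 domains, the hosting IP or IRC port 6667/tcp, recognises the "#mint"/"bleh" channel join, and checks a filesystem root for /var/lib/man.cy. The connection-log format and the sample lines are constructed for this example; only the indicators themselves come from the post.

```python
import hashlib
import re
from pathlib import Path

# Indicators taken from the post above.
C2_IP = "5.104.175.212"  # hosted the backdoored ISO
C2_DOMAINS = {"absentvodka.com", "mintylinux.com", "mylittlerepo.com", "kernel-org.org"}
C2_PORT = 6667
C2_JOIN = re.compile(r"^JOIN\s+#mint\s+bleh\b")  # channel "#mint", key "bleh"
MANCY_REL = "var/lib/man.cy"
MANCY_SHA256 = "b3b40059aa95d260b1c2df5a071cdc8b508c59ddcc75b88b11b94fb32dda35e0"

# Hypothetical connection-log format constructed for this example: "<ts> <src_ip> <dst_ip>:<dst_port> <server_name_or_->"
CONN_RE = re.compile(r"^(\S+) (\S+) (\d+\.\d+\.\d+\.\d+):(\d+) (\S+)$")

def classify_connection(line):
    """Return (severity, reason) for one log line, or None if nothing matches."""
    m = CONN_RE.match(line)
    if not m:
        return None
    _ts, _src, dst, port, name = m.groups()
    if name in C2_DOMAINS:
        return ("high", f"connection to known Kaiten C2 host {name}")
    if dst == C2_IP:
        return ("high", "connection to the IP that hosted the backdoored ISO")
    if int(port) == C2_PORT:  # plain IRC is not malicious by itself: low confidence, review on hosts that should not use IRC
        return ("low", f"IRC port {C2_PORT}/tcp to unlisted host {name}")
    return None

def scan_connections(log_text):
    return [(line, hit) for line in log_text.splitlines() if (hit := classify_connection(line))]

def is_kaiten_join(irc_line):
    """True for the channel join this Kaiten build sends right after connecting."""
    return bool(C2_JOIN.match(irc_line.strip()))

def check_mancy(root="/"):
    """Look for /var/lib/man.cy under root: None if absent, else (path, sha256, matches_ioc)."""
    p = Path(root) / MANCY_REL
    if not p.is_file():
        return None
    digest = hashlib.sha256(p.read_bytes()).hexdigest()
    return (str(p), digest, digest == MANCY_SHA256)

# Constructed sample log lines (all hosts except the C2 IP are documentation/test addresses).
SAMPLE_CONN_LOG = """2016-02-20T03:12:01Z 10.0.0.7 93.184.216.34:443 example.org
2016-02-20T03:12:09Z 10.0.0.7 5.104.175.212:80 -
2016-02-20T03:15:44Z 10.0.0.7 198.51.100.9:6667 absentvodka.com
2016-02-20T03:15:45Z 10.0.0.7 198.51.100.9:6667 irc.example.net"""
```

Pointing `check_mancy` at a mounted image root (for example `check_mancy("/mnt/suspect")`) lets you inspect a live-USB or installed disk offline rather than the analysis host itself.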

Topics: DDoS, Botnet, Hacked
