“This post describes a backdoor that spawns a fully encrypted and integrity checked reverse shell that was found in our SSH honeypot,” states the report published by GoSecure.
“We named the backdoor ‘Chaos’, following the name the attacker gave it on the system. After more research, we found out this backdoor was originally part of the ‘sebd’ rootkit that was active around 2013.”
The Chaos backdoor was one of the components of the “sebd” Linux rootkit that appeared in the threat landscape back in 2013, researchers discovered a post on hackforums.net, where a user claims to know how the backdoor was made publicly available.
It seems that the source code of the backdoor was caught by a “researcher” that released it on the forum by changing the name of the backdoor in Chaos to trick members into believing that is was a new threat.
The malicious code is now being used by attackers in the wild to target Linux servers worldwide.
Researchers performed an Internet-wide scan using the handshake extracted from the client in order to determine the number of infected Linux servers and they discovered that this number is quite low, below the 150 marks.
The installation of the Chaos backdoor starts with the attacker downloading a file that pretended to be a jpg from http://xxx.xxx.xxx.29/cs/default2.jpg.
The file was currently a .tar archive containing the Chaos (ELF executable), the client (ELF executable), initrunlevels Shell script, the install Shell script.
“Chaos”, in the tar archive, is the actual backdoor that is installed on the victim’s system and the “Client” file is the client to connect to the installed backdoor.
The backdoor is not sophisticated is doesn’t rely on any exploits, it opens a raw socket on port 8338 on which it listens to commands.
“Any decent firewall would block incoming packets to any ports that have not explicitly been opened for operational purposes,” GoSecure experts say. “However, with Chaos using a raw socket, the backdoor can be triggered on ports running an existing legitimate service.”
To check if your system is infected experts suggest to run the following command as root:
and analyze the list the processes to determine which are legitimate ones that have listening raw sockets open.
“Because chaos doesn’t come alone but with at least one IRC Bot that has remote code execution capabilities, we advise infected hosts to be fully reinstalled from a trusted backup with a fresh set of credentials.” suggest experts to the owner of infected systems.
(Security Affairs – Chaos Backdoor, Linux Servers)