Today we're going to discuss a very important topic: a sophisticated Linux backdoor called Plague. If you're an IT security admin, it's really important to understand advanced threats like this one, especially those that target core system components.
Think of this as a lesson in understanding how attackers try to stay hidden and bypass security controls.
What is Plague?
First, let's understand what Plague is.
Plague is a malicious program (a "backdoor") specifically designed for Linux systems. Its main purpose is to allow attackers to secretly bypass system authentication.
This means an attacker can get into a system without needing a valid username and password, or by using a secret, hardcoded password.
It provides persistent SSH access for attackers. Persistent means it stays on the system even after reboots or updates.
Plague is Dangerous and Hard to Detect
Plague is very dangerous because it's extremely stealthy and hard to detect.
It has gone publicly unnoticed for a long time, and many antivirus engines do not flag it as malicious. It can hide on systems without being caught by common security tools.
The Plague backdoor integrates deeply into the authentication stack: it targets PAM (Pluggable Authentication Modules), a foundational component of authentication on Linux systems.
It survives system updates. So, even if you update your system, Plague might still be there.
It leaves almost no forensic traces. Forensic traces are like digital footprints. Plague tries to erase them, making it very difficult to know an attacker was there.
How Does Plague Work?
Plague achieves its stealth and persistence through several clever techniques:
1. PAM-Based Backdoor
As you may already know, PAM is a framework that handles user authentication for many programs.
Plague is built as a malicious PAM module. It injects itself directly into the system's authentication process.
When a program like login or sshd asks PAM to authenticate a user, Plague can intercept this request and allow the attacker in.
2. Bypassing Authentication
Plague uses static, hardcoded passwords. These are secret passwords built into the backdoor itself, like "Mvi4Odm6tld7", "IpV57KNK32Ih", and "changeme".
An attacker can use one of these passwords to log in, bypassing the system's normal password checks.
3. Advanced Evasion Techniques
Anti-Debug Features:
Plague makes it difficult for security researchers to analyse it. It checks whether it is running under the filename libselinux.so.8 and whether ld.so.preload is absent from its environment variables.
This helps it evade debuggers and sandbox environments, which often use these mechanisms for analysis.
String Obfuscation:
The Plague backdoor hides important text and data inside its code. This makes it very hard to understand what the backdoor is doing just by looking at its code. It uses complex methods, including multiple layers of encryption (XOR, KSA/PRGA, DRBG).
Environment Tampering (Stealth):
Plague actively cleans up the runtime environment to remove evidence of an attacker's presence.
- It unsets environment variables like SSH_CONNECTION and SSH_CLIENT.
- It redirects HISTFILE to /dev/null. This prevents shell commands from being recorded in the user's history, erasing the attacker's footprint.
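The environment tampering described above is itself a detectable signal. The following is an added example, not code from the article or from Nextron: it inspects the NUL-separated format of /proc/<pid>/environ and flags shells whose environment looks scrubbed. The ProcInfo structure and the two environment blobs are constructed for the example.

```python
# Added example (not from the original article): flag shell sessions whose
# environment shows the tampering described above. Input is the NUL-separated
# format of /proc/<pid>/environ; the sample blobs below are constructed.
from dataclasses import dataclass

@dataclass
class ProcInfo:               # hypothetical container for what a collector gathers
    pid: int
    comm: str                 # process name, as in /proc/<pid>/comm
    parent_comm: str          # name of the parent process
    environ: bytes            # raw contents of /proc/<pid>/environ

def parse_environ(raw: bytes) -> dict[str, str]:
    """Split a /proc/<pid>/environ blob into a dict (NUL-separated KEY=VALUE)."""
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

SHELLS = {"bash", "sh", "zsh", "dash"}

def suspicious_session(proc: ProcInfo) -> list[str]:
    """Return reasons a shell session looks like its environment was scrubbed."""
    if proc.comm not in SHELLS:
        return []
    env = parse_environ(proc.environ)
    reasons = []
    if env.get("HISTFILE") == "/dev/null":
        reasons.append("HISTFILE redirected to /dev/null")
    # A shell spawned by sshd normally inherits SSH_CONNECTION and SSH_CLIENT.
    if proc.parent_comm == "sshd":
        for var in ("SSH_CONNECTION", "SSH_CLIENT"):
            if var not in env:
                reasons.append(f"{var} missing from sshd child")
    return reasons

# Constructed samples: a normal SSH login shell and a scrubbed one.
NORMAL = ProcInfo(4101, "bash", "sshd",
                  b"USER=alice\0HOME=/home/alice\0SSH_CONNECTION=10.0.0.5 51234 10.0.0.9 22\0"
                  b"SSH_CLIENT=10.0.0.5 51234 22\0HISTFILE=/home/alice/.bash_history\0")
SCRUBBED = ProcInfo(4187, "bash", "sshd",
                    b"USER=root\0HOME=/root\0HISTFILE=/dev/null\0TERM=xterm\0")
```

A login shell whose HISTFILE was set in .bashrc would not export it, so a HISTFILE value visible in /proc/<pid>/environ is one that was injected before the shell started, which is exactly the case the session-level tampering produces.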
Hidden Session Artifacts:
It ensures that almost no audit trail or login metadata is retained.
Challenges in Detection
Because of these sophisticated features, Plague is exceptionally hard to detect using traditional security tools. This highlights the importance of:
- Proactive detection. You can't just wait for an alert; you need to actively hunt for these threats.
- YARA-based hunting. YARA rules are patterns used to identify malware.
- Behavioral analysis. This means looking at what programs do on the system, not just what they are.
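One practical form of proactive hunting is to inventory every module that PAM is configured to load and compare it against what the distribution is expected to ship. The block below is an added example, not the article's or Nextron's tooling: the BASELINE set is an assumed allowlist, and the sample /etc/pam.d/sshd text (with one injected line using the libselinux.so.8 name mentioned above) is constructed.

```python
# Added example, not from the article or Nextron's tooling: list every module
# referenced in a PAM config and flag anything outside an assumed baseline.
import re

# Assumed baseline of modules a typical install references; tune per distro.
BASELINE = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_nologin.so",
    "pam_limits.so", "pam_systemd.so", "pam_motd.so", "pam_selinux.so", "pam_keyinit.so",
}

# A PAM line is: [type] [control or [bracketed control]] module [args...]
PAM_LINE = re.compile(
    r"^\s*-?(auth|account|password|session)\s+"
    r"(\[[^\]]*\]|\S+)\s+(?P<module>\S+)"
)

def referenced_modules(config_text: str) -> dict[str, list[int]]:
    """Map each referenced module to the config line numbers that load it."""
    found: dict[str, list[int]] = {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = PAM_LINE.match(line.split("#", 1)[0])   # ignore comments
        if m:
            found.setdefault(m.group("module"), []).append(lineno)
    return found

def suspicious_modules(config_text: str) -> dict[str, str]:
    """Return {module: reason} for references an analyst should inspect."""
    hits = {}
    for module in referenced_modules(config_text):
        name = module.rsplit("/", 1)[-1]
        if "/" in module:
            hits[module] = "absolute path instead of module name"
        elif not name.startswith("pam_"):
            hits[module] = "does not follow pam_* naming"
        elif name not in BASELINE:
            hits[module] = "not in baseline allowlist"
    return hits

# Constructed sample of /etc/pam.d/sshd with one injected line (line 3).
SAMPLE_PAM_SSHD = """\
# PAM configuration for the Secure Shell service
auth       required     pam_nologin.so
auth       sufficient   libselinux.so.8
@include   common-auth
account    required     pam_unix.so
session    [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session    optional     pam_motd.so  motd=/run/motd.dynamic
"""
```

Run it over the real files in /etc/pam.d and follow up each hit by checking whether the module file on disk belongs to an installed package; a module that no package owns deserves the same attention as one with an unexpected name.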
Key Takeaways
- Core System Components are Targets: Attackers love to target fundamental parts of the operating system, like PAM, because they offer deep access and persistence. If they compromise PAM, they control authentication for the whole system.
- Stealth is Paramount: Modern backdoors go to extreme lengths to hide themselves. Learn about techniques like obfuscation, anti-debug, and environment tampering.
- Persistence is Key: Attackers want to stay on a system. Understanding how backdoors survive reboots and updates (like Plague integrating deeply into the authentication stack) is important.
- Traditional Tools May Fail: Don't rely solely on antivirus. Sophisticated threats like Plague can easily evade them. This is why proactive hunting, like using YARA rules and behavioral analysis, is so important.
- Forensics Matters: Even if a backdoor tries to erase its tracks, there might be subtle clues left behind, like the hardcoded passwords or specific flags (e.g., bkr=1). Learning to look for these "artifacts" is vital for incident response.
Understanding Plague helps us to know the advanced tactics used by threat actors and reinforces why we need to be vigilant and adaptable in our security practices.
Nextron Systems, a German security company, published an in-depth study of the Plague backdoor. If you're interested in learning more about it, please check the following link:
2 comments
Fear porn? Advertising Nextron’s services?
Why not state how the malware infects the OS? Why not state how to remove it?
Should this article be labeled as a sponsored post?
It is NOT a sponsored post. We just wanted to spread awareness about this incident. Thanks for your comment.