While investigating suspicious Domain Name System (DNS) requests coming from a system at a financial institution, researchers at Kaspersky Lab discovered a backdoor, which they have named ShadowPad, in recently released builds of two software suites from NetSarang Computer Inc. NetSarang develops connectivity and server-management tools that administrators use to manage Linux and Unix systems, and its software is used by hundreds of companies worldwide.
The backdoor was made to look as legitimate as possible: it shipped inside a library that carried NetSarang's own valid code-signing signature, which strongly suggests that the attackers compromised NetSarang's build or distribution process rather than tampering with copies after download. ShadowPad is modular, giving the attackers broad scope for gathering data and for loading additional components on demand, and the same supply-chain technique could be reused against other software products. The researchers noted characteristics that suggest a Chinese-speaking group may be responsible.
The backdoor affects NetSarang's Xmanager and Xshell products. Once installed, it periodically sends information about the compromised machine, including the host name, user names and network details, to a command-and-control server, using DNS queries as the transport. NetSarang is investigating how the malicious code got into its build process, has coordinated with antivirus vendors so that the affected builds are detected, and has released an updated, clean build that users should install to remove the backdoor. Because the trojanised builds carry a valid signature, checking the signature alone will not distinguish them from clean releases; administrators should compare installed versions against NetSarang's advisory and look for the periodic DNS beaconing described above.
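As an added example of the kind of DNS-based detection that uncovered this incident, the script below flags clients that query a domain at regular intervals with long, high-entropy leftmost labels, the generic signature of a DNS beacon that encodes host data into the name. It is illustrative code written for this article, not Kaspersky's or NetSarang's tooling; the log lines, client addresses and the domain `c2-placeholder.test` are constructed placeholders, and the label encoding is a generic hex pattern rather than ShadowPad's actual scheme. The thresholds (`min_queries`, `min_label_len`, `min_entropy`, `max_jitter`) are assumed starting points to tune against your own traffic.

```python
"""Heuristic detector for periodic, high-entropy DNS queries (beaconing/exfil).

Added example for this article; not vendor code. All hosts and domains below
are constructed placeholders.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log: "<ISO8601 timestamp> <client IP> <queried name>".
# The client 10.1.2.7 queries a made-up domain every ~8 hours with a 32-char
# hex label; the other lines are ordinary lookups that must not be flagged.
SAMPLE_LOG = """\
2017-07-18T00:05:10Z 10.1.2.7 www.example.com
2017-07-18T00:05:10Z 10.1.2.7 7a4c9e1f0b3d5e6a8c2f4b1d9e7a3c5f.c2-placeholder.test
2017-07-18T08:05:12Z 10.1.2.7 7b4c9e1f0b3d5e6a8c2f4b1d9e7a3c5e.c2-placeholder.test
2017-07-18T16:05:09Z 10.1.2.7 7c4c9e1f0b3d5e6a8c2f4b1d9e7a3c5d.c2-placeholder.test
2017-07-19T00:05:11Z 10.1.2.7 7d4c9e1f0b3d5e6a8c2f4b1d9e7a3c5c.c2-placeholder.test
2017-07-18T09:15:00Z 10.1.2.9 mail.example.com
2017-07-18T09:15:01Z 10.1.2.9 www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex approaches 4.0, a label like 'www' is 0.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text: str):
    """Yield (timestamp, client, qname) tuples from the simple whitespace format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, qname = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, client, qname.lower().rstrip(".")


def registered_domain(qname: str) -> str:
    """Last two labels. Real deployments should use the Public Suffix List instead."""
    return ".".join(qname.split(".")[-2:])


def leftmost_label(qname: str) -> str:
    return qname.split(".")[0]


def find_beacons(text: str, min_queries: int = 3, min_label_len: int = 16,
                 min_entropy: float = 3.0, max_jitter: float = 0.05):
    """Return findings for (client, domain) pairs that look like encoded beacons.

    A pair is flagged when it has at least min_queries lookups, the leftmost
    labels are long and high-entropy on average, and the gaps between queries
    deviate from their mean by no more than max_jitter (a fraction of the mean).
    """
    by_key = defaultdict(list)
    for when, client, qname in parse_log(text):
        by_key[(client, registered_domain(qname))].append((when, qname))

    findings = []
    for (client, domain), events in by_key.items():
        if len(events) < min_queries:
            continue
        events.sort()
        labels = [leftmost_label(q) for _, q in events]
        avg_len = sum(len(l) for l in labels) / len(labels)
        avg_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        if avg_len < min_label_len or avg_entropy < min_entropy:
            continue  # looks like normal hostnames, not encoded data
        times = [w for w, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap <= 0:
            continue
        jitter = max(abs(g - mean_gap) for g in gaps) / mean_gap
        if jitter > max_jitter:
            continue  # irregular timing; not a beacon by this heuristic
        findings.append({
            "client": client,
            "domain": domain,
            "queries": len(events),
            "unique_labels": len(set(labels)),
            "mean_interval_s": mean_gap,
            "avg_label_entropy": round(avg_entropy, 2),
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['domain']}: {f['queries']} queries, "
              f"every ~{f['mean_interval_s'] / 3600:.1f} h, "
              f"label entropy {f['avg_label_entropy']}")
```

The entropy and length checks catch the encoded-data pattern while the jitter check separates a scheduled beacon from a user who happens to visit the same site several times. In practice you would run this over resolver logs grouped per day, suppress known CDN and telemetry domains that legitimately use long random labels, and treat a hit as a lead for host inspection rather than a verdict.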