
Cloud Snooper

Posted: February 26, 2020

Cloud Snooper is a piece of malware that targets Linux servers exclusively and, despite its name, is not limited to infecting cloud servers. The most notable finding of the researchers who analyzed Cloud Snooper is that cybercriminals keep experimenting with new ways to receive commands from their control server: using the DNS protocol to carry commands is one of the more inventive features seen in recent malware, but the authors of Cloud Snooper have introduced a novel technique of their own.

Network Ports and Their Usage

Software that communicates over the Internet usually has a dedicated port that it uses to transmit data: 80 for HTTP, 443 for HTTPS, 21 for FTP, and so on. Programs can use any port between 1 and 65535. Windows services tend to stick to ports between 49152 and 65535, while the preferred ports of UNIX-based systems vary more. These default ports fall into the so-called 'ephemeral range' that the operating system prefers to use, but nothing stops an application from using, for example, port 1111 or port 2222. Such traffic is seen as legitimate, and trying to filter it out manually may cause certain software to malfunction.

Another thing worth noting about ports is that every connection made to a remote server's destination port (e.g., 80) also gets a source port assigned on the other end. For example, when you open Google.com, the remote server may see your connection arriving from source port 54188. This small communication detail is what the Cloud Snooper malware uses to receive commands and keep its operations hidden from firewalls.

Fake, Corrupted Linux Driver 'snd_floppy' is Commanded via Port Pings

The Cloud Snooper implant often poses as a fake Linux driver named 'snd_floppy.' The 'snd' prefix is mostly used for audio drivers, but you can rest assured that 'snd_floppy' is not a legitimate driver. Once active, the implant listens for pings that use a specific port number, and, as you can probably guess, these pings come from the attacker. Keep in mind that the packet sent by the attacker does not need to contain any command or details; it just needs to reach the infected host with the right port number. Firewalls are likely to ignore a random empty packet that uses port 6060, and this is exactly what allows Cloud Snooper to receive commands even when the infected host is protected by a firewall or another tool that monitors network traffic.

Some of the commands that the Cloud Snooper implant understands are tied to the following port numbers:

  • 8080 – captures traffic from port 8080 and redirects it to port 2053, which may allow the malware to spy on it.
  • 9999 – stops the implant and deletes its components.
  • 6060 – a malicious payload can be hidden inside the fake 'snd_floppy' driver, and a ping on port 6060 commands it to unpack and execute that program.

There is a small chance that a legitimate service could trigger the Cloud Snooper implant by accidentally using one of the pre-configured ports, but this is probably a minor risk that the attackers consider unimportant.
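Because the implant keys on the source port of an inbound packet rather than the destination port, a firewall rule written only around destination ports will never see the trigger. The following added example (not code from the original article or from the malware) shows how a defender can hunt for such packets in iptables LOG output: it parses a constructed sample log, flags packets whose source port is one of the three trigger ports listed above, and ranks source addresses by how many distinct trigger ports they touched, which helps separate a real operator from the accidental collision with a legitimate service mentioned above. The log format and sample addresses are assumptions for illustration.

```python
import re
from collections import defaultdict

# Trigger ports the article attributes to Cloud Snooper, keyed to the command each one carries.
# The implant keys on the SOURCE port of an inbound packet, so that is the field matched below.
CLOUD_SNOOPER_TRIGGERS = {
    8080: "redirect port 8080 traffic to port 2053",
    9999: "stop the implant and delete its components",
    6060: "unpack and execute the payload hidden in snd_floppy",
}

# Field layout of an iptables/nftables LOG kernel message (SRC, DST, PROTO, SPT, DPT are standard fields).
_NETFILTER_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

# Constructed sample log (documentation-range addresses): one ordinary HTTPS client, an ICMP echo,
# and three packets whose source port is a trigger port, aimed at ports a firewall already allows.
SAMPLE_LOG = """\
Feb 26 10:00:01 web1 kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=10.0.0.5 LEN=40 TTL=52 PROTO=TCP SPT=54188 DPT=443 SYN
Feb 26 10:00:02 web1 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=40 TTL=48 PROTO=TCP SPT=6060 DPT=22 SYN
Feb 26 10:00:03 web1 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=40 TTL=48 PROTO=TCP SPT=9999 DPT=443 SYN
Feb 26 10:00:04 web1 kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=10.0.0.5 LEN=84 TTL=52 PROTO=ICMP TYPE=8 CODE=0
Feb 26 10:00:05 web1 kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 LEN=40 TTL=60 PROTO=TCP SPT=8080 DPT=80 SYN
"""


def parse_netfilter_line(line):
    """Return the port-bearing fields of a netfilter log line, or None for lines without SPT/DPT."""
    m = _NETFILTER_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "spt": int(m["spt"]), "dpt": int(m["dpt"])}


def find_trigger_packets(log_text):
    """Return (src_ip, source_port, dest_port, command) for each packet whose SOURCE port is a trigger.
    A destination-port-only rule misses this traffic: the attacker can aim at any permitted port."""
    hits = []
    for line in log_text.splitlines():
        pkt = parse_netfilter_line(line)
        if pkt and pkt["spt"] in CLOUD_SNOOPER_TRIGGERS:
            hits.append((pkt["src"], pkt["spt"], pkt["dpt"], CLOUD_SNOOPER_TRIGGERS[pkt["spt"]]))
    return hits


def rank_sources(hits):
    """Distinct trigger ports per source IP, most first: one source touching several trigger ports is
    much less likely to be the accidental collision with a legitimate service the article mentions."""
    ports_by_src = defaultdict(set)
    for src, spt, _dpt, _cmd in hits:
        ports_by_src[src].add(spt)
    return sorted(((s, len(p)) for s, p in ports_by_src.items()), key=lambda t: -t[1])
```

Run `find_trigger_packets(SAMPLE_LOG)` against the sample to get the three flagged packets; on a real host, feed it the kernel log lines produced by an iptables `LOG` rule on the input chain.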

The advanced techniques that Cloud Snooper uses to communicate with its control server are just one of many good reasons to invest in a reliable Linux security tool.
