SpeakUp opens up a backdoor in Linux and Mac OS X, and no antivirus detect it.

For a long time, many thought it was only Windows that got infected. Never happen to Mac’s and definitive not to any Linux system. For us that are working in the IT sector known that this was not true, and the phrase “What can be locked can also be unlocked.” And now a new trojan called SpeakUp opens up a backdoor to OS X and Linux machines, and it is spreading quick.

SpeakUp uses several vulnerabilities in six different Linux distributions and Mac OS X, but it also manages to avoid detecting any of the antivirus systems found on VirusTotal. And that is of course very scary.

For two days ago it was said that over 85,000 servers so far have been infected, starting in East Asia and Latin America, and also including servers on Amazon’s AWS cloud, and it continues to spreading, not least because of its capacity to spread within an infected internal network.

So how is SpeakUp working.

1. using a vulnerability in ThinkPHP Remote Code Execution where it uploads a PHP shell that opens a back door in Perl using a command-injection technique to send commands via a GET.

2. SpeakUp injects a back door by retrieving the payload with an ibus script in Perl.

3. The script runs immediately using an HTTP request designed to run the pearl-based back door, pausing a few seconds, and deleting files to clean up all tracks.

Once your computer is infected with SpeakUp, it immediately signals to its C&C server that it has infected a new server and sends information about the server to the network that can now be remotely controlled by the perpetrators.

If you want to read more about SpeakUp, check out CheckPoint blog post by clicking here