Doctor Web examines new backdoor for Linux
October 20, 2016
The Trojan, dubbed Linux.BackDoor.FakeFile.1, is apparently distributed as an archived PDF, Microsoft, or Open Office file.
Once launched, the Trojan saves itself to the folder .gconf/apps/gnome-common/gnome-common, located in the user’s home directory. It then searches for a hidden file, whose name matches the file name of the Trojan, and replaces the executable file with it. For instance, if an ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan will search for a hidden file under the name .AnyName.pdf and then replace the original file with it by using the command mv .AnyName.pdf AnyName.pdf. If the file is not found, Linux.BackDoor.FakeFile.1 creates it and opens it in the program gedit.
Then the Trojan checks the name of the installed Linux distribution: if the name is something other than openSUSE, Linux.BackDoor.FakeFile.1 writes a command to the file <HOME>/.profile or the file <HOME>/.bash_profile that will cause the Trojan to launch automatically. It then retrieves the configuration data from its file and decrypts it. After that, the malware program launches two threads: the first shares information with the command and control (C&C) server, and the second monitors the duration of the connection. If the Trojan goes for more than 30 minutes without receiving instructions, the connection is broken.
Linux.BackDoor.FakeFile.1 can execute the following commands:
- Send the C&C server the quantity of messages transferred during the session;
- Send a list of the contents of the specified folder;
- Send the C&C server the specified file or a folder with all its contents;
- Delete a directory;
- Delete a file;
- Rename a folder;
- Remove itself;
- Launch a new copy of a process;
- Close the current session;
- Establish backconnect and run sh;
- Terminate backconnect;
- Open the executable file of the process for writing;
- Close the process file;
- Create a file or folder;
- Write the transmitted values to a file;
- Obtain the names, permissions, sizes, and creation dates of files in the specified directory;
- Set 777 privileges on the specified file;
- Terminate the backdoor’s operation.
Linux.BackDoor.FakeFile.1 does not require root privileges to operate—it can execute its malicious functions using the rights of the current user account from which it was launched. The signature for the Trojan is already in the Dr.Web for Linux database, and it is successfully detected and removed by Doctor Web anti-virus products.
Your opinion counts
Sign in or register to comment on our news posts and take advantage of other benefits available to registered users. You will be awarded one Dr.Webling per comment. You can exchange your Dr.Weblings for gift certificates that can be used to purchase Dr.Web at a discount.