October 20, 2016
The Trojan, dubbed Linux.BackDoor.FakeFile.1, is apparently distributed as an archived PDF, Microsoft, or Open Office file.
Once launched, the Trojan saves itself to the folder .gconf/apps/gnome-common/gnome-common, located in the user’s home directory. It then searches for a hidden file, whose name matches the file name of the Trojan, and replaces the executable file with it. For instance, if an ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan will search for a hidden file under the name .AnyName.pdf and then replace the original file with it by using the command mv .AnyName.pdf AnyName.pdf. If the file is not found, Linux.BackDoor.FakeFile.1 creates it and opens it in the program gedit.
Then the Trojan checks the name of the installed Linux distribution: if the name is something other than openSUSE, Linux.BackDoor.FakeFile.1 writes a command to the file <HOME>/.profile or the file <HOME>/.bash_profile that will cause the Trojan to launch automatically. It then retrieves the configuration data from its file and decrypts it. After that, the malware program launches two threads: the first shares information with the command and control (C&C) server, and the second monitors the duration of the connection. If the Trojan goes for more than 30 minutes without receiving instructions, the connection is broken.
Linux.BackDoor.FakeFile.1 can execute the following commands:
- Send the C&C server the quantity of messages transferred during the session;
- Send a list of the contents of the specified folder;
- Send the C&C server the specified file or a folder with all its contents;
- Delete a directory;
- Delete a file;
- Rename a folder;
- Remove itself;
- Launch a new copy of a process;
- Close the current session;
- Establish backconnect and run sh;
- Terminate backconnect;
- Open the executable file of the process for writing;
- Close the process file;
- Create a file or folder;
- Write the transmitted values to a file;
- Obtain the names, permissions, sizes, and creation dates of files in the specified directory;
- Set 777 privileges on the specified file;
- Terminate the backdoor’s operation.
Linux.BackDoor.FakeFile.1 does not require root privileges to operate—it can execute its malicious functions using the rights of the current user account from which it was launched. The signature for the Trojan is already in the Dr.Web for Linux database, and it is successfully detected and removed by Doctor Web anti-virus products.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.