Malware News Doctor Web examines new backdoor for Linux

omidomi

Level 71
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,008
Most backdoor Trojans are created for Microsoft Windows; however, a few of them can infect Linux devices. This rare type of Trojan was investigated by Doctor Web’s specialists in October 2016.

The Trojan, dubbed Linux.BackDoor.FakeFile.1, is apparently distributed as an archived PDF, Microsoft, or Open Office file.

Once launched, the Trojan saves itself to the folder .gconf/apps/gnome-common/gnome-common, located in the user’s home directory. It then searches for a hidden file, whose name matches the file name of the Trojan, and replaces the executable file with it. For instance, if an ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan will search for a hidden file under the name .AnyName.pdf and then replace the original file with it by using the command mv .AnyName.pdf AnyName.pdf. If the file is not found, Linux.BackDoor.FakeFile.1 creates it and opens it in the program gedit.

Then the Trojan checks the name of the installed Linux distribution: if the name is something other than openSUSE, Linux.BackDoor.FakeFile.1 writes a command to the file <HOME>/.profile or the file <HOME>/.bash_profile that will cause the Trojan to launch automatically. It then retrieves the configuration data from its file and decrypts it. After that, the malware program launches two threads: the first shares information with the command and control (C&C) server, and the second monitors the duration of the connection. If the Trojan goes for more than 30 minutes without receiving instructions, the connection is broken.

Linux.BackDoor.FakeFile.1 can execute the following commands:

  • Send the C&C server the quantity of messages transferred during the session;
  • Send a list of the contents of the specified folder;
  • Send the C&C server the specified file or a folder with all its contents;
  • Delete a directory;
  • Delete a file;
  • Rename a folder;
  • Remove itself;
  • Launch a new copy of a process;
  • Close the current session;
  • Establish backconnect and run sh;
  • Terminate backconnect;
  • Open the executable file of the process for writing;
  • Close the process file;
  • Create a file or folder;
  • Write the transmitted values to a file;
  • Obtain the names, permissions, sizes, and creation dates of files in the specified directory;
  • Set 777 privileges on the specified file;
  • Terminate the backdoor’s operation.
Linux.BackDoor.FakeFile.1 does not require root privileges to operate—it can execute its malicious functions using the rights of the current user account from which it was launched.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top