- Apr 5, 2014
- 6,001
Most backdoor Trojans are created for Microsoft Windows; however, a few of them can infect Linux devices. This rare type of Trojan was investigated by Doctor Web’s specialists in October 2016.
The Trojan, dubbed Linux.BackDoor.FakeFile.1, is apparently distributed as an archived PDF, Microsoft, or Open Office file.
Once launched, the Trojan saves itself to the folder .gconf/apps/gnome-common/gnome-common, located in the user’s home directory. It then searches for a hidden file, whose name matches the file name of the Trojan, and replaces the executable file with it. For instance, if an ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan will search for a hidden file under the name .AnyName.pdf and then replace the original file with it by using the command mv .AnyName.pdf AnyName.pdf. If the file is not found, Linux.BackDoor.FakeFile.1 creates it and opens it in the program gedit.
Then the Trojan checks the name of the installed Linux distribution: if the name is something other than openSUSE, Linux.BackDoor.FakeFile.1 writes a command to the file <HOME>/.profile or the file <HOME>/.bash_profile that will cause the Trojan to launch automatically. It then retrieves the configuration data from its file and decrypts it. After that, the malware program launches two threads: the first shares information with the command and control (C&C) server, and the second monitors the duration of the connection. If the Trojan goes for more than 30 minutes without receiving instructions, the connection is broken.
Linux.BackDoor.FakeFile.1 can execute the following commands:
The Trojan, dubbed Linux.BackDoor.FakeFile.1, is apparently distributed as an archived PDF, Microsoft, or Open Office file.
Once launched, the Trojan saves itself to the folder .gconf/apps/gnome-common/gnome-common, located in the user’s home directory. It then searches for a hidden file, whose name matches the file name of the Trojan, and replaces the executable file with it. For instance, if an ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan will search for a hidden file under the name .AnyName.pdf and then replace the original file with it by using the command mv .AnyName.pdf AnyName.pdf. If the file is not found, Linux.BackDoor.FakeFile.1 creates it and opens it in the program gedit.
Then the Trojan checks the name of the installed Linux distribution: if the name is something other than openSUSE, Linux.BackDoor.FakeFile.1 writes a command to the file <HOME>/.profile or the file <HOME>/.bash_profile that will cause the Trojan to launch automatically. It then retrieves the configuration data from its file and decrypts it. After that, the malware program launches two threads: the first shares information with the command and control (C&C) server, and the second monitors the duration of the connection. If the Trojan goes for more than 30 minutes without receiving instructions, the connection is broken.
Linux.BackDoor.FakeFile.1 can execute the following commands:
- Send the C&C server the quantity of messages transferred during the session;
- Send a list of the contents of the specified folder;
- Send the C&C server the specified file or a folder with all its contents;
- Delete a directory;
- Delete a file;
- Rename a folder;
- Remove itself;
- Launch a new copy of a process;
- Close the current session;
- Establish backconnect and run sh;
- Terminate backconnect;
- Open the executable file of the process for writing;
- Close the process file;
- Create a file or folder;
- Write the transmitted values to a file;
- Obtain the names, permissions, sizes, and creation dates of files in the specified directory;
- Set 777 privileges on the specified file;
- Terminate the backdoor’s operation.
