Перейти к содержимому

- - - - -

Doctor Web examines new backdoor for Linux

  • Please log in to reply
Нет ответов в данной теме

#1 Mr.Pr



  • Posters
  • 251 Сообщений:

Отправлено 24 Октябрь 2016 - 21:20

October 20, 2016


Most backdoor Trojans are created for Microsoft Windows; however, a few of them can infect Linux devices. This rare type of Trojan was investigated by Doctor Web’s specialists in October 2016.


The Trojan, dubbed Linux.BackDoor.FakeFile.1, is apparently distributed as an archived PDF, Microsoft, or Open Office file.


Once launched, the Trojan saves itself to the folder .gconf/apps/gnome-common/gnome-common, located in the user’s home directory. It then searches for a hidden file, whose name matches the file name of the Trojan, and replaces the executable file with it. For instance, if an ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan will search for a hidden file under the name .AnyName.pdf and then replace the original file with it by using the command mv .AnyName.pdf AnyName.pdf. If the file is not found, Linux.BackDoor.FakeFile.1 creates it and opens it in the program gedit.


Then the Trojan checks the name of the installed Linux distribution: if the name is something other than openSUSE, Linux.BackDoor.FakeFile.1 writes a command to the file <HOME>/.profile or the file <HOME>/.bash_profile that will cause the Trojan to launch automatically. It then retrieves the configuration data from its file and decrypts it. After that, the malware program launches two threads: the first shares information with the command and control (C&C) server, and the second monitors the duration of the connection. If the Trojan goes for more than 30 minutes without receiving instructions, the connection is broken.


Linux.BackDoor.FakeFile.1 can execute the following commands:

  • Send the C&C server the quantity of messages transferred during the session;
  • Send a list of the contents of the specified folder;
  • Send the C&C server the specified file or a folder with all its contents;
  • Delete a directory;
  • Delete a file;
  • Rename a folder;
  • Remove itself;
  • Launch a new copy of a process;
  • Close the current session;
  • Establish backconnect and run sh;
  • Terminate backconnect;
  • Open the executable file of the process for writing;
  • Close the process file;
  • Create a file or folder;
  • Write the transmitted values to a file;
  • Obtain the names, permissions, sizes, and creation dates of files in the specified directory;
  • Set 777 privileges on the specified file;
  • Terminate the backdoor’s operation.

Linux.BackDoor.FakeFile.1 does not require root privileges to operate—it can execute its malicious functions using the rights of the current user account from which it was launched. The signature for the Trojan is already in the Dr.Web for Linux database, and it is successfully detected and removed by Doctor Web anti-virus products.


More about this Trojan



Source: Click Here!

Сообщение было изменено Mr.Pr: 24 Октябрь 2016 - 21:20

“The security industry in that case becomes bullshit, because people believe in those products and use them in their corporate environments without understanding that those products are just following others,”  - Boris Sharov


DrWeb Gallery for your Avatars: Click

My Telegram ID: @MrlPr


Best Regards,


Читают тему: 1

0 пользователей, 1 гостей, 0 скрытых