Linux.BackDoor.FakeFile.1, a new Linux backdoor in the wild

Pierluigi Paganini October 23, 2016

Security researchers at the security firm Doctor Web have spotted a new Linux backdoor dubbed Linux.BackDoor.FakeFile.1 in the wild.

Security firms continue to observe an increasing number of malware specifically designed to target Linux-based systems.

Linux, like any other Operating System, could be infected by malicious codes designed to compromise the hosts and gain the control over them.

Linux architectures are everywhere; it is quite easy for crooks to find vulnerable Linux servers exposed on the Internet or poorly designed Internet of Things devices that are not properly configured or protected.

It is normal for cyber criminals focus their efforts on hacking Linux systems too. Linux malware is a natural evolution of the threat landscape because the Linux OS is preferred platform within data centers, cloud infrastructure for businesses, and application servers.

Linux is also the core of Android devices and many other embedded systems.

The last malware observed in the wild is Linux.BackDoor.FakeFile.1, it was spotted by experts at security firm DrWeb.

The Linux.BackDoor.FakeFile.1 Trojan spreads through PDF, Microsoft, or Open Office documents.

When the victims launch trigger the execution of the malware, it saves itself to the folder .gconf/apps/gnome-common/gnome-common in the user’s home directory.

Then the Linux.BackDoor.FakeFile.1 search for a hidden file, whose name matches the file name of the malware, and replaces the executable file with its code.

“For instance, if an ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan will search for a hidden file under the name .AnyName.pdf and then replace the original file with it by using the command mv .AnyName.pdf AnyName.pdf. If the file is not found, Linux.BackDoor.FakeFile.1 creates it and opens it in the program gedit.” reads the analysis published by DrWeb.

linux backdoor Linux.BackDoor.FakeFile.1

The malware checks the installed Linux distribution, for every distro that is not the openSUSE, it writes a command to the file <HOME>/.profile or the file <HOME>/.bash_profile to gain persistence. The next step it the retrieving of the configuration data from its file and its decryption, then the Trojan launches the following threads:

  • A first thread shares communicate with the command and control (C&C) server.
  • A second thread monitors the duration of the connection that will be shut down after 30 minutes without activity.

Below the complete list of the Linux.BackDoor.FakeFile.1 abilities:

  • Send the C&C server the quantity of messages transferred during the session;
  • Send a list of the contents of the specified folder;
  • Send the C&C server the specified file or a folder with all its contents;
  • Delete a directory;
  • Delete a file;
  • Rename a folder;
  • Remove itself;
  • Launch a new copy of a process;
  • Close the current session;
  • Establish backconnect and run sh;
  • Terminate backconnect;
  • Open the executable file of the process for writing;
  • Close the process file;
  • Create a file or folder;
  • Write the transmitted values to a file;
  • Obtain the names, permissions, sizes, and creation dates of files in the specified directory;
  • Set 777 privileges on the specified file;
  • Terminate the backdoor’s operation.

The researchers from DrWeb highlighted that the Linux.BackDoor.FakeFile.1 does not require root privileges to work, it operates with the current user rights.

Technical details of this Linux backdoor are available here.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Linux Backdoor, malware)

you might also like

leave a comment