Security firms continue to observe an increasing number of malware specifically designed to target Linux-based systems.
Linux, like any other Operating System, could be infected by malicious codes designed to compromise the hosts and gain the control over them.
Linux architectures are everywhere; it is quite easy for crooks to find vulnerable Linux servers exposed on the Internet or poorly designed Internet of Things devices that are not properly configured or protected.
It is normal for cyber criminals focus their efforts on hacking Linux systems too. Linux malware is a natural evolution of the threat landscape because the Linux OS is preferred platform within data centers, cloud infrastructure for businesses, and application servers.
Linux is also the core of Android devices and many other embedded systems.
The last malware observed in the wild is Linux.BackDoor.FakeFile.1, it was spotted by experts at security firm DrWeb.
The Linux.BackDoor.FakeFile.1 Trojan spreads through PDF, Microsoft, or Open Office documents.
When the victims launch trigger the execution of the malware, it saves itself to the folder .gconf/apps/gnome-common/gnome-common in the user’s home directory.
Then the Linux.BackDoor.FakeFile.1 search for a hidden file, whose name matches the file name of the malware, and replaces the executable file with its code.
“For instance, if an ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan will search for a hidden file under the name .AnyName.pdf and then replace the original file with it by using the command mv .AnyName.pdf AnyName.pdf. If the file is not found, Linux.BackDoor.FakeFile.1 creates it and opens it in the program gedit.” reads the analysis published by DrWeb.
The malware checks the installed Linux distribution, for every distro that is not the openSUSE, it writes a command to the file <HOME>/.profile or the file <HOME>/.bash_profile to gain persistence. The next step it the retrieving of the configuration data from its file and its decryption, then the Trojan launches the following threads:
Below the complete list of the Linux.BackDoor.FakeFile.1 abilities:
The researchers from DrWeb highlighted that the Linux.BackDoor.FakeFile.1 does not require root privileges to work, it operates with the current user rights.
Technical details of this Linux backdoor are available here.
(Security Affairs – Linux Backdoor, malware)