Linux.BackDoor.FakeFile.1, a new Linux backdoor in the wild

Security researchers at the security firm Doctor Web have spotted a new Linux backdoor dubbed Linux.BackDoor.FakeFile.1 in the wild.

Security firms continue to observe an increasing number of malware specifically designed to target Linux-based systems.

Linux, like any other Operating System, could be infected by malicious codes designed to compromise the hosts and gain the control over them.

Linux architectures are everywhere; it is quite easy for crooks to find vulnerable Linux servers exposed on the Internet or poorly designed Internet of Things devices that are not properly configured or protected.

It is normal for cyber criminals focus their efforts on hacking Linux systems too. Linux malware is a natural evolution of the threat landscape because the Linux OS is preferred platform within data centers, cloud infrastructure for businesses, and application servers.

Linux is also the core of Android devices and many other embedded systems.

The last malware observed in the wild is Linux.BackDoor.FakeFile.1, it was spotted by experts at security firm DrWeb.

The Linux.BackDoor.FakeFile.1 Trojan spreads through PDF, Microsoft, or Open Office documents.

When the victims launch trigger the execution of the malware, it saves itself to the folder .gconf/apps/gnome-common/gnome-common in the user’s home directory.

Then the Linux.BackDoor.FakeFile.1 search for a hidden file, whose name matches the file name of the malware, and replaces the executable file with its code.

“For instance, if an ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan will search for a hidden file under the name .AnyName.pdf and then replace the original file with it by using the command mv .AnyName.pdf AnyName.pdf. If the file is not found, Linux.BackDoor.FakeFile.1 creates it and opens it in the program gedit.” reads the analysis published by DrWeb.