Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support

Send a message

Your tickets

Profile

Linux.BackDoor.Hook.1

Added to Dr.Web virus database:2017-11-15
Virus description was added:2017-11-20

SHA1:

  • e43fd0752b8c03ffae628a6b83e2a03944f11f4e

A backdoor for Linux operating systems. It was detected in the libz library. During its operation, the Trojan intercepts calling of the following system functions: __libc_start_main, sscanf, __syslog_chk, fopen, and fgets. It is initialized in __libc_start_main; the main code is located in the sscanf function. It operates only with binary files that ensure data transfers via the SSH protocol. It fails to operate if the launched file name is the same as /usr/sbin/sshds. For external connection, it doesn’t use a currently open socket. Instead it uses the first open socket out of 1,024. After this, the socket is moved to the zero descriptor, and the remaining 1,023 are shut down.

The connection protocol is encrypted using the RC4 algorithm; strings are also encrypted. The backdoor can execute the following commands:

CommandActionArguments
execRun a binary fileFile name
tcpConnect to host:porthost, port
upDownload a fileFile name

News about the Trojan

Curing recommendations


Linux

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2018

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040