A newly observed Linux backdoor Trojan can perform its nefarious activities without root access, by using the privileges of the current user, Doctor Web security researchers have discovered.
Dubbed Linux.BackDoor.FakeFile.1, the malware is being distributed as an archived PDF, Microsoft, or Open Office file, the security researchers say. As soon as it has been launched, the Trojan would save itself to the user’s home directory, in the .gconf/apps/gnome-common/gnome-common folder.
Next, the malware searchers for a hidden file that matches its name, and replaces that file with itself. However, if the malware doesn’t find the hidden file, it creates it and then opens it using gedit, Doctor Web researchers reveal.
“For instance, if an ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan will search for a hidden file under the name .AnyName.pdf and then replace the original file with it by using the command mv .AnyName.pdf AnyName.pdf,” the security researchers note.
The next step is to check the name of the installed Linux distribution, which allows the malware to write a command to the file <HOME>/.profile or the file <HOME>/.bash_profile to launch automatically, but only if it runs on distributions other than openSUSE. Only after this step has been completed the Trojan retrieves the configuration data from its file and decrypts it.
Next, the malicious program launches two threads, one destined to share information with the command and control (C&C) server, while the other meant to monitor the duration of the connection. Thus, if the Trojan doesn’t receive instructions within 30 minutes, the connection is terminated.
Once installed on a compromised system, the backdoor can execute a multitude of commands: send to the C&C server the quantity of messages transferred during the session; send a list with the contents of the specified folder; send a specified file or a folder with all its contents; delete a directory; delete a file; rename a folder; remove itself; launch a new copy of a process; and close the current session.
Other operations supported by the malware include: establish backconnect and run sh; terminate backconnect; open the executable file of the process for writing; close the process file; create a file or folder; write the transmitted values to a file; obtain the names, permissions, sizes, and creation dates of files in the specified directory; set 777 privileges on the specified file. The backdoor can also terminate its own operation upon command.
Related: Fysbis Backdoor Preferred by Pawn Storm Group to Target Linux
Related: Multipurpose “Xunpes” Trojan Targeting Linux Systems