Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.



June 26, 2013
June 27, 2013
Infection Length:
15,472 bytes
Systems Affected:
Linux.Apaback is a Trojan horse that modifies network traffic and opens a back door on the compromised computer.

Antivirus Protection Dates

  • Initial Rapid Release version June 26, 2013 revision 007
  • Latest Rapid Release version June 26, 2013 revision 007
  • Initial Daily Certified version June 26, 2013 revision 017
  • Latest Daily Certified version June 26, 2013 revision 017
  • Initial Weekly Certified release date July 03, 2013
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
When the Trojan is executed, it attempts to replace a filter module for the Apache HTTP Server version 2.2 on Linux with its own code.

Once the threat is loaded, it performs the following actions:
  • Monitors HTTP requests from remote computers
  • Modifies outgoing traffic from compromised the HTTP server to remote computers
  • Checks for specific search engines to make sure that the malicious component of the Web page is not sent to them

The Trojan may also open a back door and allow a remote attacker to gain access to the compromised computer.
The following instructions pertain to Symantec AntiVirus for Linux.
  1. Update the virus definitions.
  2. Run a full system scan.

1. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions. For Symantec AntiVirus for Linux, LiveUpdate definitions are updated daily.
  • Downloading the definitions using Intelligent Updater. The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them.

2. To run a full system scan

To run a full system scan in Linux, open a command line and type the following:

sav manualscan --scan /

If any files are detected, follow the instructions displayed by your antivirus program.
Writeup By: Dumitru Stama