A new multi-purpose Linux Trojan that opens a backdoor on the target machine and can make it participate in DDoS attacks has been discovered and analyzed by Dr. Web researchers, who believe that the Chinese hacker group ChinaZ might be behind it.
The malware, dubbed Xnote, gets delivered on the target computer after the attackers mount a successful brute force attack and establish an SSL connection with the machine.
The Trojan first checks whether a copy of the same malware is already running on the machine. If one is, the newcomer yields the floor and exits.
Xnote tries to hide by making a copy of itself and deleting the original launch file, and ensures its persistence by adding a script that launches it automatically each time the machine is rebooted.
The backdoor contains a list of control servers within its body, and tries to contact them one by one. Once a connection to one of the servers is established, information is exchanged between them in compressed packets.
“First, Linux.BackDoor.Xnote.1 sends information about the infected system to the server. It then goes into standby mode and awaits further instructions. If the command involves carrying out some task, the backdoor creates a separate process that establishes its own connection to the server through which it gets all the necessary configuration data and sends the results of the executed task,” the researchers explained.
“Thus, when commanded to do so, Linux.BackDoor.Xnote.1 can assign a unique ID to an infected machine, start a DDoS attack on a remote host with a specific address (it can mount SYN Flood, UDP Flood, HTTP Flood and NTP Amplification attacks), stop an attack, update its executable, write data to a file, or remove itself.”
The malware can also create, rename, run and delete files, as well as accept additional files from the C&C server. It can create and delete directories, list the files and directories inside a specified directory, and send directory size data to the server.
“In addition, the backdoor can run a shell with the specified environment variables and grant the C&C server access to the shell, start a SOCKS proxy on an infected computer, or start its own implementation of the portmap server,” the researchers noted.
It’s also worth knowing that Xnote installs itself on a target machine only if it has been launched with root privileges.