Xnote, a new multi-purpose backdoor Linux trojan authored by ChinaZ, converts Linux systems into botnets

The researchers have named the malware Xnote and believe it to be authored, or at least operated, by a Chinese hacker group called ChinaZ. They note that Xnote is delivered to the target computer through a brute force attack; once the brute force succeeds, the malware establishes an SSL connection from the machine for further communication with the command and control server. Once installed on the Linux machine, the trojan checks for a copy of itself already running there. If it finds an existing copy, it quietly exits and leaves its predecessor to continue its illicit work.

The working

The malware installs itself only if it has been launched with superuser (root) privileges. During installation, it creates a copy of itself in the /bin/ directory under the name iptable6 and then tries to hide itself by deleting the original launch file. Linux.BackDoor.Xnote.1 also searches the /etc/init.d/ directory for a script that starts with the line “#!/bin/bash” and adds another line to it so that the backdoor is launched automatically each time the machine is rebooted.

The trojan then obtains its configuration data by looking for special strings that mark the beginning of the encrypted configuration block, decrypts it, and queries the control servers on the list embedded in its body one by one until it finds a responding server or the list is exhausted. Once a connection to one of the servers is established, information is exchanged in compressed packets; both the backdoor and the server use the zlib library to compress the packets they exchange.

The vicious nature of the malware can be seen in what it can do on command: it can create, rename, run and delete files, accept additional files from the C&C server, create and delete directories, list the files and directories inside a specified directory, and send directory size data to the server. “Thus, when commanded to do so, Linux.BackDoor.Xnote.1 can assign a unique ID to an infected machine, start a DDoS attack on a remote host with a specific address (it can mount SYN Flood, UDP Flood, HTTP Flood and NTP Amplification attacks), stop an attack, update its executable, write data to a file, or remove itself.” The only saving grace for Linux users is that it will not launch itself if it does not have root privileges on the target PC.

Source: Dr.Web
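The two file-system indicators described above (the dropped copy at /bin/iptable6 and an /etc/init.d script that begins with “#!/bin/bash” and has gained an extra launch line) lend themselves to a simple host check. The script below is an added example written for this page; it is not Dr.Web's code and not the malware's. It assumes that the line appended to the init script references the /bin/iptable6 path (the report only says “another line” is added, so the marker is an assumption), and it builds a fake root directory with constructed sample files so it can be run offline against the real root later by changing the argument to `check_host`.

```python
"""Host-level check for the Xnote persistence indicators described in the article.

Added example, not Dr.Web's or the malware's code. Assumptions:
  - the dropped binary lives at /bin/iptable6 (path taken from the report);
  - the line added to an /etc/init.d script references that path
    (assumption: the report does not quote the added line).
"""
import tempfile
from pathlib import Path

DROPPED_BINARY = "/bin/iptable6"   # path named in the report
SHEBANG = "#!/bin/bash"            # the backdoor only modifies scripts starting with this line


def scan_init_scripts(initd_dir, marker=DROPPED_BINARY):
    """Return (script name, line number, line) for each script in initd_dir that
    starts with the bash shebang and contains a non-comment line mentioning the
    dropped binary path (the assumed marker of the added launch line)."""
    hits = []
    for path in sorted(Path(initd_dir).iterdir()):
        if not path.is_file():
            continue
        try:
            lines = path.read_text(errors="replace").splitlines()
        except OSError:
            continue
        if not lines or lines[0].strip() != SHEBANG:
            continue                       # not a script the backdoor would touch
        for lineno, line in enumerate(lines[1:], start=2):
            stripped = line.strip()
            if stripped.startswith("#"):
                continue                   # a comment cannot launch anything
            if marker in stripped:
                hits.append((path.name, lineno, stripped))
                break                      # one finding per script is enough
    return hits


def check_host(root="/"):
    """Collect both indicators from the report under the given root directory."""
    root = Path(root)
    initd = root / "etc" / "init.d"
    return {
        "dropped_binary_present": (root / DROPPED_BINARY.lstrip("/")).exists(),
        "modified_init_scripts": scan_init_scripts(initd) if initd.is_dir() else [],
    }


def build_sample_root():
    """Constructed sample data: a fake root with the dropped binary, one clean
    bash init script, one tampered bash init script, and one /bin/sh script that
    mentions the path but would not be modified by the backdoor."""
    root = Path(tempfile.mkdtemp(prefix="xnote_demo_"))
    (root / "bin").mkdir()
    (root / "bin" / "iptable6").write_bytes(b"\x7fELF placeholder (constructed)")
    initd = root / "etc" / "init.d"
    initd.mkdir(parents=True)
    (initd / "clean").write_text("#!/bin/bash\n# ordinary service script\nexit 0\n")
    (initd / "tampered").write_text("#!/bin/bash\n/bin/iptable6 &\n# original content\nexit 0\n")
    (initd / "shscript").write_text("#!/bin/sh\n/bin/iptable6\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_root()
    for key, value in check_host(demo_root).items():
        print(f"{key}: {value}")
```

Running it against the constructed root reports the binary as present and lists only the `tampered` script (line 2); the `/bin/sh` script is skipped because the report says the backdoor only alters scripts whose first line is “#!/bin/bash”. Point `check_host("/")` at a live system to run the same check there.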