Xnote, a new multi-purpose Linux backdoor trojan authored by ChinaZ, converts Linux systems into botnets
Security researchers at Dr.Web have discovered a new multi-purpose Linux Trojan that opens a backdoor on the target Linux machine and turns it into a bot. The zombie Linux PC, or an entire network of them, is then made to participate in DDoS attacks as directed by the trojan's handlers.
The researchers have named the malware Xnote and believe it to be authored, or at least handled, by a Chinese hacker group called ChinaZ.
The researchers note that Xnote is delivered to the target computer through a brute force attack; once the brute force succeeds, the malware establishes an SSL connection from the machine for further communications with the Command and Control server.
Once installed on the Linux machine, the trojan checks for a copy of itself on the machine. If it finds an existing copy already running, it quietly exits and leaves its predecessor to continue the illicit work.
Security researchers with Russian anti-virus company Doctor Web have examined a complex, multi-purpose backdoor for Linux. This malicious program can execute various commands issued by intruders such as to mount DDoS attacks and to perform a wide range of other malicious tasks.
To spread the new Linux backdoor, dubbed Linux.BackDoor.Xnote.1, criminals mount a brute force attack to establish an SSL connection with a target machine. Doctor Web security researchers believe that the Chinese hacker group ChinaZ may be behind this backdoor.
Once Linux.BackDoor.Xnote.1 gets in, it checks to see whether its copy is already running in the infected system. If it is, the backdoor exits. The malware will only be installed in a system if it has been launched with superuser (root) privileges. During installation, the malware creates a copy of itself in the /bin/ directory in the form of a file called iptable6. It then deletes the original file that was used to launch it. Linux.BackDoor.Xnote.1 also searches the /etc/init.d/ directory for a script that starts with the line "#!/bin/bash" and adds another line to it so that the backdoor will be launched automatically.
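A defender-side check for the two persistence artifacts the advisory describes, added here as an example; it is not Dr.Web's tooling. The file name iptable6 and the "#!/bin/bash" shebang come from the advisory. That the appended autostart line names the dropped binary is my assumption, and the bin and init.d paths are parameters so the check runs against a constructed sample tree rather than a live host:

```python
"""Scan for the persistence artifacts attributed to Linux.BackDoor.Xnote.1:
a dropped /bin/iptable6 binary and an /etc/init.d script that opens with
"#!/bin/bash" and has had a launcher line appended to it.
Example code added for this article, not Dr.Web's tooling."""
import tempfile
from pathlib import Path

DROPPED_NAME = "iptable6"        # binary name reported in the advisory
TARGET_SHEBANG = "#!/bin/bash"   # advisory: only scripts opening with this line are modified


def scan_init_scripts(initd: Path, dropped_name: str = DROPPED_NAME) -> list:
    """Return one finding per init-script line that names the dropped binary.

    Assumption (mine): the appended autostart line references the binary by name.
    Scripts with a different shebang are still reported, but flagged as outside
    the profile the advisory gives, so the analyst can weigh them separately."""
    findings = []
    if not initd.is_dir():
        return findings
    for script in sorted(initd.iterdir()):
        if not script.is_file():
            continue
        try:
            lines = script.read_text(errors="replace").splitlines()
        except OSError:
            continue
        shebang_ok = bool(lines) and lines[0].strip() == TARGET_SHEBANG
        for lineno, line in enumerate(lines, start=1):
            if dropped_name in line:
                findings.append({
                    "script": script.name,
                    "line": lineno,
                    "text": line.strip(),
                    "matches_advisory_profile": shebang_ok,
                })
    return findings


def scan_host(bin_dir: Path, initd: Path) -> dict:
    """Combine the dropped-binary check with the init-script scan."""
    dropped = bin_dir / DROPPED_NAME
    return {
        "dropped_binary": str(dropped) if dropped.is_file() else None,
        "tampered_scripts": scan_init_scripts(initd),
    }


def build_sample_tree(root: Path) -> tuple:
    """Constructed sample data for a dry run; this is not a real infection."""
    bin_dir = root / "bin"
    initd = root / "etc" / "init.d"
    bin_dir.mkdir(parents=True)
    initd.mkdir(parents=True)
    (bin_dir / DROPPED_NAME).write_bytes(b"\x7fELF-placeholder")
    (initd / "cron").write_text("#!/bin/bash\n# clean service script\nstart() { :; }\n")
    (initd / "networking").write_text(
        "#!/bin/bash\n# service script with an appended launcher\nstart() { :; }\n/bin/iptable6 &\n")
    (initd / "rsyslog").write_text(
        "#!/bin/sh\n# sh script, outside the advisory's bash-only profile\n/bin/iptable6 &\n")
    return bin_dir, initd


def run_demo() -> dict:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir, initd = build_sample_tree(Path(tmp))
        return scan_host(bin_dir, initd)


if __name__ == "__main__":
    # On a real host you would call scan_host(Path("/bin"), Path("/etc/init.d")).
    for key, value in run_demo().items():
        print(key, "->", value)
```

The scan reports the dropped binary, the bash script with the appended line, and the sh script as a lower-confidence hit; the clean script produces nothing. Matching on the binary name rather than on a hash keeps the check useful if the dropper is rebuilt, at the cost of the occasional false positive on an administrator's own reference to that name.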
The program uses the following routine to exchange data with the intruders' control server. To obtain its configuration, the backdoor looks for a special marker string in its own body that points to the beginning of the encrypted configuration block; it decrypts that block and then queries the control servers on the resulting list in turn until one responds or the list is exhausted. Both the backdoor and the server use the zlib library to compress the packets they exchange.
First, Linux.BackDoor.Xnote.1 sends information about the infected system to the server. It then goes into standby mode and awaits further instructions. If the command involves carrying out some task, the backdoor creates a separate process that establishes its own connection to the server through which it gets all the necessary configuration data and sends the results of the executed task.
Thus, when commanded to do so, Linux.BackDoor.Xnote.1 can assign a unique ID to an infected machine, start a DDoS attack on a remote host with a specific address (it can mount SYN Flood, UDP Flood, HTTP Flood and NTP Amplification attacks), stop an attack, update its executable, write data to a file, or remove itself. The backdoor can also perform a number of actions with files. Having received the appropriate command, Linux.BackDoor.Xnote.1 sends information about the file system of the infected computer (the total number of data blocks in the file system and the number of free blocks) to the server and stands by for further directives, which can include:
- List files and directories inside the specified directory.
- Send directory size data to the server.
- Create a file in which received data can be stored.
- Accept a file.
- Send a file to the command and control (C&C) server.
- Delete a file.
- Delete a directory.
- Signal the server that it is ready to accept a file.
- Create a directory.
- Rename a file.
- Run a file.