Security researchers at Dr.Web have discovered a new multi-purpose Linux Trojan that opens a backdoor on the target Linux machine and turns it into a bot. The zombie Linux PC, or an entire network of them, is then made to participate in DDoS attacks as directed by the trojan's handlers/authors.
The researchers have named the malware Xnote and believe it was authored, or at least operated, by a Chinese hacker group called ChinaZ.
The researchers note that Xnote is delivered to the target computer through a brute-force attack; once the brute force succeeds, the malware establishes an SSL connection for further communications with the command-and-control (C&C) server.
Once installed on the Linux machine, the trojan checks for a copy of itself on the machine. If it finds an existing copy already running, it quietly exits and leaves the predecessor to continue its illicit work.
The malware will only install itself on a system if it has been launched with superuser (root) privileges. During installation, the malware creates a copy of itself in the /bin/ directory as a file called iptable6. The malware then tries to hide itself by deleting the original launch file.
Linux.BackDoor.Xnote.1 also searches the /etc/init.d/ directory for a script that starts with the line “#!/bin/bash” and adds another line to it so that the backdoor will be launched automatically.
The trojan then obtains configuration data by looking for special strings that point to the beginning of the encrypted configuration block, then decrypts it and starts sending queries to control servers on the list until it finds a responding server or until the list ends. Both the backdoor and the server use the library zlib to compress the packets they exchange.
It also adds a script that will launch it automatically each time after the machine is rebooted.
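The two persistence artefacts described above (the dropped /bin/iptable6 copy and an appended launch line in a bash init script) are the things a defender can check for directly. The following is an added example, not code from Dr.Web or from the article; it assumes that the line the backdoor appends to an /etc/init.d script names the dropped binary "iptable6" (the write-up does not show the exact line), and it takes a root directory parameter so the same check can be run against a mounted disk image or, as in `demo()`, against a constructed sample tree.

```python
"""Hunt for the persistence artefacts attributed to Linux.BackDoor.Xnote.1:
a copy of the backdoor dropped as /bin/iptable6 and a launch line appended to
a bash script under /etc/init.d/.

Assumption (not from the write-up): the appended launch line references the
dropped binary by name, so any line mentioning "iptable6" in such a script is
flagged.  The `root` parameter lets the check run on a mounted image or on a
constructed test tree instead of the live filesystem.
"""
import os
import re
import tempfile
from typing import Dict, List

DROPPED_BINARY = "iptable6"                 # file name given in the write-up
DROPPED_PATH = os.path.join("bin", DROPPED_BINARY)
INIT_DIR = os.path.join("etc", "init.d")
BASH_SHEBANG = "#!/bin/bash"                # the header the backdoor looks for
LAUNCH_RE = re.compile(r"\biptable6\b")     # assumption: launch line names the binary


def find_dropped_binary(root: str = "/") -> List[str]:
    """Return [path] if <root>/bin/iptable6 exists as a regular file, else []."""
    path = os.path.join(root, DROPPED_PATH)
    return [path] if os.path.isfile(path) else []


def find_tampered_init_scripts(root: str = "/") -> Dict[str, List[str]]:
    """Map each bash init script that references iptable6 to its offending lines."""
    hits: Dict[str, List[str]] = {}
    init_dir = os.path.join(root, INIT_DIR)
    if not os.path.isdir(init_dir):
        return hits
    for name in sorted(os.listdir(init_dir)):
        path = os.path.join(init_dir, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                lines = fh.read().splitlines()
        except OSError:
            continue
        # The backdoor only edits scripts whose first line is the bash shebang,
        # so other interpreters are skipped to keep the check focused.
        if not lines or lines[0].strip() != BASH_SHEBANG:
            continue
        suspicious = [ln for ln in lines[1:] if LAUNCH_RE.search(ln)]
        if suspicious:
            hits[path] = suspicious
    return hits


def scan(root: str = "/") -> Dict[str, object]:
    """Run both checks; 'infected' is True if either artefact is present."""
    binary = find_dropped_binary(root)
    scripts = find_tampered_init_scripts(root)
    return {
        "dropped_binary": binary,
        "tampered_init_scripts": scripts,
        "infected": bool(binary or scripts),
    }


def demo() -> Dict[str, object]:
    """Build a constructed sample tree (not a real infection) and scan it."""
    root = tempfile.mkdtemp(prefix="xnote-demo-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, INIT_DIR))
    with open(os.path.join(root, DROPPED_PATH), "w") as fh:
        fh.write("constructed placeholder, not a real binary\n")
    # Constructed bash script with an appended launch line (the assumed form).
    with open(os.path.join(root, INIT_DIR, "networking"), "w") as fh:
        fh.write("#!/bin/bash\n# constructed sample\n/bin/iptable6 &\n")
    # Constructed /bin/sh script: same line, but not a bash script, so ignored.
    with open(os.path.join(root, INIT_DIR, "shonly"), "w") as fh:
        fh.write("#!/bin/sh\n/bin/iptable6 &\n")
    return scan(root)


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    print(json.dumps(scan(target), indent=2))
```

Run it as `python3 xnote_check.py /` on a live host or `python3 xnote_check.py /mnt/image` against a mounted root filesystem; an empty result on a clean host is expected, since no standard distribution ships a binary named iptable6 (the legitimate tools are iptables and ip6tables).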
The backdoor contains a list of control servers within its body, and tries to contact them one by one. Once a connection to one of the servers is established, information is exchanged between them in compressed packets.
“First, Linux.BackDoor.Xnote.1 sends information about the infected system to the server. It then goes into standby mode and awaits further instructions. If the command involves carrying out some task, the backdoor creates a separate process that establishes its own connection to the server through which it gets all the necessary configuration data and sends the results of the executed task,” Dr.Web researchers explained.
“Thus, when commanded to do so, Linux.BackDoor.Xnote.1 can assign a unique ID to an infected machine, start a DDoS attack on a remote host with a specific address (it can mount SYN Flood, UDP Flood, HTTP Flood and NTP Amplification attacks), stop an attack, update its executable, write data to a file, or remove itself.”
The vicious nature of the malware can be noted from the fact that it can create, rename, run, delete files as well as accept additional files from the C&C server at its own accord. It can also create and delete directories, create a list of files and directories inside specified directory, and send directory size data to the server.
“In addition, the backdoor can run a shell with the specified environment variables and grant the C&C server access to the shell, start a SOCKS proxy on an infected computer, or start its own implementation of the portmap server,” the researchers noted.
The only saving grace for Linux users is that it will not launch itself if it does not have root privileges on the target PC.
Source: Dr.Web