A new backdoor for broad spectrum Linux

Security researchers from Doctor Web, an antivirus company, examined a complex, multi-purpose backdoor for Linux. This malicious program can execute numerous commands from cybercriminals, such as performing DDoS attacks, as well as a wide range of other malicious tasks.

To spread the new Linux backdoor, called Linux.BackDoor.Xnote.1, the criminals run a brute-force attack to establish an SSH connection to the target machine. Doctor Web security analysts believe the Chinese ChinaZ hacker group is behind it.

When Linux.BackDoor.Xnote.1 gets onto the machine, it checks whether a copy of it is already running on the infected system. If so, the backdoor aborts its installation. The malicious program installs itself on the system only when it has been run with root privileges. During installation, it creates a copy of itself in the /bin/ directory as a file named iptable6 and then deletes the original file that was used to launch it. Linux.BackDoor.Xnote.1 also searches /etc/init.d/ for a script that starts with the line "#!/bin/bash" and appends another line to it so that the backdoor is started automatically.
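The two persistence artifacts described above (a copy at /bin/iptable6 and an extra line appended to a bash-based /etc/init.d script) are concrete enough to hunt for on a host. The script below is an added example written for this page, not Doctor Web's code or a Dr.Web tool. It assumes a `root` parameter so it can be pointed at a staged directory tree instead of the live filesystem, and it assumes that the appended autostart line mentions the file name iptable6 (the write-up does not quote the exact line); the sample tree it builds is constructed for the demonstration.

```python
"""Hunt for the persistence artifacts attributed to Linux.BackDoor.Xnote.1.

Added example, not Doctor Web's code. Indicators taken from the write-up:
  1. a copy of the backdoor dropped at /bin/iptable6
  2. an /etc/init.d script that begins with "#!/bin/bash" and has gained an
     extra line launching the backdoor
The `root` parameter is an assumption made for offline testing; pass "/" to
examine the live system.
"""
import os
import re
import tempfile
from typing import Dict, List

DROPPED_FILE = os.path.join("bin", "iptable6")   # copy of the backdoor (from the write-up)
INIT_DIR = os.path.join("etc", "init.d")          # where the autostart line is appended
BASH_SHEBANG = re.compile(r"^#!\s*/bin/bash\s*$")
# Assumption: the appended autostart line names the dropped file.
LAUNCH_PATTERN = re.compile(r"\biptable6\b")


def check_dropped_file(root: str = "/") -> Dict[str, object]:
    """Report whether the dropped copy exists under root."""
    path = os.path.join(root, DROPPED_FILE)
    return {"path": path, "present": os.path.isfile(path)}


def scan_init_scripts(root: str = "/") -> List[Dict[str, object]]:
    """Return every line of a bash init script that references the dropped file."""
    findings: List[Dict[str, object]] = []
    init_dir = os.path.join(root, INIT_DIR)
    if not os.path.isdir(init_dir):
        return findings
    for name in sorted(os.listdir(init_dir)):
        path = os.path.join(init_dir, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "r", errors="replace") as fh:
                lines = fh.read().splitlines()
        except OSError:
            continue
        # The write-up says only scripts starting with "#!/bin/bash" are modified.
        if not lines or not BASH_SHEBANG.match(lines[0]):
            continue
        for lineno, line in enumerate(lines, start=1):
            if LAUNCH_PATTERN.search(line):
                findings.append({"script": path, "line": lineno, "text": line.strip()})
    return findings


def hunt(root: str = "/") -> Dict[str, object]:
    """Combine both checks into one verdict plus the supporting evidence."""
    dropped = check_dropped_file(root)
    scripts = scan_init_scripts(root)
    return {
        "dropped_file": dropped,
        "init_findings": scripts,
        "suspicious": dropped["present"] or bool(scripts),
    }


def build_sample_tree() -> str:
    """Constructed sample: a staged tree mimicking an infected host, for offline testing."""
    root = tempfile.mkdtemp(prefix="xnote-hunt-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, INIT_DIR))
    with open(os.path.join(root, DROPPED_FILE), "wb") as fh:
        fh.write(b"\x7fELF constructed placeholder, not a real binary\n")
    with open(os.path.join(root, INIT_DIR, "networking"), "w") as fh:
        # bash script with an appended line naming the dropped file
        fh.write("#!/bin/bash\n# constructed sample init script\nstart_network\n/bin/iptable6\n")
    with open(os.path.join(root, INIT_DIR, "cron"), "w") as fh:
        # not a bash script, so per the write-up it would be left untouched
        fh.write("#!/bin/sh\n# constructed sample, sh not bash\nstart_cron\n")
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(hunt("/"), indent=2))
```

Run it as root on a suspect host to check the live filesystem, or call `hunt(build_sample_tree())` to see the expected output shape. A hit on the init script check is the stronger signal: the dropped file can be renamed by a future variant, but the write-up ties the autostart behaviour specifically to bash init scripts.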

The program uses the following procedure to exchange data with the C2 server. To obtain its configuration, it looks for a special marker in its own code that points to the beginning of an encrypted configuration block, decrypts the block, and then sends requests to the servers on its list in turn until one of them responds to the query or the list is exhausted. Both the backdoor and the server use the zlib library to compress the packets they exchange.

First, Linux.BackDoor.Xnote.1 sends information about the infected system to the server. It then goes into standby mode and waits for further instructions. If a command involves performing a task, the backdoor creates a separate process that establishes its own connection to the server, obtains the configuration data it needs and sends back the results of the completed task. On receiving the corresponding command, Linux.BackDoor.Xnote.1 can assign a unique ID to the infected machine, start a DDoS attack on a remote host with a given address (it can launch SYN flood, UDP flood, HTTP flood and NTP amplification attacks), stop the attack, update its own executable file, write data into a file, or delete itself from the system. The backdoor can also perform many file operations. On receiving the appropriate command, Linux.BackDoor.Xnote.1 sends information about the infected computer's file system (the total number of data blocks in the file system and the number of free blocks) to the server and waits for further commands, which may include:

  • Listing the files and directories inside a specified directory.
  • Sending directory size data to the server.
  • Creating a file into which received data is written.
  • Receiving a file.
  • Sending a file to the management server (C&C).
  • Deleting a file.
  • Deleting a directory.
  • Signalling to the server that a file is ready.
  • Creating a directory.
  • Renaming a file.
  • Executing a file.

In addition, the backdoor can run a shell process with specific environment variables and give the C&C server access to that shell, run a SOCKS proxy on the infected computer, or run its own implementation of a portmap server. The signature of this malicious program has been added to the Dr.Web virus database, so systems protected by Dr.Web Anti-Hacker for Linux are not exposed to the new backdoor.

source: Dr. Web, FireEye
