A multipurpose backdoor for Linux. Cybercriminals distribute it the same way as some other Trojans for Linux—by brute-forcing accounts to get access to an attacked system using the SSH protocol. There is a good reason to believe that some members of the Chinese hacker group called ChinaZ took part in the development of this Trojan. The malware is statically linked to all the necessary libraries (including C-ARES and ZLIB).
The Trojan supports the following launch options:
- “-v”—set the mode for debug messages output
- “–front”—if this option is not checked, standard input/output options will be used to forward the data to /dev/null
- “–noinstall”—do not install itself on the system
- “-h”—display the list of available parameters (the “some command : -v --front --noinstall -h” string is displayed)
Once it is launched, Linux.BackDoor.Xnote.1 attempts to block the “/tmp/.wq4sMLArXw” file to verify that the Trojan’s copy is not running. If the copy is running, the Trojan terminates its own work.
If the Trojan has root privileges, its installation can be performed in the system. During the installation, the Trojan creates its copy, saves it in the /bin/iptable6 file, and deletes the original file. Then Linux.BackDoor.Xnote.1 searches the /etc/init.d/ folder for scripts beginning with the “!#/bin/bash” string and adds after this string another one to ensure the backdoor’s launch.
Prior to establishing a connection to the command and control server, the Trojan searches the image of its own executable file for the “XXXXXXXXXXXXXXXX” string, which stands for the beginning of the configuration block. If the string is found, the backdoor decrypts next 0x15A bytes with the key 0x89 using the XOR algorithm. The configuration block contains “address and port” pairs of 5 command and control servers and looks as follows:
#pragma pack(push, 1)
struct st_config
{
_BYTE signature[16]; 'XXXXXXXXXXXXXXXX'
char szCnC1[64];
char szCnC2[64];
char szCnC3[64];
char szCnC4[64];
char szCnC5[64];
_WORD CnC1_port;
_WORD CnC2_port;
_WORD CnC3_port;
_WORD CnC4_port;
_WORD CnC5_port;
_BYTE payload2[16];
};
#pragma pack(pop)
Next, the Trojan starts to send requests to the command and control servers from the list trying to find an operating one or until there are no more servers on the list. Prior to exchanging packages, the Trojan and the command and control server compress the data using the ZLIB library.
The first package the Trojan sends the server is “LoginInfo”. It contains data about the infected system.
#pragma pack(push, 1)
struct st_logininfo
{
_BYTE cmd; // '0x67'
_DWORD dword1; // '0x9C'
_DWORD dword5; // '0x00'
_BYTE byte9[8];
_DWORD dword11; // '0x02'
_BYTE byte15[136];
_DWORD CpuSpeed;
_DWORD sockname;
char hostname[50];
_DWORD dword194; // '0'
_DWORD delay;
_BYTE XNote[50]; //data from '/etc/.Xserver_note' file
_BYTE CfgPayload[16]; //last 16 bytes of config
char szOS[64];
};
#pragma pack(pop)
The Trojan can execute the following commands:
- Get the UUID—infected computer’s unique identifier
- Process the specified files
- Update the Trojan’s executable file
- Launch the command interpreter using specified parameters
- Launch a SYN Flood attack
- Launch a UDP Flood attack
- Launch an HTTP Flood attack
- Launch an NTP Amplification attack
- Terminate a DDoS attack
- Enter the data into the “/etc/.Xserver_note” file
- Start a portmap server
- Start a proxy server
- Remove itself from the system
A child process is created if a command specifies a task to be carried out. This process establishes a separate connection to the command and control server, using which it receives all the necessary configuration data and sends the results of the task execution.
For example, if the Trojan receives a command to process files, it sends cybercriminals the information about the infected computer’s file system (total number of data blocks in the file system, number of spare blocks). Then the malware can perform the following actions:
- List files and directories inside the specified directory
- Send the file size data to the server
- Create a file to store the received data
- Receive a file
- Send a file to the command and control server
- Delete a file
- Delete a directory
- Signal the command and control server that the Trojan is ready to receive a file
- Create a directory
- Rename a file
- Run a file
Moreover, the backdoor can run a shell with the specified environment variables and grant the command and control server access to this shell.
"TERM=linux";
"SHELL=/bin/bash";
"PS1=\\[\\033[1;30m\\][\\[\\033[0;32m\\]\\u\\[\\033[1;32m\\]@\\[\\033[0;32m\\]\\h
\\[\\033[1;37m\\]\\W\\[\\033[1;30m\\]]\\[\\033[0m\\]# ";
"HISTFILE=/dev/null";
"HOME=/tmp";
"PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:./bin:/tmp:/tmp/bin";
In addition, the malware can start a SOCKS proxy on the infected machine or start its own implementation of the portmap server (the following commands can be executed: “Send data”, “Delete created portmap”, “Create portmap”).