New Trojan Attacks Linux Servers
The Xnote trojan hides itself on the target system and will launch a variety of attacks on command.
The Dr. Web security group has announced the discovery of a multipurpose trojan that targets Linux server systems. The trojan, which is known as Xnote, is designed to implement several botnet-style attacks. Xnote does not break into a system by itself but is, instead, delivered to the victim’s computer after the attackers have already established a root SSL connection by other means.
Once in place, Xnote takes several steps to conceal itself, such as making a copy of itself and deleting the original. Once it settles in, Xnote then sends information about the victim’s system to a remote command and control server and waits for further instructions. If instructed to do so, Xnote can launch a SYN Flood, UDP Flood, HTTP Flood, or NTP Amplification attack. Xnote can also create and rename file and directories, accept files from the command and control server, start a SOCKS proxy, and communicate with the remote server through a hidden shell.
Researchers suspect Xnote was created by the Chinese hacker group ChinaZ.