Once installed on a Linux-based machine, the trojan checks for a copy of itself on the machine.

The malware then tries to hide itself by deleting the original launch file.

Both the backdoor and the server use the zlib library to compress the packets they exchange.

Xnote, the new multi-purpose backdoor, targets Linux servers and converts them into botnets

It also adds a script that launches it automatically each time the machine is rebooted.

Once a connection to one of the servers is established, information is exchanged between them in compressed packets.

First, Linux.BackDoor.Xnote.1 sends information about the infected system to the server.


It then goes into standby mode and awaits further instructions.

Resource: Dr.Web


source: www.techworm.net