Security companies are warning Linux users over a new and dangerous Trojan that may have originated in the UK.

The Trojan contains self-replicating virus-like capabilities and has similarities to the Windows-based Back Orifice tool, putting Linux boxes at risk of remote control.

The so-called Remote Shell Trojan spreads through email as well as replicating itself across the infected system. It installs a backdoor which listens for incoming connections on UDP port 5503 or higher, and allows remote attackers to connect to, and take control of, an infected system.

The Trojan is most dangerous if it is executed by a privileged user as it inherits the credentials of that user, effectively allowing it to take full control.

Qualys, the security firm claiming to have discovered the worm, said: "Once a system is infected, the Remote Shell Trojan calls home to a UK-based website."

The company explained that this would allow hackers to accumulate lists of infected servers which could be used "to construct chronic distributed denial of service attacks on specified targets".

Qualys also warned that the size and scope of the Trojan could be massive. Over 58 per cent of websites worldwide currently use Apache servers for which Linux is the most popular platform.

If the worm turns into an epidemic this gives it more potential for damage than Code Red, which affected Windows NT servers that account for just 25 per cent of website servers, according to Qualys.

http://www.vnunet.com/News/1125288