According to the researchers, the different variants of three distinct Trojans they found seem all to have been created by the same person.
Most of these Trojans are created to carry out DDoS attacks via a number of protocols and requests - they are capable of launching SYN, UDP, TCP and ping flooding, as well as of mounting DNS and NTP amplification attacks.
There are variants that target Linux ARM distributions, others that infect servers and desktops running 32-bit versions of Ubuntu and CentOS, others still that target 64-bit versions of Linux.
Once on a target machine, the Trojans first make sure that they will be started automatically each time the machine is rebooted, then they collect information about the system's hardware and software (CPU model, available memory, OS version, etc.).
The information is then sent in encrypted from to the remote C&C server, from which the malware then receives commands on what to do next, i.e. which target to attack, and updates.
"The command servers facilitating control over the Trojans are located mainly in the territory of China, and the corresponding DDoS attacks are directed mainly against Chinese websites," they noted. Infected Linux machines, on the other hand, are not located only in China, so be careful.