http://www.vnunet.com/News/1125305 By James Middleton 07-09-2001 In light of the interest in the recently discovered Linux based Remote Shell Trojan, vnunet.com has uncovered more details of the worm's functionality in a bid to dispel any fear, uncertainty and doubt. Security experts analysing the Trojan have said that it infects Linux Executable and Linking Format (ELF) files, initially surfacing in the /bin directory. It should be noted, however, that infected ELF files will remain fully functional so as to hide the infection. The program displays some virus-like qualities such as self-replication via email. It also installs a backdoor in the infected host, listening on UDP port 5503 or higher. An attacker could connect to this port via TCP and potentially take control of the machine, as they would have shell access at the permission level of the user executing the virus. So far, no memory resident infection activities have been identified. According to analysis, the Remote Shell Trojan does not appear to apply any sophisticated stealth mechanisms: for example, file sizes and file modification dates are changed during infection and can easily be detected. This means that host-based checksum tools deployed on mission critical servers should be able to detect infection. The scope of such tools should include file system locations commonly used for the storage of executable binaries, such as /bin, /etc/bin, and /usr/bin, and other common locations. An infected system also creates a lockfile in reference to the back door; this will appear as '/tmp/982235016-gtkrc-429249277'. The presence of this lockfile is an indication of a potential infection with the Remote Shell Trojan. According to security firm Qualys, which claims discovery of the virus, it commonly arrives via binary email attachments or downloaded software. Qualys said that the proliferation of Linux servers on the internet mean that potentially, this virus could hit harder than Code Red, but only if executed by unwary users. A host infected with the Remote Shell Trojan could be: hijacked by the attacker; employed as secondary attack platforms for further intrusions within or external to an organisation; scrutinised for information to be used in subsequent attacks and intrusions; scoured for sensitive organisational data; or vandalised and/or destroyed in order to cause financial and/or operational harm to an organisation. Apparently organisations whose systems have been compromised by the Remote Shell Trojan may now inadvertently fall foul of the Data Protection Act, added Qualys. More information and methodology for eliminating the virus can be found here. http://www.qualys.com/alert/remoteshell.html - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Sep 11 2001 - 01:46:08 PDT