[ISN] Linux based Trojan gets a closer look

From: InfoSec News (isnat_private)
Date: Mon Sep 10 2001 - 23:08:46 PDT


    http://www.vnunet.com/News/1125305
    
    By James Middleton 
    07-09-2001
     
    In light of the interest in the recently discovered Linux-based Remote
    Shell Trojan, vnunet.com has uncovered more details of the worm's
    functionality in a bid to dispel any fear, uncertainty and doubt.
    
    Security experts analysing the Trojan have said that it infects Linux
    Executable and Linking Format (ELF) files, initially surfacing in the
    /bin directory.
    
    It should be noted, however, that infected ELF files will remain fully
    functional so as to hide the infection.
    
    The program displays some virus-like qualities such as
    self-replication via email. It also installs a backdoor in the
    infected host, listening on UDP port 5503 or higher.
    
    An attacker could connect to this port via TCP and potentially take
    control of the machine, as they would have shell access at the
    permission level of the user executing the virus.
    
    So far, no memory resident infection activities have been identified.
    
    According to analysis, the Remote Shell Trojan does not appear to
    apply any sophisticated stealth mechanisms: for example, file sizes
    and file modification dates are changed during infection and can
    easily be detected.
    
    This means that host-based checksum tools deployed on mission critical
    servers should be able to detect infection.
    
    The scope of such tools should include file system locations commonly
    used for the storage of executable binaries, such as /bin, /etc/bin,
    and /usr/bin, and other common locations.
    
    An infected system also creates a lockfile in reference to the back
    door; this will appear as '/tmp/982235016-gtkrc-429249277'. The
    presence of this lockfile is an indication of a potential infection
    with the Remote Shell Trojan.
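    As an added example (not code from the article, Qualys or vnunet), a minimal baseline-and-compare integrity check of the kind the article recommends, covering the directories it names and the lockfile it quotes; RST_LOCKFILE, DEFAULT_DIRS and the function names are this example's own.

```python
import hashlib
import os
import stat

# Indicator quoted in the article: the backdoor's lockfile.
RST_LOCKFILE = "/tmp/982235016-gtkrc-429249277"
# Directories the article names as common homes for executables.
DEFAULT_DIRS = ("/bin", "/usr/bin")


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_baseline(dirs=DEFAULT_DIRS):
    """Record size, mtime and SHA-256 of each regular file under dirs."""
    baseline = {}
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                st = os.lstat(path)
                if stat.S_ISREG(st.st_mode):  # skip symlinks, devices
                    baseline[path] = {"size": st.st_size,
                                      "mtime": int(st.st_mtime),
                                      "sha256": _sha256(path)}
    return baseline


def compare(baseline, dirs=DEFAULT_DIRS):
    """Map each changed path to the differing fields ('missing'/'new' for
    files that vanished or appeared). Size and mtime changes are what the
    article says the Trojan does not hide; the hash catches the rest."""
    current = build_baseline(dirs)
    findings = {}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings[path] = ["missing"]
        else:
            diffs = [k for k in ("size", "mtime", "sha256") if old[k] != new[k]]
            if diffs:
                findings[path] = diffs
    for path in current.keys() - baseline.keys():
        findings[path] = ["new"]
    return findings


def lockfile_present(path=RST_LOCKFILE):
    """True if the lockfile the article describes exists (potential infection)."""
    return os.path.exists(path)
```

    Run build_baseline() on a known-clean system, store the result off-host, and run compare() against it periodically.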
    
    According to security firm Qualys, which claims discovery of the
    virus, it commonly arrives via binary email attachments or downloaded
    software.
    
    Qualys said that the proliferation of Linux servers on the internet
    means that potentially, this virus could hit harder than Code Red, but
    only if executed by unwary users.
    
    A host infected with the Remote Shell Trojan could be: hijacked by the
    attacker; employed as a secondary attack platform for further
    intrusions within or external to an organisation; scrutinised for
    information to be used in subsequent attacks and intrusions; scoured
    for sensitive organisational data; or vandalised and/or destroyed in
    order to cause financial and/or operational harm to an organisation.
    
    Apparently organisations whose systems have been compromised by the
    Remote Shell Trojan may now inadvertently fall foul of the Data
    Protection Act, added Qualys.
    
    More information and methodology for eliminating the virus can be
    found here.
    
    http://www.qualys.com/alert/remoteshell.html
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Sep 11 2001 - 01:46:08 PDT