[ISN] New Linux Backdoor Virus Gains Smarts

From: InfoSec News (isnat_private)
Date: Tue Jan 08 2002 - 00:52:44 PST

  • Next message: InfoSec News: "[ISN] Texas Lottery's Web site defaced by hackers"

    By Brian McWilliams, Newsbytes
    05 Jan 2002, 4:17 AM CST
    A new and more dangerous version of a remote-control virus that
    targets computers running the Linux operating system may be in the
    wild, but security experts do not expect the malicious code to spread
    According to preliminary analyses, the virus appears to be a "smarter"  
    variant of the Remote Shell Trojan (RST), discovered last September,
    that infects programs written for Linux, an alternative to Microsoft's
    Managed security provider Qualys obtained a copy of one new variant
    last month from an "outside source," according to Gerhard Eschelbeck,
    vice president of engineering. Qualys will release a detailed
    advisory, along with detection and cleaning tools next week for the
    new virus, which it has labeled RST.b.
    Like the initial RST, the new variant identified by Qualys is designed
    to infect binary files in the Linux Executable and Linking Format
    (ELF) and create a "back door" on an infected system that gives a
    remote attacker full control.
    But Eschelbeck said RST.b is more dangerous than its predecessor
    because it contains a payload that turns the infected machine into a
    network "sniffer" that enables the virus to identify and use any open
    port for communication.
    "The sniffer function allows the backdoor process to listen for any
    types of packets coming from any type of UDP port. This is an
    interesting but dangerous methodology we have not seen before," he
    Qualys' findings differ somewhat from a separate analysis of a new RST
    variant identified last month by an independent security researcher
    who uses the nickname Lockdown.
    According to Lockdown's analysis, the virus relies on the less common
    exterior gateway protocol (EGP) instead of the user datagram protocol
    (UDP). Lockdown said he discovered the virus on a "wargame box," a
    system used for hacking experiments.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 05:55:32 PST