New Linux Trojan

From: Qualys Inc (researchat_private)
Date: Wed Sep 05 2001 - 13:12:53 PDT


                 Qualys Security Alert QSA-2001-09-01
                        "Remote Shell Trojan"
    
    Release Date: 
    -------------
    September 5, 2001
    
    Platforms Affected:
    -------------------
    The Remote Shell Trojan identified and examined by Qualys has been 
    verified to affect various Linux platforms. However, Qualys
    researchers have concluded that the backdoor functionality of the 
    trojan could be adapted to all variants of UNIX, all Microsoft 
    Windows platforms, and other operating systems.
    
    Applications Affected:
    ----------------------
    The Remote Shell Trojan - named by Qualys due to its backdoor 
    functionality - has self-replicating capabilities and has been 
    observed to infect Linux ELF (Executable and Linking Format) binary 
    executable programs. On Linux systems, the Remote Shell Trojan 
    typically begins its replication activities in the current working 
    directory and in the /bin directory.
    
    Technical Description:
    ----------------------
    The Remote Shell Trojan operates as both a self-replicating program
    and a remote control backdoor program. Once a host has been 
    infected - commonly initiated through the execution of binary email 
    attachments or downloaded software - the Remote Shell Trojan then 
    initiates a virus-like self replication process that infects 
    additional executable binaries in the current working directory and
    in the /bin directory. No memory resident infection activities have
    been identified so far.
    
    Whenever an infected binary is launched, the Remote Shell Trojan
    code executes first and creates a backdoor process. This backdoor
    process runs with the credentials of the infected program and 
    remains active even after the "host" program terminates.
    
    The backdoor process listens on UDP port 5503 or higher for
    incoming requests. If a remote attacker sends a specially crafted
    datagram to this port containing the attacker's source IP address
    and a port number, the backdoor responds by establishing a TCP 
    connection back to the attacker's system. This TCP session gives
    the attacker a shell on the target system at the credential and 
    permission level of the originally infected binary program.
    
    Qualys security researchers have been able to simulate the client 
    portion that communicates with the backdoor process; however, it is
    likely that one or more client programs are in use by attackers. 
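    The trigger and call-back exchange described above, simulated on the
    local host as an added example. This is not the Qualys client simulator
    and not the trojan's code. The advisory does not document the wire
    format of the trigger datagram, so the layout used here (4-byte IPv4
    address followed by a 2-byte port, network byte order) is an assumption,
    and the stand-in "backdoor" only returns a fixed banner and never spawns
    a shell. What the simulation makes visible is the direction of each leg:
    the trigger is an unsolicited inbound UDP datagram, which is exactly what
    a stateful firewall that drops uninitiated inbound UDP to port 5503 and
    above never delivers, while the shell session is an outbound TCP
    connection from the victim, so egress filtering is the second place to
    catch it.

```python
"""Trigger/call-back exchange of the Remote Shell Trojan backdoor, simulated
on 127.0.0.1.  Added example: not Qualys code and not the trojan's code.
The advisory does not give the trigger datagram's wire format, so this
ASSUMES a 4-byte IPv4 address followed by a 2-byte port, network byte order.
The stand-in "backdoor" only sends a fixed banner; no shell is spawned."""
import socket
import struct
import threading

TRIGGER_FMT = "!4sH"  # assumed layout: IPv4 address, then TCP port (hypothetical)
BANNER = b"simulated-callback: this is where the shell would be\n"


def fake_backdoor(udp_sock):
    """Stand-in for the resident backdoor: wait for one trigger datagram,
    then open a TCP connection back to the address the datagram names.
    Note the direction: inbound UDP trigger, outbound TCP session."""
    data, _peer = udp_sock.recvfrom(64)
    if len(data) != struct.calcsize(TRIGGER_FMT):
        return  # not a trigger in our assumed format
    raw_ip, port = struct.unpack(TRIGGER_FMT, data)
    with socket.create_connection((socket.inet_ntoa(raw_ip), port), timeout=5) as tcp:
        tcp.sendall(BANNER)


def send_trigger(target, callback):
    """Client side: a single unsolicited datagram telling the backdoor where
    to call back.  A firewall dropping uninitiated inbound UDP to ports
    >= 5503 stops the attack at this packet."""
    payload = struct.pack(TRIGGER_FMT, socket.inet_aton(callback[0]), callback[1])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, target)


def run_simulation(udp_port=0):
    """Wire both halves together locally and return what the attacker-side
    listener observed.  udp_port=5503 mirrors the advisory (the port must be
    free); the default 0 picks an ephemeral port so this runs anywhere."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", udp_port))
    udp.settimeout(5)
    backdoor_port = udp.getsockname()[1]

    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    callback_addr = listener.getsockname()  # (ip, port) the backdoor must reach

    worker = threading.Thread(target=fake_backdoor, args=(udp,), daemon=True)
    worker.start()
    send_trigger(("127.0.0.1", backdoor_port), callback_addr)

    conn, peer = listener.accept()  # the victim connects out to us
    conn.settimeout(5)
    chunks = []
    with conn:
        while True:  # read until the backdoor side closes
            chunk = conn.recv(64)
            if not chunk:
                break
            chunks.append(chunk)
    worker.join(5)
    udp.close()
    listener.close()
    return {"backdoor_udp_port": backdoor_port,
            "callback_from": peer[0],
            "banner": b"".join(chunks)}


if __name__ == "__main__":
    print(run_simulation())
```

    Pass udp_port=5503 to run_simulation() to mirror the port the advisory
    names; the default picks a free port so the example runs on any host.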
    
    Remote Shell Trojan has functionalities that have previously been 
    seen in trojans and viruses affecting other operating systems 
    including Microsoft Windows. The specific components include the 
    virus-like file infector, adding 4,096 bytes for the bootstrap 
    segment and appending 2,877 bytes of trojan code. It is important 
    to note that infected ELF binary files remain fully functional. 
    Also the Remote Shell Trojan does not appear to apply any 
    sophisticated stealth mechanisms; for example, file sizes and file 
    modification dates are changed during infection and can easily be 
    detected.
    
    The backdoor process of Remote Shell Trojan also issues an HTTP GET
    request to port 80 on the host 212.15.64.41 (orinoco.portland.co.uk). 
    This host does not appear to return any meaningful results upon 
    such a request.
    
    Scope & Impact:
    ---------------
    Hosts infected with the Remote Shell Trojan can be:
    *  Hijacked by the attacker
    *  Employed as secondary attack platforms for further intrusions 
       within or external to an organization
    *  Scrutinized for information to be used in subsequent attacks and 
       intrusions
    *  Scoured for sensitive organizational data
    *  Vandalized and/or destroyed in order to cause financial and/or 
       operational harm to an organization
    
    Mitigating Factors:
    -------------------
    The replication process of the Remote Shell Trojan can only affect 
    binary files within the access privileges of the user who launched 
    the originally infected program.
    
    Hosts and networks protected by firewalls can be infected by the 
    Remote Shell Trojan through careless security policy and practice 
    regarding email attachments and downloaded software. However, in 
    current versions of the trojan, attackers cannot establish 
    communication with the backdoor process if, for example, a dynamic 
    packet-filtering firewall effectively prohibits uninitiated inbound 
    UDP traffic from port 5503 and above.
    
    Hosts equipped with checksum-based administration tools such as 
    tripwire can be configured to identify binaries that have been 
    altered by the propagation and infection activities of the Remote 
    Shell Trojan.
    
    Recommendations:
    ----------------
    Administrators should take measures to review and perhaps reassess 
    current perimeter firewall policies, particularly with regard to 
    uninitiated inbound UDP communications.
    
    Organizational security policies relating to email attachments and 
    downloaded software should be reiterated to staff and employees.
    
    The Remote Shell Trojan changes file dates upon infection, 
    therefore administrators can examine file dates to determine 
    whether a binary file has been affected.
    
    Because the Remote Shell Trojan changes the size and content of 
    files during infection, host-based checksum tools should be 
    deployed to mission-critical servers. The scope of such tools should 
    include file system locations commonly used for the storage of 
    executable binaries, such as /bin, /etc/bin, and /usr/bin, and other 
    common locations.
    
    When an infected binary is launched, the resident backdoor process 
    is created with the name of the infected host program. The 
    process table should be examined to determine whether unexpected 
    processes (e.g., ls) are present. 
    
    On an infected system, the backdoor process creates a lockfile 
    /tmp/982235016-gtkrc-429249277. The presence of this lockfile is 
    an indication for a potential infection with Remote Shell Trojan.
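    The host-side checks recommended above (file dates and checksums
    against a baseline, the size growth of an infected ELF, the process
    table, the lockfile, and the UDP listener), collected into one script as
    an added example. This is not the Qualys rst_detector or rst_cleaner
    tool. Every indicator comes from the advisory text; the /proc/net/udp
    excerpt and the fake binary in demo_infection() are constructed for the
    example, and reading /proc/net/udp for the listener check is this
    example's choice, not something the advisory prescribes.

```python
"""Host-side checks for the indicators listed in the Recommendations above.
Added example, not the Qualys rst_detector/rst_cleaner tools.  Indicators
are taken from the advisory text: the lockfile path, the 4,096 + 2,877 byte
growth of an infected ELF, changed contents/mtimes versus a checksum
baseline, and a UDP listener on port 5503 or above.  SAMPLE_PROC_NET_UDP
and the file used in demo_infection() are constructed for this example."""
import hashlib
import os
import tempfile
from pathlib import Path

LOCKFILE = Path("/tmp/982235016-gtkrc-429249277")
INFECTION_GROWTH = 4096 + 2877   # bootstrap segment + appended trojan code
MIN_BACKDOOR_PORT = 5503

# Constructed /proc/net/udp excerpt: a DNS client on 53 (0x0035) plus
# unconnected sockets on 5503 (0x157F) and 5510 (0x1586).  Ports are hex.
SAMPLE_PROC_NET_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   14: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11803
   21: 00000000:157F 00000000:0000 07 00000000:00000000 00:00000000 00000000   500        0 20931
   22: 00000000:1586 00000000:0000 07 00000000:00000000 00:00000000 00000000   500        0 20944
"""


def build_baseline(dirs):
    """tripwire-style baseline: path -> (size, mtime, sha256).  Build it on a
    known-clean host and keep it off-box or on read-only media: a baseline
    stored beside /bin can be rewritten by anything that can rewrite /bin."""
    baseline = {}
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            for name in files:
                p = Path(root) / name
                if p.is_symlink() or not p.is_file():
                    continue
                st = p.stat()
                baseline[str(p)] = (st.st_size, int(st.st_mtime),
                                    hashlib.sha256(p.read_bytes()).hexdigest())
    return baseline


def verify_baseline(baseline):
    """Compare live files against the baseline.  The hash is authoritative
    (an mtime can be reset with touch, a size can coincide); growth of
    exactly INFECTION_GROWTH bytes is called out because it is the
    footprint the advisory documents."""
    findings = []
    for path, (size, mtime, digest) in baseline.items():
        p = Path(path)
        if not p.exists():
            findings.append((path, "missing"))
            continue
        st = p.stat()
        if hashlib.sha256(p.read_bytes()).hexdigest() == digest:
            continue
        if st.st_size - size == INFECTION_GROWTH:
            findings.append((path, "modified: grew by %d bytes (RST footprint)" % INFECTION_GROWTH))
        else:
            findings.append((path, "modified: size %d->%d, mtime %d->%d"
                             % (size, st.st_size, mtime, int(st.st_mtime))))
    return findings


def udp_listeners_at_or_above(proc_net_udp_text, min_port=MIN_BACKDOOR_PORT):
    """Parse /proc/net/udp text (passed in, so a copy saved from a suspect
    host can be examined offline).  rem_address 00000000:0000 means the
    socket is unconnected, i.e. it accepts anyone's datagrams."""
    hits = []
    for line in proc_net_udp_text.splitlines()[1:]:   # skip header
        fields = line.split()
        if len(fields) < 3:
            continue
        port = int(fields[1].split(":")[1], 16)
        if port >= min_port and fields[2] == "00000000:0000":
            hits.append(port)
    return sorted(hits)


def check_host(baseline=None, proc_net_udp_path="/proc/net/udp"):
    """One-shot triage; indicators are reported separately, not folded into
    a verdict, since the lockfile only appears once an infected binary has
    actually been run."""
    report = {"lockfile": LOCKFILE.exists()}
    try:
        report["udp_listeners"] = udp_listeners_at_or_above(Path(proc_net_udp_path).read_text())
    except OSError:
        report["udp_listeners"] = None   # not Linux, or /proc unreadable
    if baseline is not None:
        report["baseline_findings"] = verify_baseline(baseline)
    return report


def demo_infection():
    """Constructed sample: baseline a fake 'ls', append INFECTION_GROWTH
    bytes as an infection would, and return the verify findings."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp) / "ls"
        fake.write_bytes(b"\x7fELF" + b"\x00" * 1020)
        baseline = build_baseline([tmp])
        with fake.open("ab") as fh:
            fh.write(b"\x90" * INFECTION_GROWTH)
        return verify_baseline(baseline)


if __name__ == "__main__":
    print(demo_infection())
    print(udp_listeners_at_or_above(SAMPLE_PROC_NET_UDP))
    print(check_host(build_baseline(("/bin", "/usr/bin"))))
```

    In use, build_baseline() is run once on a clean host over /bin, /usr/bin
    and the other binary locations the advisory lists, the result is stored
    off the host, and verify_baseline() is run against it on a schedule; the
    process-table check (an unexpected long-lived process named ls, for
    example) is left to ps, since the advisory gives no fixed process name
    to match.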
    
    Administrators, security officers, and concerned users may freely 
    download Qualys-developed Remote Shell Trojan detection and 
    cleaning tools from the Qualys web site at 
    http://www.qualys.com/form_remoteshell.html 
    
    Detection & Repair Procedures:
    ------------------------------
    Identification and cleaning tools are available from Qualys Inc. at 
    http://www.qualys.com/form_remoteshell.html. In addition, users may 
    request a free perimeter vulnerability scan from Qualys at the same 
    address.
    
    The Qualys tool rst_detector takes an IP address as a command line 
    parameter and probes the requested machine for the Remote Shell 
    Trojan backdoor. An optional parameter allows probing for Remote 
    Shell Trojan on any port other than 5503.
    
    The Qualys tool rst_cleaner takes an infected file name as a 
    command line parameter and creates a cleansed version of the 
    infected file.  The tool also accepts wildcard parameters (e.g. 
    /bin/*). Cleaned copies of the file are created in the source 
    directory with the extension .clean. Source files are left unchanged.
    
    Qualys has developed, tested and deployed a Remote Shell Trojan 
    vulnerability detection signature within its QualysGuard online 
    vulnerability assessment platform.
    
    Technical Data:
    ---------------
    QualysGuard Vulnerability ID:
    1019, 1020
    CVE Identifier:
    CAN-1999-0660
    Supplementary Information & Resources:
    No other resources regarding the Remote Shell Trojan are known at 
    present.
    
    At this time, the Remote Shell Trojan source code is not known to 
    be available.
    
    Acknowledgements:
    -----------------
    This Trojan was identified in Europe by the Qualys security research 
    team. Qualys has security researchers at multiple sites around the 
    world to identify new threats and vulnerabilities as they emerge.
    
    Qualys Contact Information:
    1326 Chesapeake Terrace 
    Sunnyvale, CA 94089 
    tel. 408.747.6000 
    fax. 408.747.5255 
    email: researchat_private
    http://www.qualys.com
    
    Disclaimer:
    -----------
    CONFIDENTIAL AND PROPRIETARY INFORMATION Qualys provides this 
    Security Advisory "As Is" without any warranty of any kind. Qualys 
    makes no warranty that this Security Advisory or any associated 
    information contained herein will identify every vulnerability in 
    your network or host systems, or that the suggested solutions and 
    advice provided in this report, together with the results of any 
    associated procedures or recommendations contained herein, will be 
    error-free or complete. Qualys shall not be responsible or liable 
    for the accuracy, usefulness, or availability of any information 
    transmitted in this report, and shall not be responsible or liable 
    for any use or application of the information contained in this 
    report.
    
    
    © 2001, Qualys, Inc.  All rights reserved.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Sep 05 2001 - 13:41:00 PDT