Remote Shell Trojan b

From: Qualys, Inc. (researchat_private)
Date: Wed Jan 09 2002 - 23:09:29 PST


                     Qualys Security Alert QSA-2002-01-01
                       "Remote Shell Trojan b" (RST.b)
    
    
    
    Release Date: 
    -------------
    January 9, 2002
    
    
    Platforms Affected:
    -------------------
    The new Remote Shell Trojan RST.b identified and examined by 
    Qualys has been verified to affect various Linux platforms. 
    Qualys researchers have concluded that the backdoor functionality 
    of this new Trojan can be triggered by a UDP packet sent to any 
    port, which makes it particularly easy to launch arbitrary 
    commands on infected machines.
    
    
    Applications Affected:
    ----------------------
    The Remote Shell Trojan RST.b - named by Qualys for its backdoor 
    functionality - differs in its activation and backdoor 
    functionality from the Remote Shell Trojan identified earlier by 
    Qualys in http://www.qualys.com/alert/remoteshell.html . 
    It is self-replicating and has been observed to infect Linux ELF 
    (Executable and Linking Format) binary executables. Subject to 
    the file permissions of the user who runs an infected program, 
    the Remote Shell Trojan RST.b replicates into binaries in the 
    current working directory and in the /bin directory.
    
    
    Technical Description:
    ----------------------
    The Remote Shell Trojan RST.b operates as both a self-replicating 
    program and a remote control backdoor. Once a host has been 
    infected - commonly through the execution of binary email 
    attachments or downloaded software - RST.b starts a virus-like 
    replication process that infects additional executable binaries 
    in the current working directory and in the /bin directory. No 
    memory-resident infection activity has been identified so far.
    
    
    The Infection Process:
    ----------------------
    The infection method used by RST.b is the well-known ELF 
    text-segment padding parasite technique. It inserts 4096 bytes 
    into the file between the text and data segments and rewrites the 
    ELF headers (program and section headers, file offsets) to 
    account for the shifted layout. The entry point of the binary is 
    changed to point at the parasite, so the Trojan code runs first 
    whenever an infected binary is launched; the original program is 
    then started and behaves normally. After calling ptrace as an 
    anti-debugging measure, RST.b issues the HTTP request 
    "GET /~telcom69/gov.php HTTP/1.0" to port 80 on the host 
    207.66.155.21 (ns1.xoasis.com). The requested content does not 
    appear to exist on this host. Additionally, the infected machine 
    is turned into a network sniffer by setting the promiscuous flag 
    on ppp0 and eth0, and the backdoor process is created. The 
    backdoor process runs with the credentials of the infected 
    program and remains active after the "host" program terminates. 
    In some instances, due to a programming error in the backdoor 
    process, it terminates together with the "host" program.
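    The entry-point redirection described above is the part of the 
    infection that a file scanner can check for without a reference 
    copy of the binary. The following Python is an added example, not 
    code from this advisory or from Qualys' rstb_detector/rstb_cleaner: 
    it parses the ELF header and section table and reports which 
    section the entry point falls in. In a normally linked executable 
    that is .text; a text-segment parasite sits in the page padding 
    after .text, so an entry point outside every section is the 
    heuristic flagged here. The two sample images are constructed in 
    the block (a clean layout and one with the entry pushed past the 
    end of .text), and the function names are the example's own.

```python
import struct


def elf_sections(data):
    """Parse the ELF header and section header table of a little-endian
    ELF32 or ELF64 image. Returns (e_entry, [(name, sh_addr, sh_size), ...])."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[5] != 1:
        raise ValueError("only little-endian images are handled here")
    if data[4] == 1:                                   # EI_CLASS == ELFCLASS32
        ehdr_fmt, shdr_fmt = "<HHIIIIIHHHHHH", "<IIIIIIIIII"
    elif data[4] == 2:                                 # ELFCLASS64
        ehdr_fmt, shdr_fmt = "<HHIQQQIHHHHHH", "<IIQQQQIIQQ"
    else:
        raise ValueError("unknown EI_CLASS")
    hdr = struct.unpack_from(ehdr_fmt, data, 16)
    e_entry, e_shoff = hdr[3], hdr[5]
    e_shentsize, e_shnum, e_shstrndx = hdr[10], hdr[11], hdr[12]
    if e_shoff == 0 or e_shnum == 0:
        raise ValueError("section header table stripped; cannot locate .text")
    raw = [struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
           for i in range(e_shnum)]
    strtab_off = raw[e_shstrndx][4]                    # sh_offset of .shstrtab

    def name(idx):
        end = data.index(b"\x00", strtab_off + idx)
        return data[strtab_off + idx:end].decode("ascii", "replace")

    # fields 0, 3 and 5 are sh_name, sh_addr and sh_size in both ELF classes
    return e_entry, [(name(s[0]), s[3], s[5]) for s in raw]


def entry_point_section(data):
    """Name of the section whose address range contains e_entry, or None
    when the entry point lies outside every section, e.g. in the page
    padding after .text where a text-segment parasite is appended."""
    e_entry, sections = elf_sections(data)
    for name, addr, size in sections:
        if addr and addr <= e_entry < addr + size:
            return name
    return None


def looks_parasitised(data):
    """Heuristic: a normally linked executable starts in .text, so an
    entry point anywhere else indicates entry-point redirection."""
    return entry_point_section(data) != ".text"


def build_sample_elf32(entry_delta):
    """Constructed minimal ELF32 (i386) image used only for demonstration:
    ELF header, a 256-byte .text and a .shstrtab, no program headers.
    e_entry = start of .text + entry_delta, so 0 gives a clean layout and
    a value >= 0x100 places the entry past the end of .text, where an
    appended parasite would sit."""
    text = b"\x90" * 0x100                              # NOPs standing in for code
    shstrtab = b"\x00.text\x00.shstrtab\x00"            # name offsets 1 and 7
    ehsize, shentsize = 52, 40
    text_off = ehsize
    text_addr = 0x08048000 + text_off
    shstr_off = text_off + len(text)
    shoff = shstr_off + len(shstrtab)
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # class32, LE, v1
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1,     # ET_EXEC, EM_386
                                 text_addr + entry_delta, 0, shoff, 0,
                                 ehsize, 32, 0, shentsize, 3, 2)
    fmt = "<IIIIIIIIII"
    sh_null = struct.pack(fmt, *([0] * 10))
    sh_text = struct.pack(fmt, 1, 1, 6, text_addr, text_off, len(text), 0, 0, 16, 0)
    sh_str = struct.pack(fmt, 7, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)
    return ehdr + text + shstrtab + sh_null + sh_text + sh_str


if __name__ == "__main__":
    for label, img in (("clean", build_sample_elf32(0)),
                       ("redirected", build_sample_elf32(0x110))):
        print(label, entry_point_section(img), looks_parasitised(img))
    # On a live host: looks_parasitised(open("/bin/ls", "rb").read())
```

    The check needs section headers: a binary stripped of its section 
    table raises instead of returning a verdict, and an unusual but 
    legitimate linker layout can trip the heuristic, so treat a hit as 
    a reason to compare the file's size and checksum against the 
    package database or a tripwire baseline rather than as proof of 
    infection.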
    
    The Backdoor Process:
    ---------------------
    Because the infection process puts the interfaces into promiscuous 
    mode, the backdoor reads packets off the interface rather than 
    listening on a bound port, and therefore sees specially crafted 
    UDP packets addressed to any port. An earlier posting on 
    securityfocus.com on this Trojan indicated the protocol to be EGP; 
    careful analysis of the binary shows this to be incorrect. To 
    activate the backdoor, an attacker sends a UDP packet containing 
    the three-byte ASCII string "DOM" at a specific offset. The packet 
    also carries an activation code that selects the action taken by 
    the backdoor process. This is one of: 
    
    1) A response UDP packet containing the three-byte ASCII string 
    "DOM", sent to port 0x1111 (4369) on the attacker's host. This 
    provides a simple way of querying for infected systems on the 
    Internet.
    2) Execution of any command contained in the packet by passing 
    it to /bin/sh -c. This gives the attacker execution of arbitrary 
    commands on the target system at the credential and permission 
    level of the infected binary that was launched.
    
    Qualys security researchers have been able to simulate the client 
    portion for communicating with the backdoor process, however it is 
    likely that one or more client programs are in use by attackers. 
    
    Remote Shell Trojan RST.b has functionality previously seen in 
    Trojans and viruses affecting other operating systems, including 
    Microsoft Windows: it is a virus-like file infector that adds 
    4,096 bytes holding the bootstrap segment and Trojan code. It is 
    important to note that infected ELF binaries remain fully 
    functional. RST.b also does not appear to apply any sophisticated 
    stealth mechanisms; for example, file sizes and modification 
    dates change during infection and can easily be detected.
    
    
    Scope & Impact:
    ---------------
    Hosts infected with the Remote Shell Trojan RST.b can be:
    
    ·  Hijacked by the attacker
    ·  Employed as secondary attack platforms for further 
       intrusions within or external to an organization
    ·  Scrutinized for information to be used in subsequent attacks 
       and intrusions
    ·  Scoured for sensitive organizational data
    ·  Vandalized and/or destroyed in order to cause financial 
       and/or operational harm to an organization
    
    
    Mitigating Factors:
    -------------------
    The replication process of the Remote Shell Trojan RST.b can 
    only affect binary files within the access privileges of the 
    user who launched the originally infected program.
    
    Hosts and networks protected by firewalls can still be infected 
    by the Remote Shell Trojan RST.b through careless security policy 
    and practice regarding email attachments and downloaded software. 
    However, with current versions of the Trojan, attackers cannot 
    reach the backdoor process if, for example, a stateful 
    packet-filtering firewall drops unsolicited inbound UDP traffic 
    on every port.
    
    Hosts equipped with checksum-based administration tools such as 
    tripwire can be configured to identify binaries that have been 
    altered by the propagation and infection activities of the 
    Remote Shell Trojan RST.b.
    
    
    Recommendations:
    ----------------
    
    Administrators should take measures to review and perhaps 
    reassess current perimeter firewall policies, particularly 
    with regard to uninitiated inbound UDP communications.
    
    Organizational security policies relating to email attachments 
    and downloaded software should be reiterated to staff and employees.
    
    The Remote Shell Trojan RST.b changes file modification dates 
    upon infection, so administrators can examine modification times 
    to determine whether a binary has been affected. Timestamps can 
    be reset by an attacker, so treat this as a quick first check 
    and rely on checksums for confirmation.
    
    Because the Remote Shell Trojan RST.b changes the size and 
    content of files during infection, host-based checksum tools 
    should be deployed to mission-critical servers. The scope of 
    such tools should include file system locations commonly used 
    for the storage of executable binaries, such as /bin, /etc/bin, 
    /usr/bin and other common locations.
    
    When an infected binary is launched, the resident backdoor 
    process is created with the name of the infected host program. 
    The process table should be examined for processes that should 
    not persist (e.g., an ls that is still running long after it 
    was invoked). 
    
    On an infected system, the backdoor process creates lock 
    files /dev/hdx1 and /dev/hdx2. The presence of such lock files 
    is an indication of a potential infection with Remote Shell 
    Trojan RST.b.
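    The host-side indicators listed above (the lock files under /dev, 
    the promiscuous interfaces the infection enables, and a backdoor 
    process wearing the name of a transient utility) can be swept in 
    one pass. The Python below is an added example rather than part 
    of the advisory or of Qualys' tools; it reads the lock files, the 
    sysfs interface flags (IFF_PROMISC, bit 0x100, from 
    /sys/class/net/<if>/flags) and /proc/<pid>/comm, and every path 
    is parameterised so the block exercises itself against a 
    constructed snapshot of an infected host written to a temporary 
    directory. The watch list of utility names is an assumption 
    seeded with the advisory's ls example.

```python
import os
import tempfile

IFF_PROMISC = 0x100                 # Linux net_device flag bit, shown in sysfs 'flags'
RST_LOCK_FILES = ("hdx1", "hdx2")   # created under /dev by the backdoor (advisory)
TRANSIENT_UTILITIES = ("ls",)       # assumption: commands that should never persist


def rstb_lock_files(dev_dir="/dev"):
    """Names of the RST.b lock files present in dev_dir (none on a clean host)."""
    return [n for n in RST_LOCK_FILES if os.path.lexists(os.path.join(dev_dir, n))]


def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """Interfaces whose sysfs flags carry IFF_PROMISC."""
    found = []
    for ifname in sorted(os.listdir(sysfs_net)):
        path = os.path.join(sysfs_net, ifname, "flags")
        try:
            with open(path) as fh:
                flags = int(fh.read().strip(), 16)   # e.g. "0x1103"
        except (OSError, ValueError):
            continue
        if flags & IFF_PROMISC:
            found.append(ifname)
    return found


def lingering_processes(proc_dir="/proc", names=TRANSIENT_UTILITIES):
    """(pid, comm) of running processes named like a short-lived utility."""
    hits = []
    for entry in os.listdir(proc_dir):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_dir, entry, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        if comm in names:
            hits.append((int(entry), comm))
    return sorted(hits)


def triage(dev_dir="/dev", sysfs_net="/sys/class/net", proc_dir="/proc"):
    """All three indicators in one dictionary; call with defaults on the live host."""
    return {"lock_files": rstb_lock_files(dev_dir),
            "promisc": promiscuous_interfaces(sysfs_net),
            "lingering": lingering_processes(proc_dir)}


def build_fake_infected_host():
    """Constructed /dev, /sys/class/net and /proc snapshot of an infected host,
    written to a temp directory so the checks can be exercised offline."""
    root = tempfile.mkdtemp(prefix="rstb-demo-")
    dev = os.path.join(root, "dev")
    os.makedirs(dev)
    open(os.path.join(dev, "hdx1"), "w").close()
    net = os.path.join(root, "sys", "class", "net")
    # eth0 flags 0x1103 = UP | BROADCAST | PROMISC | MULTICAST; lo 0x9 = UP | LOOPBACK
    for ifname, flags in (("lo", "0x9"), ("eth0", "0x1103")):
        os.makedirs(os.path.join(net, ifname))
        with open(os.path.join(net, ifname, "flags"), "w") as fh:
            fh.write(flags + "\n")
    proc = os.path.join(root, "proc")
    for pid, comm in ((1, "init"), (4242, "ls")):
        os.makedirs(os.path.join(proc, str(pid)))
        with open(os.path.join(proc, str(pid), "comm"), "w") as fh:
            fh.write(comm + "\n")
    return dev, net, proc


if __name__ == "__main__":
    print(triage(*build_fake_infected_host()))   # the constructed snapshot
    # print(triage())                             # the live host
```

    An ls in the lingering list is only meaningful together with the 
    other two indicators, since a real ls can be caught mid-run; 
    /proc/<pid>/comm and the sysfs flags file are Linux interfaces, 
    which is all the advisory covers.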
    
    Outgoing UDP packets containing the three-byte ASCII string 
    "DOM" with destination port 0x1111 (4369) indicate a 
    potentially active backdoor process.
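    The marker and port described in the Backdoor Process section and 
    in the outgoing-traffic recommendation above are enough to write 
    a passive network check. This Python block is an added example, 
    not a Qualys tool: it builds a few raw IPv4/UDP datagrams as 
    constructed sample traffic, parses them back, and flags any 
    datagram carrying "DOM" whose destination port is 4369 as a beacon 
    from an infected host; a "DOM" datagram to any other port is 
    reported as a weaker "possible activation" hit because the 
    advisory does not publish the marker's offset. Addresses come 
    from the RFC 5737 documentation ranges and the verdict strings 
    are the example's own.

```python
import socket
import struct

RST_BEACON_PORT = 0x1111   # 4369: destination port of the "DOM" reply (advisory)
RST_MARKER = b"DOM"        # three-byte marker carried in both directions


def _ip_checksum(hdr):
    """RFC 1071 one's-complement sum over an IPv4 header whose checksum field is 0."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed IPv4/UDP datagram without link-layer header; the UDP
    checksum is left at 0, which IPv4 permits. Sample traffic, not a capture."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    return ip + udp


def parse_ipv4_udp(pkt):
    """Return (src, dst, sport, dport, payload), or None for non-IPv4/UDP input."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8:           # IP protocol 17 == UDP
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if ulen < 8:
        return None
    return src, dst, sport, dport, pkt[ihl + 8:ihl + ulen]


def classify(pkt):
    """'rstb-beacon' for a DOM datagram to port 4369 (an infected host answering
    a probe), 'rstb-possible-activation' for any other UDP datagram carrying DOM
    (the activation packet; its offset is unpublished, so this is a weaker
    signal), None otherwise."""
    parsed = parse_ipv4_udp(pkt)
    if parsed is None or RST_MARKER not in parsed[4]:
        return None
    return "rstb-beacon" if parsed[3] == RST_BEACON_PORT else "rstb-possible-activation"


def scan(packets):
    """Run classify() over raw datagrams; one (verdict, src, dst, sport, dport) per hit."""
    hits = []
    for pkt in packets:
        verdict = classify(pkt)
        if verdict:
            hits.append((verdict,) + parse_ipv4_udp(pkt)[:4])
    return hits


# Constructed sample traffic (addresses from the RFC 5737 documentation ranges)
SAMPLE_TRAFFIC = [
    # ordinary DNS query for example.com: no marker, must not be flagged
    build_ipv4_udp("192.0.2.10", "192.0.2.53", 40000, 53,
                   b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"),
    # infected host answering a probe: DOM to port 4369 on the attacker
    build_ipv4_udp("192.0.2.10", "198.51.100.7", 1024, RST_BEACON_PORT, RST_MARKER),
    # inbound packet with DOM at some offset: activation-shaped
    build_ipv4_udp("198.51.100.7", "192.0.2.10", 53, 53,
                   b"\x00" * 8 + RST_MARKER + b"id\x00"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_TRAFFIC):
        print(*hit)
```

    Feed it the IP-layer bytes of captured UDP traffic (strip the 
    link-layer header first). The activation heuristic will fire on 
    any UDP payload that happens to contain the uppercase bytes DOM, 
    so alert on beacons and only log the weaker class.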
    
    Administrators, security officers, and concerned users may 
    freely download Qualys-developed Remote Shell Trojan RST.b 
    detection and cleaning tools from the Qualys web site at 
    https://www.qualys.com/forms/remoteshellb.html
    
    
    Detection & Repair Procedures:
    ------------------------------
    Identification and cleaning tools are available from 
    Qualys Inc. at https://www.qualys.com/forms/remoteshellb.html. 
    In addition, users may request a free perimeter vulnerability 
    scan from Qualys at the same address.
    
    The Qualys tool rstb_detector uses the following syntax: 
    rstb_detector host [source_port dest_port] [-r n]
    It takes an IP address as a command line parameter and probes 
    the requested system for the Remote Shell Trojan RST.b backdoor. 
    Optional parameters specify the source and destination UDP ports 
    (both default to 53) used by the detector to query for RST.b. 
    Finally, the -r option specifies the number of simultaneous UDP 
    query packets sent by the detector (n defaults to 1). This option 
    is particularly useful within highly congested networks.
    
    The Qualys tool rstb_cleaner takes an infected file name as a 
    command line parameter and creates a cleansed version of the 
    infected file.  The tool also accepts wildcard parameters 
    (e.g. /bin/*). Cleaned copies of the file are created in the 
    source directory with the extension .clean. Source files are 
    left unchanged.
    
    Qualys has developed, tested and deployed a Remote Shell 
    Trojan RST.b vulnerability detection signature within its 
    QualysGuard online vulnerability assessment platform.
    
    
    Technical Data:
    ---------------
    QualysGuard Vulnerability ID:
    1023
    
    CVE Identifier:
    CAN-1999-0660
    
    Supplementary Information & Resources:
    An earlier posting on securityfocus.com from December 27, 2001 
    on Remote Shell Trojan RST.b had inaccuracies in the analysis 
    as well as lack of detection and cleaning capabilities. No 
    other resources regarding the Remote Shell Trojan RST.b are 
    known at present.
    
    At this time, the Remote Shell Trojan RST.b source code is not 
    known to be available.
    
    
    Acknowledgements:
    -----------------
    The Qualys security research team has worked with security 
    researchers around the world to isolate and analyze this 
    Trojan. Qualys has security researchers at multiple sites 
    to identify new threats and vulnerabilities as they emerge.
    
    
    Qualys Contact Information:
    ---------------------------
    1600 Bridge Parkway, Suite 201
    Redwood Shores, CA 94065
    tel. 650.801.6100
    fax. 650.801.6101
    email. researchat_private
    http://www.qualys.com
    
    
    Disclaimer:
    -----------
    CONFIDENTIAL AND PROPRIETARY INFORMATION Qualys provides 
    this Security Advisory "As Is" without any warranty of any 
    kind. Qualys makes no warranty that this Security Advisory 
    or any associated information contained herein will identify 
    every vulnerability in your network or host systems, or that 
    the suggested solutions and advice provided in this report, 
    together with the results of any associated procedures or 
    recommendations contained herein, will be error-free or complete. 
    Qualys shall not be responsible or liable for the accuracy, 
    usefulness, or availability of any information transmitted 
    in this report, and shall not be responsible or liable for 
    any use or application of the information contained in 
    this report.
    
    QSA-2002-01-01
    
    
    
    (c) 2002, Qualys, Inc.  All rights reserved.
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jan 10 2002 - 09:16:45 PST