
Remote Shell Trojan: Threat, Origin and the Solution

daemon@ATHENA.MIT.EDU (kai takashi)
Sun Sep 9 16:58:43 2001

From: kai takashi <rst@coders.com>
Reply-To: rst@coders.com
To: bugtraq@securityfocus.com
Date: Sun, 9 Sep 2001 14:40:27 +0300
Cc: incidents@securityfocus.com, focus-virus@securityfocus.com,
        vulnwatch@vulnwatch.org, contribute@linuxsecurity.org
Message-Id: <01090914541500.08399@bandit>


Overview:

On the 5th of September Qualys released a security warning regarding a Linux-based
virus. The virus was called the "Remote Shell Trojan" (RST) and it infects Linux
ELF binaries. It is self-replicating: when an infected binary is run it infects all
binaries in /bin and in the current working directory. In addition it spawns a
backdoor process listening on UDP port 5503. When this process receives a properly
crafted packet it connects back to the sender with a system shell.

Danger:

Viruses are very often not seen as a real security threat for UNIX, since a virus
cannot infect binaries to which the user ID it runs under has no write access.
Even so, viruses can be a threat to UNIX-based operating systems: every time an
infected binary is run it infects all binaries in the current working directory.
It is not unthinkable that a user with higher privileges will later run a binary
infected by RST, and in this way the virus can transparently spread across the
system. This is especially the case in production environments or in environments
where many users share files. The process accelerates rapidly once the /bin
binaries are infected: every execution of a normal system command like 'ls' then
infects all binaries in the current working directory. In spite of the theoretical
immunity of UNIX, the situation described here is quite likely to occur in practice.
The backdoor process can give unprivileged people access to your system under the
user ID the backdoor process runs as, and attackers can attempt to gain higher
privileges on the system from there.

Origin:

RST was developed by us as a research project and was intended only for internal
use on our systems. Our goal was to analyse how a non-privileged virus could
affect a system running Linux in a normal work environment. Things however didn't
go as they were intended to go. An infected binary accidentally leaked out of our
research lab and came into the hands of so-called "scriptkiddies". They infected
their own systems and other systems to which they had access. From this point
the virus seemed to spread in the wild. This should never have happened and we
truly apologize that it did.

Our main concern now is that the spread of this virus gets stopped and that all
the infected hosts get cleaned as soon as possible. As of now the format of the
specially crafted packet sent to the listening backdoor process is unknown to
the public. But this might eventually get reverse engineered, and RST could then
be actively abused by other people.

Solution:

We have created a set of utilities which can recursively detect and remove the
virus from the system. They also have the option to make binaries IMMUNE to future
infection by RST. We have put our best effort into making these utilities as easy
to use as possible, and we STRONGLY RECOMMEND that you run them to see if you are
infected and to remove RST from all infected binaries. We especially recommend
that multiuser systems be made immune to RST, as the risks for these systems are
much higher. Immunisation works by increasing the size of the text segment by
4096 bytes so that the "hole" between the text and data segments is gone. After
this there is no space left for RST to add itself to the binary.
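The hole that the immunisation closes can be measured from the ELF program headers. The following is an added example, not code from the original post or from kill_rst.tgz: it assumes a little-endian ELF32 or ELF64 file, reads the PT_LOAD segments, and reports the in-memory gap between the end of the executable (text) segment and the start of the next loadable segment, using a constructed minimal ELF image as input. It only measures the gap; it does not detect an existing infection, since no RST signature is given in the post.

```python
import struct

PT_LOAD, PF_X = 1, 0x1   # program header type and execute flag (ELF spec)

def load_segments(data: bytes):
    """Return PT_LOAD segments as (vaddr, filesz, memsz, flags), sorted by vaddr."""
    if data[:4] != b"\x7fELF" or data[5] != 1:          # magic, EI_DATA == little endian
        raise ValueError("not a little-endian ELF file")
    if data[4] == 1:                                      # EI_CLASS == ELFCLASS32
        e_phoff = struct.unpack_from("<I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
        fmt, pick = "<8I", lambda f: (f[2], f[4], f[5], f[6])   # vaddr, filesz, memsz, flags
    elif data[4] == 2:                                    # ELFCLASS64: p_flags follows p_type
        e_phoff = struct.unpack_from("<Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
        fmt, pick = "<IIQQQQQQ", lambda f: (f[3], f[5], f[6], f[1])
    else:
        raise ValueError("unknown ELF class")
    phdrs = [struct.unpack_from(fmt, data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    return sorted(pick(f) for f in phdrs if f[0] == PT_LOAD)

def text_data_hole(data: bytes) -> dict:
    """Bytes between the end of the executable (text) segment and the start of the
    next loadable segment. A hole of 0 leaves no room for a text-padding parasite."""
    segs = load_segments(data)
    for i, (vaddr, _filesz, memsz, flags) in enumerate(segs[:-1]):
        if flags & PF_X:
            text_end, data_start = vaddr + memsz, segs[i + 1][0]
            return {"text_end": text_end, "data_start": data_start,
                    "hole": data_start - text_end, "immune": data_start == text_end}
    raise ValueError("no executable PT_LOAD followed by another PT_LOAD")

def build_elf32(text_memsz: int, data_vaddr: int) -> bytes:
    """Constructed minimal ELF32 image: header plus one text and one data PT_LOAD."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)            # ELFCLASS32, LE, version 1
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0x08048100,
                       52, 0, 0, 52, 32, 2, 40, 0, 0)           # ET_EXEC, EM_386, two phdrs
    text = struct.pack("<8I", PT_LOAD, 0, 0x08048000, 0x08048000, text_memsz, text_memsz, 5, 0x1000)
    data = struct.pack("<8I", PT_LOAD, text_memsz, data_vaddr, data_vaddr, 0x100, 0x120, 6, 0x1000)
    return ehdr + text + data

# Constructed inputs: the usual linker layout places data one page after the end of
# text, leaving a 4096-byte hole; growing text by 4096 bytes (the immunisation) closes it.
VULNERABLE = build_elf32(0x640, 0x08049640)
IMMUNISED = build_elf32(0x1640, 0x08049640)

if __name__ == "__main__":
    for name, img in (("vulnerable", VULNERABLE), ("immunised", IMMUNISED)):
        print(name, text_data_hole(img))
```

Run against a real binary with `text_data_hole(open(path, "rb").read())`; a non-zero hole means the binary still has the layout the immunisation removes, not that it is infected.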

The interface to these programs is simple and self-explanatory. The user can
decide whether to automatically detect and remove RST on the system recursively,
or to apply the remover on a per-binary basis. In the latter mode an individual
status report is also given on whether the binary is infected, immune or
innocent. Sample usage would be:

% perl Recurse.pl remove

For more information regarding this read the included documentation.

Conclusion:

Again we strongly recommend that anybody running Linux runs the detector to see
if their system is infected. Even if they do not expect anything, they can always
optionally immunise their system. This is the only way we can fight the further
spread of this virus. Again we apologise for all the inconvenience this may have
caused. But perhaps we can see it as a lesson that Linux and UNIX are not immune
to viruses.

Regards,
        - anonymous

[Attachment: kill_rst.tgz, application/x-gzip ("Kill the beast!"); base64-encoded content not reproduced]
