January 10, 2002

Qualys: New Linux trojan found

Author: JT Smith

Cari Jaquet writes:
Qualys, Inc., a leader in Managed Vulnerability Assessment, announces the detection and analysis of a new and potentially dangerous Remote Shell Trojan, referenced as RST.b, with backdoor and self-replicating functionality. Machines can become infected through binary email attachment or downloaded files.

RST.b then installs a backdoor that listens for network traffic coming through any UDP port, making this trojan different and significantly more dangerous than the Remote Shell Trojan identified earlier by Qualys in September 2001. RST.b detection and cleansing tools are available at https://www.qualys.com/forms/remoteshellb.html.

Once infected with RST.b, systems start listening for network traffic on any UDP port. To activate the backdoor, attackers send specially-crafted UDP packets to launch arbitrary commands, scouring the system for sensitive data, vandalizing or completely destroying the files on the infected host. RST.b also has self-replicating capabilities, making it likely to spread across binary files on the infected host, a function that has previously been used in trojans and viruses affecting other operating systems, including Microsoft Windows. Another dangerous aspect of RST.b is that it allows hackers to query the Internet and find infected systems, increasing the speed and likelihood of exposure.

"As a leading provider of security threat management solutions, SecurityFocus alerts the community about potentially dangerous network threats," said Ryan Russell, Incident Analyst for SecurityFocus. "SecurityFocus appreciates the contribution Qualys has made to the community by providing the analysis required to combat the RST.b virus as well as their diligence in developing tools to help organizations eliminate exposed or infected systems."

"The most significant worry with RST.b is its unique ability to receive and execute payloads through the network, making it a threat to even the most secured hosts," explained Gerhard Eschelbeck, Vice President of Engineering at Qualys. "On a positive note, during our analysis, we discovered programming errors in the virus trojan code that limit RST.b capabilities to self-replicate as efficiently as intended," Eschelbeck continued.

For more information about Qualys, please visit http://www.qualys.com.
