Full Disclosure mailing list archives

Re: Qualys scanner detects rst.b trojan?


From: Scott Manley <smanley () qualys com>
Date: Tue, 16 Sep 2003 12:01:05 -0700

ned wrote:
Hi

I recently had an infection on one of my machines with the linux rst.b trojan. Qualys has a more or less detailed analysis of the code, and provides a remote detection tool here. https://www.qualys.com/forms/remoteshellb.html But even though I saw the running trojan process, knew the port of it and it was listening for incoming connections, Qualys' remote detection tool told me my host was clean. Did anyone run over the same behaviour? Is there a working remote detection utility?

Ned - thanks for the infected binaries.
What you have here are two different Linux viruses; neither of them appears to be a vanilla rst.b.

One is the OSF virus. It is an 8192-byte package which attaches to ELF files in a similar manner to RST; on execution it forks and tries to debug itself, and exits if it can't. It then tries to infect up to 200 files in the local directory and in /bin, before launching a backdoor on port 29369. It doesn't do any of the raw socket stealth communication that RST uses, so the remote detection method we use in the code does not flag this as the RST.B trojan. However, a signature has been developed for the QualysGuard scanner and will be released soon.

The local detection tools still detect the infection since they operate based upon detecting the changes to the ELF structure which the viruses perform during the infection process.

The second file also gets flagged as an RST virus; however, I've not managed to observe it doing anything other than infecting a few test files. I don't see any raw sockets or otherwise. We'll look a little harder (our test setup may not be RST friendly) and we'll look at a few other avenues. But it appears that there is nothing to detect, and again this would explain why the tools can't detect a backdoor, because it doesn't exist.

Scott Manley
Vulnerability Engineer
Qualys Inc.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
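Scott's reply makes two points a host administrator can act on: the OSF sample is found locally by the changes it makes to the ELF structure of infected files, and it opens a backdoor listener on port 29369. The script below is an added example (not from the original post and not Qualys' detection tool) showing two host-side checks built on those points. The ELF heuristic, an entry point that falls outside any executable PT_LOAD segment, is a generic integrity check I chose for illustration; the post does not describe which structural changes RST or OSF actually make, so a known-good hash baseline is included as the more reliable test. The sample ELF image, the baseline and the /proc/net/tcp text are all constructed inline so the script runs offline.

```python
"""Host-side checks for the behaviour described in the post (added example, not Qualys' code)."""
import hashlib
import struct

PT_LOAD = 1          # loadable segment
PF_X = 1             # segment is executable
BACKDOOR_PORT = 29369  # listener port named in the post for the OSF backdoor


def parse_elf(data: bytes) -> dict:
    """Parse the ELF header and program headers of a 32- or 64-bit ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"
    is64 = data[4] == 2
    if is64:
        hdr = struct.unpack_from(endian + "HHIQQQIHHHHHH", data, 16)
        phdr_fmt = endian + "IIQQQQQQ"   # type, flags, offset, vaddr, paddr, filesz, memsz, align
    else:
        hdr = struct.unpack_from(endian + "HHIIIIIHHHHHH", data, 16)
        phdr_fmt = endian + "IIIIIIII"   # type, offset, vaddr, paddr, filesz, memsz, flags, align
    e_entry, e_phoff, e_phentsize, e_phnum = hdr[3], hdr[4], hdr[8], hdr[9]
    segments = []
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if is64:
            p_type, p_flags, p_vaddr, p_memsz = ph[0], ph[1], ph[3], ph[5]
        else:
            p_type, p_vaddr, p_memsz, p_flags = ph[0], ph[2], ph[5], ph[6]
        segments.append({"type": p_type, "flags": p_flags, "vaddr": p_vaddr, "memsz": p_memsz})
    return {"entry": e_entry, "segments": segments}


def entry_in_exec_segment(elf: dict) -> bool:
    """Heuristic: a sane binary's entry point lies inside a loadable, executable segment."""
    for seg in elf["segments"]:
        if seg["type"] == PT_LOAD and seg["flags"] & PF_X:
            if seg["vaddr"] <= elf["entry"] < seg["vaddr"] + seg["memsz"]:
                return True
    return False


def build_sample_elf64(entry: int) -> bytes:
    """Constructed minimal ELF64 image: header plus one R+X PT_LOAD at 0x400000..0x401000."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)        # class64, little-endian, version 1
    hdr = struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, entry, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, PF_X | 4, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)
    return ident + hdr + phdr


def baseline_mismatches(files: dict, baseline: dict) -> list:
    """Return names whose SHA-256 differs from a recorded known-good baseline."""
    return sorted(n for n, b in files.items() if hashlib.sha256(b).hexdigest() != baseline.get(n))


def listening_ports(proc_net_tcp: str) -> set:
    """Parse /proc/net/tcp text and return local ports in LISTEN state (st == 0A)."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:      # skip the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local.split(":")[1], 16))
    return ports


def backdoor_port_open(proc_net_tcp: str, port: int = BACKDOOR_PORT) -> bool:
    return port in listening_ports(proc_net_tcp)


# Constructed /proc/net/tcp sample: sshd on 22 and a listener on 0x72B9 == 29369.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:72B9 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    clean = build_sample_elf64(0x400100)
    odd = build_sample_elf64(0x600000)                 # entry outside every executable segment
    baseline = {"/bin/sample": hashlib.sha256(clean).hexdigest()}
    print("entry ok (clean):", entry_in_exec_segment(parse_elf(clean)))
    print("entry ok (odd):  ", entry_in_exec_segment(parse_elf(odd)))
    print("baseline drift:  ", baseline_mismatches({"/bin/sample": odd}, baseline))
    print("port 29369 open: ", backdoor_port_open(SAMPLE_PROC_NET_TCP))
```

On a real host the same functions would be fed the bytes of each file under /bin plus the current directory (the locations the post says OSF targets) and the contents of /proc/net/tcp; the hash baseline has to be recorded before any infection, which is why the structural heuristic is kept as a second, baseline-free signal.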

