Linux based Trojan gets a closer look

[InfoSec News <isn () c4i org>]

http://www.vnunet.com/News/1125305

By James Middleton 
07-09-2001
 
In light of the interest in the recently discovered Linux based Remote
Shell Trojan, vnunet.com has uncovered more details of the worm's
functionality in a bid to dispel any fear, uncertainty and doubt.

Security experts analysing the Trojan have said that it infects Linux
Executable and Linking Format (ELF) files, initially surfacing in the
/bin directory.

It should be noted, however, that infected ELF files will remain fully
functional so as to hide the infection.

The program displays some virus-like qualities such as
self-replication via email. It also installs a backdoor in the
infected host, listening on UDP port 5503 or higher.

An attacker could connect to this port via TCP and potentially take
control of the machine, as they would have shell access at the
permission level of the user executing the virus.

So far, no memory resident infection activities have been identified.

According to analysis, the Remote Shell Trojan does not appear to
apply any sophisticated stealth mechanisms: for example, file sizes
and file modification dates are changed during infection and can
easily be detected.

This means that host-based checksum tools deployed on mission critical
servers should be able to detect infection.

The scope of such tools should include file system locations commonly
used for the storage of executable binaries, such as /bin, /etc/bin,
and /usr/bin, and other common locations.

An infected system also creates a lockfile in reference to the back
door; this will appear as '/tmp/982235016-gtkrc-429249277'. The
presence of this lockfile is an indication of a potential infection
with the Remote Shell Trojan.

According to security firm Qualys, which claims discovery of the
virus, it commonly arrives via binary email attachments or downloaded
software.

Qualys said that the proliferation of Linux servers on the internet
mean that potentially, this virus could hit harder than Code Red, but
only if executed by unwary users.

A host infected with the Remote Shell Trojan could be: hijacked by the
attacker; employed as secondary attack platforms for further
intrusions within or external to an organisation; scrutinised for
information to be used in subsequent attacks and intrusions; scoured
for sensitive organisational data; or vandalised and/or destroyed in
order to cause financial and/or operational harm to an organisation.

Apparently organisations whose systems have been compromised by the
Remote Shell Trojan may now inadvertently fall foul of the Data
Protection Act, added Qualys.

More information and methodology for eliminating the virus can be
found here.

http://www.qualys.com/alert/remoteshell.html



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.