Security Incidents mailing list archives

Re: Remote Shell Trojan: Threat, Origin and the Solution


From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Mon, 10 Sep 2001 10:47:16 +1200

"anonymous" <rst () coders com> wrote:

On the 5th of September Qualys released a Security Warning regarding a
Linux-based virus. This virus was called the "Remote Shell Trojan" (RST) and it
attacks Linux ELF binaries. It has replicating abilities: when run it will
infect all binaries in /bin and the current working directory. Besides that
it also spawns a process listening on UDP port 5503. When a properly crafted
packet is received by this process it will connect back with a system shell.
<<snip>>

To the best of my knowledge, neither Qualys nor yourselves (or anyone 
else) has provided samples of this virus to the usual antivirus 
research community.  You are more likely to have a fix for this virus 
reach where it is needed through those established and now fairly 
well-honed delivery systems than by posting to a public mailing list.

If you or Qualys wish to provide such samples to the antivirus 
research community, please send the samples where you would normally 
send virus samples.  If you do not have a preferred vendor or 
vendors, here is a list of the sample submission addresses of the 
better known antivirus developers -- please choose the vendor(s) you 
feel happy trusting such code to and supply them with a sample:

   Command Software               <virus () commandcom com>
   Computer Associates (US)       <virus () cai com>
   Computer Associates (Vet/IPE)  <ipevirus () vet com au>
   DialogueScience (Dr.Web)       <Antivir () dials ru>
   Eset (NOD32)                   <trnka () eset sk>
   F-Secure Corp.                 <samples () f-secure com>
   Frisk Software                 <viruslab () complex is>
   Kaspersky Labs                 <newvirus () avp ru>
   Network Associates (US)        <virus_research () nai com>
   Norman (NVC)                   <analysis () norman no>
   Sophos Plc.                    <support () sophos com>
   Symantec                       <avsubmit () symantec com>
   Trend Micro                    <virus_doctor () trendmicro com>



-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

