7074741 2001-09-09 14:40 +0300  /79 lines/ kai takashi <rst@coders.com>
Sent by: joel@lysator.liu.se
Imported: 2001-09-09  23:04  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External cc recipient: incidents@securityfocus.com
External cc recipient: focus-virus@securityfocus.com
External cc recipient: vulnwatch@vulnwatch.org
External cc recipient: contribute@linuxsecurity.org
External replies to: rst@coders.com
Recipient: Bugtraq (import) <19130>
Subject: Remote Shell Trojan: Threat, Origin and the Solution
------------------------------------------------------------
Overview:
On the 5th of September Qualys released a Security Warning regarding
a Linux based virus. This virus was called the "Remote Shell Trojan"
(RST) and it attacks Linux ELF binaries. It has replicating
abilities: when run it will infect all binaries in /bin and the
current working directory. Besides that it also spawns a process
listening on UDP port 5503. When a properly crafted packet is
received by this process it will connect back with a system shell.
Danger:
Very often viruses are not seen as a real security threat for UNIX. A
virus cannot infect binaries to which the user ID it is running under
has no write access. Even under this situation viruses can be a
threat for UNIX based operating systems: every time an infected binary
is run it will infect all binaries in the current working
directory. It is not unthinkable that a user with increased
privileges will later run a binary infected by the RST. In this way
the virus can transparently spread itself over the system. This is
especially the case in production environments or in an environment
where many users share files. This process will gather pace
once the /bin binaries are infected. Every execution of normal system
commands like 'ls' will infect all binaries in the current working
directory. In spite of the theoretical immunity UNIX has, the
situation described here is not unlikely to happen in many human
situations. The backdoor process can give unprivileged people
access to your system under the user ID the backdoor process is
running as. Attackers can attempt to get higher privileges on the
system from there.
Origin:
RST was developed by us as a research project and intended only for
internal use on our systems. Our goal was to analyse how a
non-privileged virus could affect a system running Linux in a normal
work environment. Things however didn't go as they were intended to
go. An infected binary accidentally leaked out of our research lab and
came into the hands of so-called "scriptkiddies". They infected their
own systems and other systems they had access to. From this
point the virus seemed to spread in the wild. This should never have
happened and we truly apologize that it did.
Our main concern now is that the spread of this virus gets stopped
and that all the infected hosts get cleaned as soon as possible. As of
now the format of the specially crafted packet sent to the listening
backdoor process is unknown to the public. But this might eventually
get reverse engineered in the future and RST can then be actively
abused by other people.
Solution:
We have created a set of utilities which can recursively detect and
remove the virus from the system. It also has the option to make
binaries IMMUNE to future infection by the RST. We put our best
effort into making these utilities as easy to use as possible. And we
STRONGLY RECOMMEND that you run these to see if you are infected and
to remove the RST from all the infected binaries. We especially
recommend that multiuser systems make their system immune to the RST
as the risks for these systems are much higher. Immunisation works by
increasing the size of the text segment by 4096 bytes so that the
"hole" between the text and data segments is gone. After this there's
no space for the RST to add itself to the binary anymore.
The interface to these programs is simple and self-explanatory. The
user can decide whether he wants to automatically detect and remove
the RST on the system recursively or if he wants to apply the remover
on a per-binary basis. In this mode he can also get an individual
status report on whether this binary is infected, immune or
innocent. Sample usage would be:
% perl Recurse.pl remove
For more information regarding this read the included documentation.
Conclusion:
Again we strongly recommend that anybody running Linux runs the
detector to see if their system is infected. Even if they do not
expect anything, they can always optionally immunise their
system. This is the only way we can fight the further spread of this
virus. Again we apologise for all the inconvenience this may have
caused. But maybe we can see it as a lesson that Linux and UNIX are
not immune to viruses.
Regards,
        - anonymous
(7074741) /kai takashi <rst@coders.com>/--(Rewrapped)
Attachment (application/x-gzip) in text 7074742
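Editor's added example (not the author's kill_rst utilities, whose internals the post does not describe, and not a detector for RST itself, whose byte signature the post does not give). The immunisation described above works by padding the text segment so that the file "hole" between the end of the text segment and the start of the data segment disappears. The Python below parses the ELF program headers of a 32- or 64-bit image, measures that hole, and reports whether the layout still leaves room for a text-segment parasite. The ELF images it runs on are constructed inline as test input; the names make_elf, text_data_gap and layout_status are this example's own.

```python
import struct

PT_LOAD = 1
PF_X, PF_W = 0x1, 0x2


def program_headers(image):
    """Return a list of dicts (type, flags, offset, vaddr, paddr, filesz, memsz, align)
    for every program header in an ELF32 or ELF64 image, either byte order."""
    if image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elf_class, encoding = image[4], image[5]
    end = "<" if encoding == 1 else ">"
    if elf_class == 2:   # ELF64: e_type..e_shstrndx follow the 16-byte e_ident
        hdr = struct.unpack_from(end + "HHIQQQIHHHHHH", image, 16)
        phdr_fmt = end + "IIQQQQQQ"
        order = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")
    elif elf_class == 1: # ELF32: note p_flags sits after p_memsz here
        hdr = struct.unpack_from(end + "HHIIIIIHHHHHH", image, 16)
        phdr_fmt = end + "IIIIIIII"
        order = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")
    else:
        raise ValueError("unknown ELF class %d" % elf_class)
    e_phoff, e_phentsize, e_phnum = hdr[4], hdr[8], hdr[9]
    return [dict(zip(order, struct.unpack_from(phdr_fmt, image, e_phoff + i * e_phentsize)))
            for i in range(e_phnum)]


def text_data_gap(image):
    """Return (text_end, data_offset, gap), all file offsets in bytes.

    text_end    - first file byte past the executable PT_LOAD's contents
    data_offset - where the first writable PT_LOAD after it starts in the file
    gap         - unused bytes between them: the hole a text-segment parasite can use
    """
    loads = [p for p in program_headers(image) if p["type"] == PT_LOAD]
    text = min((p for p in loads if p["flags"] & PF_X), key=lambda p: p["offset"])
    text_end = text["offset"] + text["filesz"]
    later_rw = [p for p in loads if p["flags"] & PF_W and p["offset"] >= text_end]
    if not later_rw:
        raise ValueError("no writable segment after the text segment")
    data = min(later_rw, key=lambda p: p["offset"])
    return text_end, data["offset"], data["offset"] - text_end


def layout_status(image):
    """'room' if the text/data hole could hold a parasite, 'closed' if it is padded shut."""
    return "room" if text_data_gap(image)[2] > 0 else "closed"


def make_elf(elf_class, text_filesz, data_offset):
    """Constructed test input: a minimal two-segment ELF, not a real binary."""
    ident = b"\x7fELF" + bytes([elf_class, 1, 1, 0]) + b"\x00" * 8
    if elf_class == 2:
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, 64, 0, 0, 64, 56, 2, 64, 0, 0)
        text = struct.pack("<IIQQQQQQ", PT_LOAD, PF_X | 0x4, 0, 0x400000, 0x400000,
                           text_filesz, text_filesz, 0x1000)
        data = struct.pack("<IIQQQQQQ", PT_LOAD, PF_W | 0x4, data_offset, 0x600000 + data_offset,
                           0x600000 + data_offset, 0x100, 0x100, 0x1000)
    else:
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, 52, 0, 0, 52, 32, 2, 40, 0, 0)
        text = struct.pack("<IIIIIIII", PT_LOAD, 0, 0x8048000, 0x8048000,
                           text_filesz, text_filesz, PF_X | 0x4, 0x1000)
        data = struct.pack("<IIIIIIII", PT_LOAD, data_offset, 0x8049000 + data_offset,
                           0x8049000 + data_offset, 0x100, 0x100, PF_W | 0x4, 0x1000)
    image = bytearray(ehdr + text + data)
    image += b"\x00" * (data_offset + 0x100 - len(image))   # zero fill out to end of data
    return bytes(image)


# Typical layout: text ends mid-page, data begins on the next page boundary.
TYPICAL_ELF64 = make_elf(2, 0x1200, 0x2000)
# Padded layout: text segment extended right up to the data segment.
PADDED_ELF64 = make_elf(2, 0x2000, 0x2000)
# i386 layout of the same shape, to exercise the ELF32 header parsing.
TYPICAL_ELF32 = make_elf(1, 0x900, 0x1000)

if __name__ == "__main__":
    for name, img in (("typical64", TYPICAL_ELF64), ("padded64", PADDED_ELF64), ("typical32", TYPICAL_ELF32)):
        text_end, data_off, gap = text_data_gap(img)
        print("%-10s text_end=0x%x data=0x%x gap=%d -> %s" % (name, text_end, data_off, gap, layout_status(img)))
```

To run it against real files, read each binary with open(path, "rb").read() and pass the bytes to layout_status(). A "closed" result only says the hole is gone; it does not prove a file is clean, and a "room" result only says the layout could host this style of parasite.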
7074742 2001-09-09 14:40 +0300  /24 lines/ kai takashi <rst@coders.com>
Attachment filename: "kill_rst.tgz"
Imported: 2001-09-09  23:04  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External cc recipient: incidents@securityfocus.com
External cc recipient: focus-virus@securityfocus.com
External cc recipient: vulnwatch@vulnwatch.org
External cc recipient: contribute@linuxsecurity.org
External replies to: rst@coders.com
Recipient: Bugtraq (import) <19131>
Attachment (text/plain) to text 7074741
Subject: Attachment (kill_rst.tgz) to: Remote Shell Trojan: Threat, Origin and the Solution
------------------------------------------------------------