Re: Remote Shell Trojan: Threat, Origin and the Solution

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: 09/10/01


Message-Id: <200109092247.KAA25196@fep4-orange.clear.net.nz>
From: "Nick FitzGerald" <nick@virus-l.demon.co.uk>
To: bugtraq@securityfocus.com
Date: Mon, 10 Sep 2001 10:47:16 +1200
Subject: Re: Remote Shell Trojan: Threat, Origin and the Solution


"anonymous" <rst@coders.com> wrote:

> On the 5th of September Qualys released a Security Warning regarding a Linux
> based virus. This virus was called the "Remote Shell Trojan" (RST) and it
> attacks Linux ELF binaries. It has replicating abilities: when run it will
> infect all binaries in /bin and the current working directory. Besides that,
> it also spawns a process listening on UDP port 5503. When a properly crafted
> packet is received by this process it will connect back with a system shell.
<<snip>>

To the best of my knowledge, neither Qualys nor yourselves (or anyone
else) has provided samples of this virus to the usual antivirus
research community. You are more likely to have a fix for this virus
reach where it is needed through those established and now fairly
well-honed delivery systems than by posting to a public mailing list.

If you or Qualys wish to provide such samples to the antivirus
research community, please send the samples where you would normally
send virus samples. If you do not have a preferred vendor or
vendors, here is a list of the sample submission addresses of the
better known antivirus developers -- please choose the vendor(s) you
feel happy trusting such code to and supply them with a sample:

   Command Software <virus@commandcom.com>
   Computer Associates (US) <virus@cai.com>
   Computer Associates (Vet/IPE) <ipevirus@vet.com.au>
   DialogueScience (Dr.Web) <Antivir@dials.ru>
   Eset (NOD32) <trnka@eset.sk>
   F-Secure Corp. <samples@f-secure.com>
   Frisk Software <viruslab@complex.is>
   Kaspersky Labs <newvirus@avp.ru>
   Network Associates (US) <virus_research@nai.com>
   Norman (NVC) <analysis@norman.no>
   Sophos Plc. <support@sophos.com>
   Symantec <avsubmit@symantec.com>
   Trend Micro <virus_doctor@trendmicro.com>

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
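The quoted advisory gives one host-level indicator that can be checked without a sample in hand: a process bound to UDP port 5503. The script below is an added example, not code from the original post, from Qualys, or from any antivirus vendor listed above. It parses the Linux /proc/net/udp table (hex "IP:PORT" fields, IPv4 stored little-endian) and reports bound UDP sockets, flagging any on the port the advisory attributes to RST. The sample table embedded in it is constructed for illustration, not captured from an infected machine. The port number is the only detail taken from the page; the column layout of /proc/net/udp is the kernel's documented format, and everything else is an assumption about the host being examined.

```python
"""Find UDP listeners on the port the quoted advisory attributes to RST.

/proc/net/udp has one line per UDP socket. Column order is:
  sl local_address rem_address st tx_queue:rx_queue tr:tm->when retrnsmt uid ...
local_address is hex "IP:PORT"; the IPv4 address is a little-endian 32-bit
word. A bound socket with rem_address 00000000:0000 has no peer, i.e. it is
waiting for datagrams. Only the port number (5503) comes from the advisory.
"""
from __future__ import annotations

import socket
import struct
from pathlib import Path

RST_UDP_PORT = 5503  # port reported in the quoted Qualys advisory


def parse_hex_addr(field: str) -> tuple[str, int]:
    """Turn '0100007F:157F' into ('127.0.0.1', 5503)."""
    ip_hex, port_hex = field.split(":")
    # The kernel prints the IPv4 address as a little-endian 32-bit word.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def udp_listeners(proc_net_udp_text: str) -> list[tuple[str, int, int]]:
    """Return (local_ip, local_port, uid) for every bound UDP socket with no peer."""
    listeners = []
    for line in proc_net_udp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 8:
            continue  # blank or truncated line
        local, remote, uid = fields[1], fields[2], int(fields[7])
        if remote != "00000000:0000":
            continue  # socket is connected to a peer, not waiting for input
        ip, port = parse_hex_addr(local)
        listeners.append((ip, port, uid))
    return listeners


def suspicious_rst_listeners(proc_net_udp_text: str) -> list[tuple[str, int, int]]:
    """Subset of udp_listeners() bound to the port the advisory reports for RST."""
    return [entry for entry in udp_listeners(proc_net_udp_text)
            if entry[1] == RST_UDP_PORT]


# Constructed sample of /proc/net/udp (assumption, not a real capture):
# a resolver-style socket on 127.0.0.1:53, a DHCP client on 0.0.0.0:68, and a
# root-owned socket bound to 0.0.0.0:5503 (0x157F).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
   1: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 0000000000000000 0
   2: 00000000:157F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12347 2 0000000000000000 0
"""

if __name__ == "__main__":
    proc_file = Path("/proc/net/udp")
    text = proc_file.read_text() if proc_file.exists() else SAMPLE_PROC_NET_UDP
    for ip, port, uid in suspicious_rst_listeners(text):
        print(f"UDP socket bound on {ip}:{port} (uid {uid}) matches the port reported for RST")
```

Run it as root on the host under suspicion, or feed it a copied-out /proc/net/udp from a forensic image. A hit on 5503 is a lead, not a verdict: the port could be in legitimate use, and a compromised host's own kernel and tools may misreport, so confirm with a probe from a separate machine and, for the ELF infection itself, compare /bin against package manager checksums or known-good media rather than trusting the host's own binaries.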
