Re: Remote Shell Trojan: Threat, Origin and the Solution

From: Kevin Gagel (Gagel@cnc.bc.ca)
Date: 09/10/01


Message-ID: <3B9CDD69.497A9D34@cnc.bc.ca>
Date: Mon, 10 Sep 2001 08:34:01 -0700
From: Kevin Gagel <Gagel@cnc.bc.ca>
To: rst@coders.com
Subject: Re: Remote Shell Trojan: Threat, Origin and the Solution

Have any expert C programmers examined the C code to see if it actually
does what the remarks say?
I am suspicious of anything that is posted anonymously, no matter how
well it's documented. I don't know C well enough to tell if the
documentation is accurately portraying what the code is really doing.

If it's not, then this is one very well crafted "socially engineered"
virus...

> RST was developed by us as a research project and intended only for internal

> go as they were intended to go. An infected binary accidentally leaked out our

> the public. But this might eventually get reverse engineered in the future and
> RST can then be actively abused by other people.
>
> Solution:
>
> We have created a set of utilities which can recursively detect and remove the
> virus from the system. It also has the option to make binaries IMMUNE for future

> % perl Recurse.pl remove
>
> For more information regarding this read the included documentation.
>
> Conclusion:

> Regards,
> - anonymous
>
> ------------------------------------------------------------------------
> Name: kill_rst.tgz
> Type: WinZip File (application/x-compressed)
> Encoding: base64
> Description: Kill the beast!

-- 
=============================
Kevin W. Gagel
Network Administrator
College of New Caledonia
gagel@cnc.bc.ca
(250)561-5848 loc. 448
=============================
--------------------------------
The College of New Caledonia
Visit us at http://www.cnc.bc.ca
--------------------------------

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com