Re: RST.B .... can anyone shed some light?

From: Rick Moen (rick_at_linuxmafia.com)
Date: 01/17/05


Date: Mon, 17 Jan 2005 00:23:16 GMT

twism78@gmail.com wrote:

> My name is Dave Rosendahl, and unfortunately it seems one of my
> company's servers has been hit by the RST.B virus.

No, it wasn't. RST.B (Remote Shell Trojan, variant B), in itself, lacks
the ability to break into anything. Judging by your account, someone
_ran_ it on your local system, thereby appending it to one or more
binaries. (You haven't bothered to tell us why you believe the thing to
be present, or where.)

If you mean you detected it in a privileged system binary, then whoever
put it there must have done so using a privileged login. For example,
an intruder who broke in using other means might have installed a
rootkit that included a copy of RST.B, installing the latter as a
modification to system binaries in order to keep its (RST.B's) UDP-based
backdoor access open.

If all you have is some fool running a RST.B-infected binary in his own
home directory, it's pretty much a non-problem. (He's injured only
himself, really.) On the other hand, if it's in something with
system-level authority (root-user or similar), then you need to worry:

As always with rootkits and other post-attack tools, what you as the
sysadmin should be thinking about is not the post-attack tools but
rather...

o recovery from the root compromise
o prevention of repeats
o hardening the system against similar attacks
o defence in depth
o identification of the attacker (optional)
o detection of future incursions

That's my laundry-list from my old IDG security article,
http://security.itworld.com/4352/LWD000829hacking/pfindex.html

My analysis of all known Linux malware, including RST:
http://linuxmafia.com/~rick/faq/index.php?page=virus#virus5

-- 
Cheers,                                      Hardware:  The part you kick.
Rick Moen                                    Software:  The part you boot.
rick@linuxmafia.com
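The reply above describes RST.B as something that gets appended to binaries already on the system, and lists detection of future incursions among the sysadmin's jobs. As an added illustration of that defender-side check, not code from this thread or from Rick Moen, the following Python heuristic reports bytes that sit beyond what an ELF64 file's own headers account for; the struct layouts, the helper names and the constructed sample image are my assumptions.

```python
import struct

# Assumed layouts (ELF64, little-endian); these formats are mine, not the page's.
ELF64_HDR = "<16sHHIQQQIHHHHHH"   # file header, 64 bytes
ELF64_SHDR = "<IIQQQQIIQQ"        # section header entry, 64 bytes
SHT_NOBITS = 8                    # section takes no file space (e.g. .bss)

def expected_file_end(data):
    """Highest file offset accounted for by the ELF's own headers,
    or None if the input is not a little-endian ELF64 image."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    (_, _, _, _, _, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, _) = struct.unpack_from(ELF64_HDR, data, 0)
    end = max(64, e_phoff + e_phentsize * e_phnum, e_shoff + e_shentsize * e_shnum)
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        if off + 64 > len(data):
            break                 # truncated table; stop rather than mis-read it
        (_, sh_type, _, _, sh_offset, sh_size,
         _, _, _, _) = struct.unpack_from(ELF64_SHDR, data, off)
        if sh_type != SHT_NOBITS:
            end = max(end, sh_offset + sh_size)
    return end

def trailing_bytes(data):
    """Bytes past the last header-described offset: 0 for a clean image.
    Heuristic only: a fully stripped file (e_shnum == 0) would also need its
    segment extents checked, and verifying installed binaries against the
    package manager's recorded hashes remains the primary integrity check."""
    end = expected_file_end(data)
    return None if end is None else max(0, len(data) - end)

def build_sample_elf():
    """Constructed minimal ELF64 image: header, one 16-byte code section at
    offset 64, then a two-entry section header table at offset 80 (208 bytes)."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9
    text = b"\x90" * 16
    hdr = struct.pack(ELF64_HDR, ident, 2, 0x3E, 1, 0x400040, 0, 64 + len(text),
                      0, 64, 56, 0, 64, 2, 0)
    null_sh = struct.pack(ELF64_SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    text_sh = struct.pack(ELF64_SHDR, 1, 1, 6, 0x400040, 64, len(text), 0, 0, 16, 0)
    return hdr + text + null_sh + text_sh

if __name__ == "__main__":
    clean = build_sample_elf()
    tampered = clean + b"X" * 40    # constructed stand-in for appended data
    print(trailing_bytes(clean), trailing_bytes(tampered))   # 0 40
```

Run over a directory of system binaries, any non-zero result is a candidate for comparison against a known-good copy, not proof of infection by itself.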

