Qualys Security Alert QSA-2002-01-01
"Remote Shell Trojan b" (RST.b)
January 9, 2002
The new Remote Shell Trojan RST.b, identified and examined by
Qualys, has been verified to affect various Linux platforms.
Qualys researchers have concluded that the backdoor functionality
of this new Trojan can be triggered at any UDP port, which makes
it particularly easy to launch arbitrary commands on infected
The Remote Shell Trojan RST.b, named by Qualys after its backdoor
functionality, differs in its activation method and backdoor
behaviour from the Remote Shell Trojan identified earlier by
Qualys (see http://www.qualys.com/alert/remoteshell.html).
It is self-replicating and has been observed to infect Linux ELF
(Executable and Linking Format) binary executables. Subject to the
file permissions of the user running it, the Remote Shell Trojan
RST.b begins its replication activities in the current working
directory and in the /bin directory.
The Remote Shell Trojan RST.b operates as both a self-replicating
program and a remote control backdoor. Once a host has been
infected - commonly through the execution of a binary email
attachment or of downloaded software - the Remote Shell Trojan
RST.b starts a virus-like self-replication process that infects
additional executable binaries in the current working directory
and in the /bin directory. No memory-resident infection activity
has been identified so far.
The Infection Process:
The infection method used by RST.b is the well-known ELF parasite
technique. It physically inserts 4096 bytes into the file between
the text and data segments, then adjusts the appropriate ELF
headers to account for the change in the binary's structure, and
redirects the entry point of the binary to the location of the
parasite. Whenever an infected binary is launched, the Remote
Shell Trojan code runs before the original program. After calling
ptrace to hinder analysis and debugging, RST.b issues the HTTP
request "GET /~telcom69/gov.php HTTP/1.0" to port 80 on the host
220.127.116.11 (ns1.xoasis.com). The requested content does not
appear to exist on this host. RST.b then turns the infected
machine into a network sniffer by setting the promiscuous flag on
the ppp0 and eth0 interfaces, and creates the backdoor process.
The backdoor process runs with the credentials of the infected
program and normally remains active after the "host" program has
terminated. In some instances, due to a programming error in the
backdoor process, it terminates together with the "host" program.
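The segment-padding infection described above leaves two traces in the
ELF metadata that a checksum-free scan can pick up: the entry point no
longer falls inside any executable section, and the text segment carries
a page of file data that no section header accounts for. The following
added example (written for this page, not code from Qualys or from the
Trojan) builds a constructed minimal little-endian ELF64 image, applies a
simulated text-segment padding infection with the geometry the advisory
describes (4096 bytes inserted after the text segment, later offsets
shifted, entry point redirected), and runs a heuristic detector over
both versions. The image layout, the 64-bit class, and the assumption
that the program header table precedes the insertion point are all
assumptions of the example; RST.b itself targeted 32-bit Linux binaries.

```python
import struct

PAGE = 4096                                  # RST.b inserts one page, per the advisory
PT_LOAD, PF_X, SHT_NOBITS = 1, 0x1, 8
SHF_ALLOC_EXEC = 0x2 | 0x4                   # SHF_ALLOC | SHF_EXECINSTR
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")    # ELF64 header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")            # ELF64 program header (56 bytes)
SHDR = struct.Struct("<IIQQQQIIQQ")          # ELF64 section header (64 bytes)


def parse(image):
    """Unpack the ELF header, program headers and section headers of a little-endian ELF64 image."""
    e = EHDR.unpack_from(image, 0)
    if e[0][:4] != b"\x7fELF" or e[0][4] != 2 or e[0][5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here (assumption of this example)")
    phoff, shoff, phentsize, phnum, shentsize, shnum = e[5], e[6], e[9], e[10], e[11], e[12]
    phdrs = [PHDR.unpack_from(image, phoff + i * phentsize) for i in range(phnum)]
    shdrs = [SHDR.unpack_from(image, shoff + i * shentsize) for i in range(shnum)]
    return e, phdrs, shdrs


def build_clean():
    """Constructed minimal ELF64 image (not a real program): an R+X segment holding .text at
    0x400100 and an R+W segment holding .data at 0x601000, with the section table at the end."""
    text_off, text_va, text = 0x100, 0x400100, b"\x90" * 63 + b"\xc3"
    data_off, data_va, data = 0x1000, 0x601000, bytes(0x10)
    shoff = data_off + len(data)
    img = bytearray(shoff + 3 * SHDR.size)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)          # ELF64, little-endian, SysV ABI
    EHDR.pack_into(img, 0, ident, 2, 62, 1, text_va, EHDR.size, shoff, 0,
                   EHDR.size, PHDR.size, 2, SHDR.size, 3, 0)
    img[EHDR.size:EHDR.size + 2 * PHDR.size] = (
        PHDR.pack(PT_LOAD, 5, 0, 0x400000, 0x400000, text_off + len(text), text_off + len(text), 0x1000)
        + PHDR.pack(PT_LOAD, 6, data_off, data_va, data_va, len(data), len(data), 0x1000))
    img[text_off:text_off + len(text)] = text
    img[data_off:data_off + len(data)] = data
    img[shoff:] = (SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                          # SHT_NULL
                   + SHDR.pack(1, 1, 6, text_va, text_off, len(text), 0, 0, 16, 0)   # .text
                   + SHDR.pack(7, 1, 3, data_va, data_off, len(data), 0, 0, 16, 0))  # .data
    return bytes(img)


def infect(image, parasite):
    """Simulate the text-segment padding infection: PAGE bytes inserted just past the text
    segment, every later file offset shifted, segment size grown, entry point redirected."""
    if len(parasite) > PAGE:
        raise ValueError("parasite must fit in one page")
    e, phdrs, shdrs = parse(image)
    tidx = next(i for i, p in enumerate(phdrs) if p[0] == PT_LOAD and p[1] & PF_X)
    t = phdrs[tidx]
    ins = t[2] + t[5]                                   # file offset right after the text segment
    out = bytearray(image[:ins] + parasite.ljust(PAGE, b"\0") + image[ins:])
    shoff = e[6] + PAGE if e[6] >= ins else e[6]
    EHDR.pack_into(out, 0, *e[:4], t[3] + t[5], e[5], shoff, *e[7:])   # new e_entry and e_shoff
    for i, p in enumerate(phdrs):                       # assumption: phdr table lies before ins
        p = list(p)
        if i == tidx:
            p[5] += PAGE; p[6] += PAGE                  # p_filesz / p_memsz grow by one page
        elif p[2] >= ins:
            p[2] += PAGE                                # segments after the insertion point move
        PHDR.pack_into(out, e[5] + i * e[9], *p)
    for i, s in enumerate(shdrs):
        s = list(s)
        if s[4] >= ins:
            s[4] += PAGE                                # same for section file offsets
        SHDR.pack_into(out, shoff + i * e[11], *s)
    return bytes(out)


def suspicious_entry(image):
    """Heuristic detector: return a list of findings (empty means nothing RST.b-like was seen)."""
    e, phdrs, shdrs = parse(image)
    entry, findings = e[4], []
    # 1) A normal entry point lands inside a section flagged SHF_ALLOC|SHF_EXECINSTR (.text, ...).
    if not any(s[2] & SHF_ALLOC_EXEC == SHF_ALLOC_EXEC and s[3] <= entry < s[3] + s[5] for s in shdrs):
        findings.append("entry point 0x%x is outside every executable section" % entry)
    # 2) A parasite padded into the text segment leaves file bytes no section header covers.
    for p in phdrs:
        if p[0] != PT_LOAD or not p[1] & PF_X:
            continue
        seg_end = p[2] + p[5]
        covered = max((s[4] + s[5] for s in shdrs
                       if s[1] != SHT_NOBITS and p[2] <= s[4] < seg_end), default=p[2])
        if seg_end - covered >= PAGE:
            findings.append("text segment has %d bytes past the last section it contains" % (seg_end - covered))
    return findings


if __name__ == "__main__":
    clean = build_clean()
    bad = infect(clean, b"\xcc" * 16)          # constructed stand-in for the Trojan's bootstrap code
    print("clean:", suspicious_entry(clean))
    print("infected (+%d bytes):" % (len(bad) - len(clean)), suspicious_entry(bad))
```

Both checks depend on the section header table, which the loader does not need; an infector that strips or rewrites section headers defeats them, which is why the advisory's checksum-based advice below remains the primary control and this kind of structural check is a triage aid.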
The Backdoor Process:
Because the infection process puts the infected machine's
interfaces into promiscuous mode, the backdoor observes incoming
traffic at the link layer and can therefore see specially crafted
UDP packets sent to any port. An earlier posting on
securityfocus.com on this Trojan indicated the protocol to be EGP;
careful analysis of the binary shows this to be incorrect. To
activate the backdoor, an attacker sends a UDP packet containing
the three-byte ASCII string "DOM" at a specific offset. The packet
additionally carries an activation code that selects the action
taken by the backdoor process. This is either:
1) A response UDP packet containing the three-byte ASCII string
"DOM", sent to port 0x1111 (4369) of the attacker's host. This
provides a simple way of querying for infected systems on the
Internet.
2) The execution of any command contained within the packet by
passing it to /bin/sh -c. This gives the attacker execution of
arbitrary commands on the target system with the credentials and
permissions of the infected binary that was launched.
Qualys security researchers have been able to simulate the client
portion for communicating with the backdoor process, however it is
likely that one or more client programs are in use by attackers.
Remote Shell Trojan RST.b combines functionality previously seen in
Trojans and viruses affecting other operating systems, including
Microsoft Windows: a virus-like file infector that adds 4,096 bytes
holding the bootstrap segment and the Trojan code. It is important
to note that infected ELF binaries remain fully functional. The
Remote Shell Trojan RST.b does not appear to apply any sophisticated
stealth mechanisms; for example, file sizes and file modification
dates change during infection and can easily be detected.
Scope & Impact:
Hosts infected with the Remote Shell Trojan RST.b can be:
· Hijacked by the attacker
· Employed as secondary attack platforms for further
intrusions within or external to an organization
· Scrutinized for information to be used in subsequent attacks
· Scoured for sensitive organizational data
· Vandalized and/or destroyed in order to cause financial
and/or operational harm to an organization
The replication process of the Remote Shell Trojan RST.b can only
affect binary files within the access privileges of the user who
launched the originally infected program.
Hosts and networks protected by firewalls can still be infected by
the Remote Shell Trojan RST.b through careless security policy and
practice regarding email attachments and downloaded software.
However, with current versions of the Trojan, attackers cannot
establish communication with the backdoor process if, for example,
a stateful (dynamic) packet-filtering firewall blocks unsolicited
inbound UDP traffic on every port.
Hosts equipped with checksum-based administration tools such as
tripwire can be configured to identify binaries that have been
altered by the propagation and infection activities of the
Remote Shell Trojan RST.b.
Administrators should take measures to review and perhaps
reassess current perimeter firewall policies, particularly
with regard to uninitiated inbound UDP communications.
Organizational security policies relating to email attachments
and downloaded software should be reiterated to staff and employees.
The Remote Shell Trojan RST.b changes file dates upon infection,
therefore administrators can examine file dates to determine
whether a binary file has been affected.
Because the Remote Shell Trojan RST.b changes the size and
content of files during infection, host-based checksum tools
should be deployed on mission-critical servers. The scope of
such tools should include file system locations commonly used
for the storage of executable binaries, such as /bin, /etc/bin,
/usr/bin and other common locations.
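The baseline-and-compare workflow recommended above, as an added
example written for this page (not a Qualys tool and not tripwire):
it records size, modification time and SHA-256 for every regular file
under a directory, then reports what changed between two snapshots. The
demo scenario in a temporary directory is constructed: one placeholder
"binary" grows by exactly one page, as the advisory says an RST.b
infection does, another only has its date touched, and a third appears.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Record (size, mtime_ns, sha256) for every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                               # symlinks and device nodes are not targets here
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            baseline[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns, h.hexdigest())
    return baseline


def compare(before, after):
    """Describe every difference; a content change that grows a file by exactly 4096 bytes
    is called out, since that is the size RST.b adds to each file it infects."""
    report = {}
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            report[rel] = "added"
        elif rel not in after:
            report[rel] = "removed"
        else:
            (s0, m0, h0), (s1, m1, h1) = before[rel], after[rel]
            if h0 != h1:
                note = "content changed, size %+d" % (s1 - s0)
                if s1 - s0 == 4096:
                    note += " (one page: matches RST.b's parasite)"
                report[rel] = note
            elif m0 != m1:
                report[rel] = "mtime changed, content identical"
    return report


def demo():
    """Constructed scenario: 'bin/ls' grows by one page, 'bin/cat' is only touched, 'bin/new' appears."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name in ("ls", "cat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"\x7fELF" + bytes(60))        # placeholder content, not a real binary
        before = snapshot(root)
        with open(os.path.join(bindir, "ls"), "ab") as f:
            f.write(b"\xcc" * 4096)                    # one page appended, like the parasite
        os.utime(os.path.join(bindir, "cat"), ns=(10 ** 9, 10 ** 9))   # date changed, content not
        with open(os.path.join(bindir, "new"), "wb") as f:
            f.write(b"x")
        return compare(before, snapshot(root))


if __name__ == "__main__":
    for path, finding in demo().items():
        print("%-8s %s" % (path, finding))
```

The date check the advisory suggests is cheap but only catches an infector that, like RST.b, does not restore timestamps; the hash comparison is what survives a later touch or utime, so the baseline should be stored off-host or on read-only media.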
When an infected binary is launched, the resident backdoor
process is created with the name of the infected host program.
The process table should therefore be examined for unexpected
processes (e.g., an ls process that keeps running after the
command has returned).
On an infected system, the backdoor process creates the lock
files /dev/hdx1 and /dev/hdx2. The presence of such lock files
is an indication of a potential infection with Remote Shell
Outgoing UDP packets containing the three-byte ASCII string
"DOM" with destination port 0x1111 (4369) indicate a
potentially active backdoor process.
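The network indicator above, as an added example written for this page
(not a Qualys tool): a small IPv4/UDP parser and a classifier that tags
a datagram to port 4369 carrying "DOM" as an RST.b beacon, and any other
UDP datagram carrying "DOM" as a candidate activation packet. The latter
is a broad heuristic and an assumption of the example, since the advisory
gives neither the trigger's offset nor its activation code; the sample
datagrams, addresses and ports are constructed. The source and
destination port 53 used for the constructed trigger mirrors the
defaults of the Qualys rstb_detector described later on this page.

```python
import struct
from ipaddress import IPv4Address

BEACON_PORT = 0x1111          # 4369: port the backdoor answers to, per the advisory
MARKER = b"DOM"               # three-byte trigger/response string, per the advisory


def ip_checksum(header):
    """RFC 1071 one's-complement sum over an IPv4 header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(src, dst, sport, dport, payload):
    """Constructed IPv4/UDP datagram (no link-layer header); UDP checksum left at 0 (none)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp


def parse_udp(packet):
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP datagram, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                    # honour IPv4 options
    if packet[9] != 17 or len(packet) < ihl + 8:
        return None                                 # not UDP, or truncated
    src, dst = IPv4Address(packet[12:16]), IPv4Address(packet[16:20])
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    return str(src), str(dst), sport, dport, packet[ihl + 8:ihl + max(ulen, 8)]


def classify(packet):
    """'beacon' = reply of an infected host to a scanner; 'candidate-trigger' = possible
    activation packet (heuristic, any offset); None = nothing RST.b-related."""
    parsed = parse_udp(packet)
    if parsed is None:
        return None
    _, _, _, dport, payload = parsed
    if dport == BEACON_PORT and MARKER in payload:
        return "beacon"
    if MARKER in payload:
        return "candidate-trigger"                  # real trigger uses a fixed, unpublished offset
    return None


def sample_packets():
    """Constructed traffic: a beacon, a trigger-like probe on port 53, a benign DNS query, a TCP segment."""
    beacon = build_udp("192.0.2.10", "198.51.100.7", 53, BEACON_PORT, MARKER)
    probe = build_udp("198.51.100.7", "192.0.2.10", 53, 53, b"\x00\x00" + MARKER + b"\x01id")
    dns = build_udp("192.0.2.10", "192.0.2.1", 40000, 53,
                    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x07example\x03com\x00\x00\x01\x00\x01")
    tcp = bytearray(build_udp("192.0.2.10", "192.0.2.1", 1025, 80, MARKER))
    tcp[9] = 6                                      # rewrite protocol to TCP: must be ignored
    return [beacon, probe, dns, bytes(tcp)]


def scan(packets):
    """Return (index, tag, src, dst) for every packet the classifier flags."""
    hits = []
    for i, pkt in enumerate(packets):
        tag = classify(pkt)
        if tag:
            src, dst = parse_udp(pkt)[:2]
            hits.append((i, tag, src, dst))
    return hits


if __name__ == "__main__":
    for hit in scan(sample_packets()):
        print("packet %d: %s %s -> %s" % hit)
```

On a live sensor the same two rules express naturally as IDS signatures; the beacon rule (UDP, destination port 4369, content "DOM") is specific enough to alert on, while the any-port "DOM" rule should only feed a hunt list because it will also match ordinary traffic that happens to contain those three bytes.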
Administrators, security officers, and concerned users may
freely download Qualys-developed Remote Shell Trojan RST.b
detection and cleaning tools from the Qualys web site at
Detection & Repair Procedures:
Identification and cleaning tools are available from
Qualys Inc. at https://www.qualys.com/forms/remoteshellb.html.
In addition, users may request a free perimeter vulnerability
scan from Qualys at the same address.
The Qualys tool rstb_detector uses the following syntax:
rstb_detector host [source_port dest_port] [-r n]
It takes an IP address as a command line parameter and probes
the requested system for the Remote Shell Trojan RST.b backdoor.
Optional parameters specify the source and destination UDP ports
used by the detector to query for RST.b (both default to 53).
Finally, the -r option specifies the number of UDP query packets
sent simultaneously by the detector (the default value of n is
1). This option is particularly useful on highly congested
networks.
The Qualys tool rstb_cleaner takes an infected file name as a
command line parameter and creates a cleansed version of the
infected file. The tool also accepts wildcard parameters
(e.g. /bin/*). Cleaned copies of the files are created in the
source directory with the extension .clean. Source files are
Qualys has developed, tested and deployed a Remote Shell
Trojan RST.b vulnerability detection signature within its
QualysGuard online vulnerability assessment platform.
QualysGuard Vulnerability ID:
Supplementary Information & Resources:
An earlier posting on securityfocus.com from December 27, 2001
on Remote Shell Trojan RST.b contained inaccuracies in its
analysis and offered no detection or cleaning capabilities. No
other resources regarding the Remote Shell Trojan RST.b are
known at present.
At this time, the Remote Shell Trojan RST.b source code is not
known to be available.
The Qualys security research team has worked with security
researchers around the world to isolate and analyze this
Trojan. Qualys has security researchers at multiple sites
to identify new threats and vulnerabilities as they emerge.
Qualys Contact Information:
1600 Bridge Parkway, Suite 201
Redwood Shores, CA 94065