Linux based Trojan gets a closer look

posted onSeptember 10, 2001
by hitbsecnews

In light of the interest in the recently discovered Linux based Remote Shell Trojan, vnunet.com has uncovered more details of the worm's functionality in a bid to dispel any fear, uncertainty and doubt.
Security experts analysing the Trojan have said that it infects Linux Executable and Linking Format (ELF) files, initially surfacing in the /bin directory.

It should be noted, however, that infected ELF files will remain fully functional so as to hide the infection.

The program displays some virus-like qualities such as self-replication via email. It also installs a backdoor in the infected host, listening on UDP port 5503 or higher.

An attacker could connect to this port via TCP and potentially take control of the machine, as they would have shell access at the permission level of the user executing the virus.

So far, no memory resident infection activities have been identified.

According to analysis, the Remote Shell Trojan does not appear to apply any sophisticated stealth mechanisms: for example, file sizes and file modification dates are changed during infection and can easily be detected.

This means that host-based checksum tools deployed on mission critical servers should be able to detect infection.

The scope of such tools should include file system locations commonly used for the storage of executable binaries, such as /bin, /etc/bin, and /usr/bin, and other common locations.

An infected system also creates a lockfile in reference to the back door; this will appear as '/tmp/982235016-gtkrc-429249277'. The presence of this lockfile is an indication of a potential infection with the Remote Shell Trojan.

According to security firm Qualys, which claims discovery of the virus, it commonly arrives via binary email attachments or downloaded software.

Qualys said that the proliferation of Linux servers on the internet mean that potentially, this virus could hit harder than Code Red, but only if executed by unwary users.

A host infected with the Remote Shell Trojan could be: hijacked by the attacker; employed as secondary attack platforms for further intrusions within or external to an organisation; scrutinised for information to be used in subsequent attacks and intrusions; scoured for sensitive organisational data; or vandalised and/or destroyed in order to cause financial and/or operational harm to an organisation.

Apparently organisations whose systems have been compromised by the Remote Shell Trojan may now inadvertently fall foul of the Data Protection Act, added Qualys.

More information and methodology for eliminating the virus can be found here.

VnuNet.

Source

Tags

Networking

You May Also Like

Other Articles In This Section

Recent News

Tuesday, July 9th

China's APT40 gang is ready to attack vulns within hours or days of public release
AI-Powered Super Soldiers Are More Than Just a Pipe Dream
The president ordered a board to probe a massive Russian cyberattack. It never did.
Massive car dealer ransom attack is mostly over after 2 weeks of work-arounds

Wednesday, July 3rd

“RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux
Two of the German military’s new spy satellites appear to have failed in orbit

Friday, June 28th

Indonesian Airports, Data Centres Hit By Worst Cyberattack in Years
Cisco Talos warns of wider security implications following Snowflake breach

Thursday, June 27th

I Wore Meta Ray-Bans in Montreal to Test Their AI Translation Skills. It Did Not Go Well
Researchers upend AI status quo by eliminating matrix multiplication in LLMs
YouTube tries convincing record labels to license music for AI song generator
Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk
Julian Assange to plead guilty but is going home after long extradition fight

Thursday, June 13th

Hackers show off jailbroken checkm8-vulnerable iPad and Apple TV running iPadOS 18 & tvOS 18 respectively
One of the major sellers of detailed driver behavioral data is shutting down
Turkish student creates custom AI device for cheating university exam, gets arrested

Wednesday, June 12th

Chinese-Made Biometric Access System Has 24 Vulnerabilities
Apple and OpenAI currently have the most misunderstood partnership in tech
Adobe to update vague AI terms after users threaten to cancel subscriptions
China state hackers infected 20,000 Fortinet VPNs

Tuesday, June 11th

Russia Is Targeting Germany With Fake Information as Europe Votes
Apple announces macOS 15 Sequoia with window tiling, iPhone mirroring, and more
Apple integrates ChatGPT into Siri, iOS, and macOS
British police to scan 480,000 Formula 1 fans’ faces at Silverstone
Hackers steal “significant volume” of data from hundreds of Snowflake customers

Friday, June 7th

7,000 LockBit decryption keys now in the hands of the FBI, offering victims hope
FCC pushes ISPs to fix security flaws in Internet routing
Can a technology called RAG keep AI models from making stuff up?
How to Lead an Army of Digital Sleuths in the Age of AI

Thursday, June 6th

Mystery object waits nearly an hour between radio bursts
Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab
Ex-Microsoft security expert torches Windows' new 'Recall' feature
The Age of the Drone Police Is Here

Wednesday, June 5th

Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File
TikTok Hack Targets ‘High-Profile’ Users via DMs