From: Qualys, Inc. (research@qualys.com)
Date: Thu Jan 10 2002 - 01:09:29 CST


                     Qualys Security Alert QSA-2002-01-01
                       "Remote Shell Trojan b" (RST.b)

    Release Date:
    -------------
    January 9, 2002

    Platforms Affected:
    -------------------
    The Remote Shell Trojan RST.b, identified and examined by Qualys,
    has been verified to affect various Linux platforms. Qualys
    researchers have concluded that the backdoor functionality of this
    Trojan can be triggered through any UDP port, which makes it
    particularly easy to launch arbitrary commands on infected
    machines.

    Applications Affected:
    ----------------------
    The Remote Shell Trojan RST.b - named by Qualys after its
    backdoor functionality - differs in its activation and backdoor
    functionality from the Remote Shell Trojan identified earlier by
    Qualys in http://www.qualys.com/alert/remoteshell.html . It is
    self-replicating and has been observed to infect Linux ELF
    (Executable and Linkable Format) binary executables. Subject to
    the permissions of the user who launched it, the Remote Shell
    Trojan RST.b begins its replication in the current working
    directory and in the /bin directory.

    Technical Description:
    ----------------------
    The Remote Shell Trojan RST.b operates as both a self-replicating
    program and a remote control backdoor. Once a host has been
    infected - commonly through the execution of binary email
    attachments or downloaded software - RST.b initiates a virus-like
    self-replication process that infects additional executable
    binaries in the current working directory and in the /bin
    directory. No memory-resident infection activity has been
    identified so far.

    The Infection Process:
    ----------------------
    The infection method used by RST.b is a well-known parasite
    technique for ELF. It inserts 4096 bytes physically into the
    file between the text and data segments, then modifies the
    appropriate headers of the binary to account for the change in
    its structure. The entry point of the binary is redirected to the
    location of the parasite, so that whenever an infected binary is
    launched the Remote Shell Trojan code runs first. After calling
    ptrace() as an anti-debugging measure, RST.b issues the HTTP GET
    request "GET /~telcom69/gov.php HTTP/1.0" to port 80 on the host
    207.66.155.21 (ns1.xoasis.com). The requested content does not
    appear to exist on this host. Additionally, the infected machine
    is turned into a network sniffer by setting the promiscuous flag
    on ppp0 and eth0, and the backdoor process is created. The
    backdoor process assumes the credentials of the infected program
    and remains active even after the "host" program terminates. In
    some instances, due to a programming error in the backdoor
    process, it terminates together with the "host" program.

    The Backdoor Process:
    ---------------------
    Because the infection process puts the interfaces of an infected
    machine into promiscuous mode, the backdoor can watch for specially
    crafted UDP packets arriving on any port. An earlier posting on
    securityfocus.com on this Trojan indicated the protocol to be EGP;
    careful analysis of the binary shows this to be incorrect. To
    activate the backdoor, an attacker sends a UDP packet containing the
    three-byte ASCII string "DOM" at a specific offset. The packet also
    carries an activation code that selects the action taken by the
    backdoor process. This is either:

    1) A response UDP packet containing the three-byte ASCII string
    "DOM", sent to port 0x1111 (4369) of the attacker's host. This
    provides a simple way of querying for infected systems on the
    Internet.
    2) The execution of any command contained within the packet by
    passing it to /bin/sh -c. This gives an attacker execution of
    arbitrary commands on the target system with the credentials and
    permissions of the user who launched the infected binary.

    Qualys security researchers have been able to simulate the client
    portion for communicating with the backdoor process, however it is
    likely that one or more client programs are in use by attackers.

    Remote Shell Trojan RST.b has functionalities that have previously
    been seen in Trojans and viruses affecting other operating systems
    including Microsoft Windows. The specific components include the
    virus-like file infector, adding 4,096 bytes for the bootstrap
    segment and Trojan code. It is important to note that infected
    ELF binary files remain fully functional. Also the Remote Shell
    Trojan RST.b does not appear to apply any sophisticated stealth
    mechanisms; for example, file sizes and file modification dates
    are changed during infection and can easily be detected.
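
    The following Python script is an added example, not part of the
    Qualys advisory or its rstb_detector/rstb_cleaner tools. It applies
    the infection description above as a static heuristic: it parses
    the ELF header and section header table (ELF32 and ELF64) and
    reports a binary whose entry point does not fall inside .text,
    which is where a parasite inserted after the text segment's
    sections leaves it. The sample ELF is constructed in the script
    itself (it has no program headers and is not loadable). The
    heuristic is not a substitute for checksum tools: section headers
    may be stripped, and a more careful virus could forge them.

```python
import struct
import sys

SHF_EXECINSTR = 0x4  # section flag: contains executable code


def parse_elf(data: bytes):
    """Return (entry_point, sections) where sections is a list of
    (name, vaddr, size, flags) tuples read from the section header table.
    Handles ELF32 and ELF64 in either byte order; sections is [] when the
    section header table has been stripped."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf_class, byte_order = data[4], data[5]
    end = "<" if byte_order == 1 else ">"
    if elf_class == 1:                       # ELF32
        ehdr_fmt, shdr_fmt = "16sHHIIIIIHHHHHH", "IIIIIIIIII"
    elif elf_class == 2:                     # ELF64
        ehdr_fmt, shdr_fmt = "16sHHIQQQIHHHHHH", "IIQQQQIIQQ"
    else:
        raise ValueError("unknown ELF class %d" % elf_class)
    eh = struct.unpack_from(end + ehdr_fmt, data, 0)
    entry, shoff = eh[4], eh[6]
    shentsize, shnum, shstrndx = eh[11], eh[12], eh[13]
    if shoff == 0 or shnum == 0:
        return entry, []
    # Section header fields have the same order in both classes:
    # name, type, flags, addr, offset, size, link, info, addralign, entsize
    shdrs = [struct.unpack_from(end + shdr_fmt, data, shoff + i * shentsize)
             for i in range(shnum)]
    strtab = shdrs[shstrndx]
    names = data[strtab[4]:strtab[4] + strtab[5]]

    def name_at(idx):
        return names[idx:names.index(b"\0", idx)].decode("ascii", "replace")

    return entry, [(name_at(s[0]), s[3], s[5], s[2]) for s in shdrs]


def section_containing(addr, sections):
    """Name of the section whose [vaddr, vaddr+size) range holds addr, or None."""
    for name, vaddr, size, _flags in sections:
        if vaddr and vaddr <= addr < vaddr + size:
            return name
    return None


def entry_point_suspicious(data: bytes):
    """Heuristic: a normal binary's entry point (_start) lies inside .text.
    A parasite inserted after the text segment's sections leaves the entry
    point outside every section, or in a section other than .text.
    Returns True/False, or None when there are no section headers."""
    entry, sections = parse_elf(data)
    if not sections:
        return None
    return section_containing(entry, sections) != ".text"


def build_sample_elf64(entry=0x401000):
    """Constructed sample input: a minimal x86-64 ELF with a 16-byte .text at
    vaddr 0x401000 and a .shstrtab.  No program headers, so not loadable;
    it exists only to exercise the parser offline.  A parasite-style entry
    is simulated by pointing e_entry past the end of .text."""
    text = b"\x31\xc0\xb0\x3c\x31\xff\x0f\x05" + b"\x90" * 8
    shstrtab = b"\0.text\0.shstrtab\0"
    text_off, str_off, sh_off = 0x1000, 0x1010, 0x1040
    sh = struct.Struct("<IIQQQQIIQQ")
    shdrs = (sh.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                          # SHN_UNDEF
             + sh.pack(1, 1, 6, 0x401000, text_off, len(text), 0, 0, 16, 0)  # .text, AX
             + sh.pack(7, 3, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0))      # .shstrtab
    ehdr = struct.pack("<16sHHIQQQIHHHHHH",
                       b"\x7fELF\x02\x01\x01" + b"\0" * 9,  # ELF64, LSB, version 1
                       2, 0x3e, 1, entry, 0, sh_off, 0, 64, 0, 0, 64, 3, 2)
    img = bytearray(sh_off + len(shdrs))
    img[:64] = ehdr
    img[text_off:text_off + len(text)] = text
    img[str_off:str_off + len(shstrtab)] = shstrtab
    img[sh_off:] = shdrs
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) == 1:           # no paths given: run on the constructed samples
        print("clean sample   :", entry_point_suspicious(build_sample_elf64()))
        print("parasite sample:", entry_point_suspicious(build_sample_elf64(entry=0x401030)))
    for path in sys.argv[1:]:        # e.g. python rstb_entry_check.py /bin/*
        try:
            with open(path, "rb") as f:
                verdict = entry_point_suspicious(f.read())
        except (OSError, ValueError):
            continue                 # unreadable, or not an ELF file (scripts etc.)
        label = {True: "SUSPICIOUS", False: "ok", None: "no section headers"}[verdict]
        print("%-40s %s" % (path, label))
```

    Running it over /bin/* on an unaffected Linux host should report
    "ok" for every ELF file, since the linker places _start in .text;
    anything reported as SUSPICIOUS deserves comparison against a known
    good copy or the package manager's checksums.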

    Scope & Impact:
    ---------------
    Hosts infected with the Remote Shell Trojan RST.b can be:

    · Hijacked by the attacker
    · Employed as secondary attack platforms for further
       intrusions within or external to an organization
    · Scrutinized for information to be used in subsequent attacks
       and intrusions
    · Scoured for sensitive organizational data
    · Vandalized and/or destroyed in order to cause financial
       and/or operational harm to an organization

    Mitigating Factors:
    -------------------
    The replication process of the Remote Shell Trojan RST.b can
    only affect binary files within the access privileges of the
    user who launched the originally infected program.

    Hosts and networks protected by firewalls can be infected by
    the Remote Shell Trojan RST.b through careless security policy
    and practice regarding email attachments and downloaded software.
    However, in current versions of the Trojan, attackers cannot
    establish communication with the backdoor process if, for example,
    a dynamic packet-filtering firewall effectively prohibits
    uninitiated inbound UDP traffic at any port.

    Hosts equipped with checksum-based administration tools such as
    tripwire can be configured to identify binaries that have been
    altered by the propagation and infection activities of the
    Remote Shell Trojan RST.b.

    Recommendations:
    ----------------

    Administrators should take measures to review and perhaps
    reassess current perimeter firewall policies, particularly
    with regard to uninitiated inbound UDP communications.

    Organizational security policies relating to email attachments
    and downloaded software should be reiterated to staff and employees.

    The Remote Shell Trojan RST.b changes file dates upon infection,
    therefore administrators can examine file dates to determine
    whether a binary file has been affected.

    Because the Remote Shell Trojan RST.b changes the size and
    content of files during infection, host-based checksum tools
    should be deployed to mission-critical servers. The scope of
    such tools should include file system locations commonly used
    for the storage of executable binaries, such as /bin, /sbin,
    /usr/bin, /usr/sbin and other common locations.

    When an infected binary is launched, the resident backdoor
    process is created with the name of the infected host program.
    The process table should be examined to determine whether
    unexpected processes (e.g., ls) are present.

    On an infected system, the backdoor process creates lock
    files /dev/hdx1 and /dev/hdx2. The presence of such lock files
    is an indication for a potential infection with Remote Shell
    Trojan RST.b.

    Outgoing UDP packets containing the three-byte ASCII string
    "DOM" with destination port 0x1111 (4369) indicate a
    potentially active backdoor process.
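
    An added example, not from the advisory or its tools, showing the
    two packet shapes described under "The Backdoor Process" and the
    outbound indicator above as detection logic over raw IPv4/UDP
    packets. The advisory does not publish the offset of the "DOM"
    marker or the activation codes, so this classifier (an assumption
    on its part) searches the whole datagram for the marker, tagging a
    datagram to port 4369 as a reply and any other as a possible
    activation packet; expect and triage false positives on unrelated
    UDP traffic that happens to contain the bytes "DOM". The three
    sample packets are constructed in the script, not captured
    traffic.

```python
import socket
import struct

RSTB_MARKER = b"DOM"        # three-byte ASCII marker described in the advisory
RSTB_REPLY_PORT = 0x1111    # 4369: destination port of the backdoor's reply


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over a byte string."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(src, dst, sport, dport, payload: bytes) -> bytes:
    """Constructed IPv4+UDP packet (no link-layer header).  The UDP checksum
    is left zero, which IPv4 permits; the IPv4 header checksum is real."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp


def parse_udp_packet(pkt: bytes):
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8:      # not UDP, or truncated
        return None
    sport, dport, ulen, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:ihl + ulen]
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            sport, dport, payload)


def classify_rstb(pkt: bytes):
    """Tag a packet as RST.b traffic.
    'reply' : UDP to port 4369 carrying "DOM"      -> infected host answering a probe
    'query' : UDP to any other port carrying "DOM" -> possible activation packet
    None    : nothing of interest
    Assumption: the marker is searched for anywhere in the datagram because the
    advisory gives no offset; false positives are accepted and triaged."""
    fields = parse_udp_packet(pkt)
    if fields is None:
        return None
    _src, _dst, _sport, dport, payload = fields
    if RSTB_MARKER not in payload:
        return None
    return "reply" if dport == RSTB_REPLY_PORT else "query"


def scan(packets):
    """Run the classifier over an iterable of raw packets; return alert tuples."""
    alerts = []
    for pkt in packets:
        tag = classify_rstb(pkt)
        if tag:
            src, dst, sport, dport, _ = parse_udp_packet(pkt)
            alerts.append((tag, src, sport, dst, dport))
    return alerts


# Constructed sample traffic: a probe from an attacker to an infected host
# on the DNS port, the host's reply to 4369, and an unrelated DNS query.
SAMPLE_PACKETS = [
    build_udp_packet("203.0.113.5", "10.0.0.7", 40000, 53, b"\x00\x00DOM\x01"),
    build_udp_packet("10.0.0.7", "203.0.113.5", 53, 4369, b"DOM"),
    build_udp_packet("10.0.0.7", "10.0.0.1", 5353, 53, b"\x12\x34\x01\x00\x00\x01"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print("%-6s %s:%d -> %s:%d" % alert)
```

    On a live sensor the same classifier can be fed from a raw socket
    or a capture file; the 'reply' rule (destination port 4369 plus the
    marker) is the higher-confidence signal and matches the outbound
    indicator given above, while 'query' hits need the destination
    host checked for the other indicators.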

    Administrators, security officers, and concerned users may
    freely download Qualys-developed Remote Shell Trojan RST.b
    detection and cleaning tools from the Qualys web site at
    https://www.qualys.com/forms/remoteshellb.html

    Detection & Repair Procedures:
    ------------------------------
    Identification and cleaning tools are available from
    Qualys Inc. at https://www.qualys.com/forms/remoteshellb.html.
    In addition, users may request a free perimeter vulnerability
    scan from Qualys at the same address.

    The Qualys tool rstb_detector uses the following syntax:
    rstb_detector host [source_port dest_port] [-r n]
    It takes an IP address as a command line parameter and probes
    the requested system for the Remote Shell Trojan RST.b backdoor.
    Optional parameters allow specifying the source and destination
    UDP ports (default ports are 53) to be used by the detector to
    query for RST.b. Finally, the -r option specifies the number of
    simultaneous UDP query packets sent by the detector (n defaults
    to 1). This option is particularly useful within highly congested
    networks.

    The Qualys tool rstb_cleaner takes an infected file name as a
    command line parameter and creates a cleansed version of the
    infected file. The tool also accepts wildcard parameters
    (e.g. /bin/*). Cleaned copies of the file are created in the
    source directory with the extension .clean. Source files are
    left unchanged.

    Qualys has developed, tested and deployed a Remote Shell
    Trojan RST.b vulnerability detection signature within its
    QualysGuard online vulnerability assessment platform.

    Technical Data:
    ---------------
    QualysGuard Vulnerability ID:
    1023

    CVE Identifier:
    CAN-1999-0660

    Supplementary Information & Resources:
    An earlier posting on securityfocus.com from December 27, 2001
    on Remote Shell Trojan RST.b had inaccuracies in the analysis
    as well as lack of detection and cleaning capabilities. No
    other resources regarding the Remote Shell Trojan RST.b are
    known at present.

    At this time, the Remote Shell Trojan RST.b source code is not
    known to be available.

    Acknowledgements:
    -----------------
    The Qualys security research team has worked with security
    researchers around the world to isolate and analyze this
    Trojan. Qualys has security researchers at multiple sites
    to identify new threats and vulnerabilities as they emerge.

    Qualys Contact Information:
    ---------------------------
    1600 Bridge Parkway, Suite 201
    Redwood Shores, CA 94065
    tel. 650.801.6100
    fax. 650.801.6101
    email. research@qualys.com
    http://www.qualys.com

    Disclaimer:
    -----------
    CONFIDENTIAL AND PROPRIETARY INFORMATION Qualys provides
    this Security Advisory "As Is" without any warranty of any
    kind. Qualys makes no warranty that this Security Advisory
    or any associated information contained herein will identify
    every vulnerability in your network or host systems, or that
    the suggested solutions and advice provided in this report,
    together with the results of any associated procedures or
    recommendations contained herein, will be error-free or complete.
    Qualys shall not be responsible or liable for the accuracy,
    usefulness, or availability of any information transmitted
    in this report, and shall not be responsible or liable for
    any use or application of the information contained in
    this report.

    QSA-2002-01-01

    (c) 2002, Qualys, Inc. All rights reserved.
