*LINUX OS TARGETED BY NEW BREED OF TROJAN
By Shawna McAlearney, Security Wire Digest
A Trojan, Remote Shell Trojan b, is demonstrating a new twist by adding a viral component to malicious code targeting Linux systems.
"We see more of a trend targeting Linux systems--systems that are increasingly being used in corporate environments," says Gerhard Eschelbeck, vice president of engineering at Qualys. "RST.b is not currently in the wild, but it--and Trojans like it--have a much higher probability of success in compromising a system than a standard Trojan."
Since it uses any of nearly 65,000 UDP ports as a control vector, compared with only one or two ports used by most Trojans, chances of an infected system being utilized by an attacker are exponentially increased. It self-replicates and infects Linux Executable and Linking Format (ELF) binary executable programs. Once a system is infected--often through the execution of binary e-mail attachments or downloaded software--RST.b then initiates a virus-like self-replication process that infects additional executable binaries in the current working directory and in the /bin directory. No memory resident infection activities have been identified so far, according to Qualys.
"A virus-based Trojan placed on a public FTP server or Web server where many users download software could really take off," says Paul Robertson, director of risk assessment at TruSecure. (TruSecure publishes Security Wire Digest.) "When getting binary code from a public site, you need to verify its integrity before you install it. Linux admins aren't used to dealing with viral code so clean up is going to be a problem."
Systems infected with RST.b can be hijacked by the attacker, used as a secondary attack platform, searched for sensitive data or be destroyed.
"This Trojan turns any infected system into a network sniffer," says Eschelbeck. "And the tiniest hole in a firewall--for example, UDP port 53 for DNS--can be exploited."
Qualys offers free Remote Shell Trojan RST.b detection and cleaning tools
at:
Free tools
Alert:
Alert
By Shawna McAlearney, Security Wire Digest
A Trojan, Remote Shell Trojan b, is demonstrating a new twist by adding a viral component to malicious code targeting Linux systems.
"We see more of a trend targeting Linux systems--systems that are increasingly being used in corporate environments," says Gerhard Eschelbeck, vice president of engineering at Qualys. "RST.b is not currently in the wild, but it--and Trojans like it--have a much higher probability of success in compromising a system than a standard Trojan."
Since it uses any of nearly 65,000 UDP ports as a control vector, compared with only one or two ports used by most Trojans, chances of an infected system being utilized by an attacker are exponentially increased. It self-replicates and infects Linux Executable and Linking Format (ELF) binary executable programs. Once a system is infected--often through the execution of binary e-mail attachments or downloaded software--RST.b then initiates a virus-like self-replication process that infects additional executable binaries in the current working directory and in the /bin directory. No memory resident infection activities have been identified so far, according to Qualys.
"A virus-based Trojan placed on a public FTP server or Web server where many users download software could really take off," says Paul Robertson, director of risk assessment at TruSecure. (TruSecure publishes Security Wire Digest.) "When getting binary code from a public site, you need to verify its integrity before you install it. Linux admins aren't used to dealing with viral code so clean up is going to be a problem."
Systems infected with RST.b can be hijacked by the attacker, used as a secondary attack platform, searched for sensitive data or be destroyed.
"This Trojan turns any infected system into a network sniffer," says Eschelbeck. "And the tiniest hole in a firewall--for example, UDP port 53 for DNS--can be exploited."
Qualys offers free Remote Shell Trojan RST.b detection and cleaning tools
at:
Free tools
Alert:
Alert