9. Remote shell trojan (RST)

 

The superior man understands what is right; the inferior man understands what will sell.

 Confucius

On Silvio Cesare's site is a text file named elf-pv.txt. Complete title is "Unix ELF Parasites And Virus", dated October 1998. It gives some background and then describes the gap between code and data segment, as illustrated in readelf (for some strange reason he does not mention that command anywhere).

At the end of the text is an uuencoded file unix-linux-pv-src.tgz containing sources. The package is also available as plain vit-src.tgz. [7]

[…] The name of this virus by curiosity was given by the people at F-Prot [1] who noticed the virus created a temp file using the letters VIT.

In another text he calls the concept "the text segment padding virus (padding infection)".

Anyway, the code is hard to read as he started development with a piece of plain C and applied several transformations. It seems that he released the stuff the very second it produced results.

9.1. Three years later

"Remote Shell Trojan: Threat, Origin and Solution" [2] is dated 10/9/2001.

Perhaps they had to cut out all interesting details to protect their source. But what I read on that page makes little sense to me. Supposedly script kiddies [3] got hold of experimental back door code and planted it on sites they had access to. No names, dates, sites or legal consequences given. No details on the method used by intruders to gain access.

[…] From this point, the virus seemed to spread in the wild.

Well, how does it spread? There is no reference to a root exploit, either local or remote. It is explained that if root starts an infected program owned by another user, a virus can pollute the whole system. But how many people really do this? [4] And the question on how the virus spreads to other machines remains.

It is plausible that script kiddies copy root kits (including viral back doors) wholesale to cracked machines. It is possible to combine a remote exploit with such a virus to build a persistent worm, though creative work of this extent is by definition out of reach for script kiddies. But in both cases the problem is the used exploit, not the qualities of the installed back door.

Anyway, the concluding remark is strange: [5]

[…] Again, it is strongly recommend that anybody running Linux run the detector to see if their system is infected. Even if they do not expect anything, they can always optionally immunize their system. This is the only way we can fight the further spread of this virus.

Attached to the article is Perl and C code that detects and vaccinates against RST. Though I never encountered the culprit, seeing the antidote makes me sure it is a variation of Silvio Cesare's concept.

I am certain that both of my scanners, Turn the pages and Second scan, would detect RST, if I had a copy (add collecting to my list of incompetencies). And that a deactivated infection with One step closer to the edge has the same effect as the immunizer on that site.

Anyway, the code checks whether the entry point is exactly 4096 from the end of the code segment. If not, the executable is considered immune. This gets fooled by both the simple alignment in Copy & infect (which makes the distance less than 4096) and the improvements made in The entry point.

psize = (textseg.p_vaddr + textseg.p_filesz) - ehdr.e_entry;
poffset = (textseg.p_offset + textseg.p_filesz) - psize;
if (psize != 4096)
  return 0; /* Binary already cleaned */

The code also tries to clean infected executables by restoring the entry point. I don't trust that part, however:

// read original entry point, that according to my reverse engineering
// is stored on the parasite at offset 1
if (fseek(fp, poffset+1, SEEK_SET)!=0) goto err;
if (fread(&oldentry, 4, 1, fp) != 1) goto err;
  
// restore the binary's entry point to point to the real program again,
// avoiding the execution of the parasite code.
// this pernamently disables the parasite code and makes the binary immune
// to further infection attempts.
ehdr.e_entry = oldentry;
if (fseek(fp, 0, SEEK_SET) != 0) goto err;
if (fwrite(&ehdr, sizeof(ehdr), 1, fp) != 1) goto err;

I can't see any attempt to verify the retrieved address. Silvio Cesare's classic pieces stored the original entry point at a non-intuitive address in the middle of infective code.

9.2. The lighter side

Above code contains everything to build an infector. Obviously it is written from reverse angle. Posted on a HTML page without <pre> or <tt> tags. And there are no references to preceding works and authors. But these are all inevitable constraints of trojan source code (term invented by me, right now). By delivering a good show it is possible to trick unsuspicious high-bandwidth sites into hosting educational material of the guild.

9.3. Another three months later

"New Linux Backdoor Virus Gains Smarts" [6] is dated 05 Jan 2002.

What does the title mean? I feel very illiterate. Does it really fit this text?

[…] To date there have been "limited" reports of the new RST variant in the wild, according to Eschelbeck. To replicate, the virus requires users to run an infected program from an account with "root" permissions. Upon execution, the infected program will attempt to spread the virus to all ELF files on the local system, he said.

If the virus cannot gain root on it's own devices, left alone reach other machines, how does it propagate at all? If this is just a fancy kind of back door then it must have been planted after a successful attack. What type of attack? What vulnerability? On what distributions? Are there updates available? What does CERT [7] say about it?

[…] However, Russell said it would be "dead simple" to attach the virus to a useful program, such as a tool that exploits a security hole, and beguile some users into running it.

The first sentence is funny. Do they really say that an exploit is a useful program? Or does this just mean that "Remote Shell Trojan" is not a trojan according to my definition?

To me it summarizes like this: On some cracked machines a new kind of back door was found. Period.

9.4. The serious side

There is a lot of documentation in the net. For example the Security-HOWTO [8] tells this in section "10. What To Do During and After a Breakin": [9]

[…] Re-installation should be considered mandatory upon an intruder obtaining root access. […]

There is a Unix-FAQ [10] which explains trivia like "What's wrong with having '.' in your $PATH?" [11] More specific information is the FAQ [12] of comp.security.unix and comp.security.misc. Another interesting piece is "Steps for Recovering from a UNIX or NT System Compromise" [13] And "Unix System Security" [14] confronts you with

The best place to start is by reading articles, such as:

  • Guide to Cracking Unix [15]

  • Usenet computer-security FAQ files [16]

  • Compromise FAQ [17]

Finally we have the suicide methods FAQ. [18]

News sites seem to avoid the topic of prevention like the plague. For some yet unknown reason readers are given no hint to educate themselves, or question the sanity of day-to-day behavior. Security incidences are described as act of evil forces beyond mortal control. Instead I detect a strange appeal for magic tools that can cure disease after contagion [19]

There might come the time of a completely brain washed user base taking incredible risks every day. This could be a major opportunity for the folks coding trojans. And perhaps, if dumbed down customers exert enough pressure on vendors, the security concepts implemented today might be rendered inactive on a default installation. [20]

9.5. Another theory

"Rare Linux virus on the loose" [21] is dated 03-01-2002.

[…] The researchers warned that the culprit carrying the virus is likely to be "some exploit being passed around, possibly a Secure Shell one". Linux users are advised not to run exploits from unknown sources. […]

The article does not back this up with facts. But the idea itself is interesting.

One of the strongest obstacles to virus spread is the distribution concept of Linux. Typical installation method is a set of CDs from a single vendor. Probably a lot of people don't buy the disks but copy them. However, it is quite difficult to infect ISO-9660 images. Even more if the CDs are copied on the fly using two drives.

Most other software is downloaded from a specific site. Either a central repository like http://www.sourceforge.org/ or registered on a place like http://www.freshmeat.net/. Should such a download site ever get infected by a virus there is just a single place to shut down. Some sites are mirrored to share bandwidth demands. But most mirrors are set up to automatically take over changes on a daily or weekly base. So I guess that all "official" sources of infected software will dry up fast. Something similar actually happened. See the story of the irssi 0.8.4 backdoor. [22]

On the other hand 0-day exploits are traded in secrecy. From one hand to the other. Without authoritative origin. And little incentive to raise public attention.

But then I doubt that script kiddies [3] called in security consultants after infecting their own machines. It might be possible that white hat administrators tested such an exploit on their own production machines. I agree with the citation that this is a stupid thing to do. But in that case the administrators would still have the original binary they executed. Which would clarify the issue beyond doubt. To me "is likely to be" means that someone might have installed the virus without knowing it, but on a machine already rooted. Big deal.

Notes

[1]

http://www.f-prot.com/f-prot/

[2]

http://www.securiteam.com/unixfocus/5MP022K5GE.html

[3]

http://www.tuxedo.org/~esr/jargon/html/entry/script-kiddies.html

[4]

A poll on http://www.slashdot.org/ might give answer.

[5]

We should make another poll on "http://www.slashdot.org/ about how many people used the detector. It must have been all of them. Or is there another explanation that the predicted catastrophe did not occur?

[6]

http://www.newsbytes.com/news/02/173408.html

[7]

http://www.cert.org

[8]

http://www.tldp.org/HOWTO/Security-HOWTO.html

[9]

http://www.tldp.org/HOWTO/Security-HOWTO-10.html

[10]

http://www.faqs.org/faqs/unix-faq/faq

[11]

http://www.faqs.org/faqs/unix-faq/faq/part2/section-13.html

[12]

http://www.faqs.org/faqs/computer-security/most-common-qs/preamble.html

[13]

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

[14]

http://www.washington.edu/R870/Security.html

[15]

http://stimpy.cac.washington.edu/~dittrich/R870/cracking_guide.html

[16]

http://www.cis.ohio-state.edu/hypertext/faq/usenet/computer-security/

[17]

http://http://www.cis.ohio-state.edu/hypertext/faq/usenet/computer-security/compromise-faq/faq.html

[18]

http://www.faqs.org/faqs/suicide_methods

[19]

The second article links to http://www.qualys.com, which even seems to sell them.

[20]

http://newsforge.com/article.pl?sid=02/01/25/1811226&mode=thread

[21]

http://www.vnunet.com/News/1127965

[22]

http://real.irssi.org/?page=backdoor