RST
Type File virus
Creator
Date Discovered 05-SEP-2001
Place of Origin
Source Language
Platform Linux
File Type(s) ELF
Infection Length 6,973 bytes
Reported Costs

RST is a Linux virus that opens backdoors allowing attackers to take control of systems. Its B variant became quite prevalent in the early 2000s. Its name stands for "Remote Shell Trojan", as it opens a backdoor that listens for commands from an attacker.

Behavior

When executed, RST checks whether it is being traced with ptrace (as a debugger would) and, if so, stops execution. Aside from this, it makes no attempt to hide itself: infected files will appear larger and carry a modification date of the day they were infected. If it is not being traced, it infects all Linux ELF binaries in the current directory. It patches the header and moves the entry point to the virus. It relocates all data after the original host code to the end of the viral code. It then tries to infect ELF files in the /bin folder. As it does not try to exploit any vulnerabilities to elevate privileges, it will have to be run as root, or as a user configured to write to files in that directory, to succeed at this.

The virus then begins its backdoor routine. It attempts to create two new device files, "/dev/hdx1" and "/dev/hdx2", and on succeeding at this, checks for the network interfaces "eth0" and "ppp0" and tries to set them to promiscuous mode. It also tries to create an "Exterior Gateway Protocols" raw socket, and puts it into listening mode on port 5503 or above. When an EGP packet arrives it checks for the value 0x11 in the 23rd byte, then a 3-byte string at the offset 0x2a in the buffer. If these two conditions are met, it checks for a byte of "1" or "2". If this byte is "1", it opens a standard "/bin/sh" shell, which allows a remote attacker access to the system.

It issues an HTTP GET request to port 80 on host 212.15.64.41 (orinoco.portland.co.uk); the intended purpose of this request has not yet been determined.

The body of the virus contains the strings "snortdos" and "tory", neither of which are actually used.

Variants

RST.B

RST.B, the second iteration of the virus, became more widespread than the original. It was discovered on the 21st of December in 2001. It is 4,096 bytes long.

Infection

When an infected file is executed, RST.B first determines its base address, something it strangely doesn't use for anything, as it is written to use relative addresses. The only hard-coded memory address is the saved start point of the original program. The main virus subroutine starts with a fork call. The child exits this routine, transferring control to the original program's code. For example, if the user runs "ss" while it is infected, it will display information about network sockets.

The parent continues execution and checks to see if ptrace is being run and exits if it is. This hinders the ability of the user to debug the virus. RST.B then scans the current working directory for infectable ELF files, then changes to /bin and infects files there.

This variant inserts its code in a gap between the text and data segments of the file, and chooses a logical memory address that doesn't interfere with other segments. It changes the start address of the binary to point to the address where it will be loaded when the file is run. The virus saves the original start address and uses it to execute the original program after it forks a copy of itself. The entry point of the binary is modified to jump to the location of the parasite.
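Both RST.A (body appended after the host code) and RST.B (body placed in the text/data gap) work by repointing the ELF entry point at the parasite. The following triage script is an added example, not code from the write-up or from any of the cited vendors: it parses the ELF32/ELF64 header and program headers and reports where e_entry lands. The `tail` window and the `make_elf32` sample builder are assumptions of this example.

```python
import struct

PT_LOAD, PF_X = 1, 1

def parse_elf(data):
    """Return (e_entry, [(p_vaddr, p_filesz, executable), ...]) for an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        raise ValueError("not an ELF32/ELF64 image")
    is64 = data[4] == 2
    hdr = struct.unpack_from("<16sHHIQQQIHHHHHH" if is64 else "<16sHHIIIIIHHHHHH", data, 0)
    entry, phoff, phentsize, phnum = hdr[4], hdr[5], hdr[9], hdr[10]
    segs = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:   # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
            p_type, p_flags, _, p_vaddr, _, p_filesz, _, _ = struct.unpack_from("<IIQQQQQQ", data, off)
        else:      # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
            p_type, _, p_vaddr, _, p_filesz, _, p_flags, _ = struct.unpack_from("<8I", data, off)
        if p_type == PT_LOAD:
            segs.append((p_vaddr, p_filesz, bool(p_flags & PF_X)))
    return entry, segs

def entry_verdict(data, tail=8192):
    """Classify where e_entry lands. A compiler-produced _start sits near the front of
    the text segment, so an entry in the last `tail` bytes of the executable segment,
    in a non-executable segment, or outside every PT_LOAD deserves a closer look.
    `tail` is a heuristic of this example (and will misfire on tiny binaries)."""
    entry, segs = parse_elf(data)
    for vaddr, filesz, executable in segs:
        if vaddr <= entry < vaddr + filesz:
            if not executable:
                return "suspicious: entry in non-executable segment"
            if entry >= vaddr + filesz - tail:
                return "suspicious: entry within %d bytes of segment end" % tail
            return "ok"
    return "suspicious: entry outside every PT_LOAD segment"

def make_elf32(entry, text_vaddr=0x08048000, text_filesz=0x10000):
    """Constructed sample: minimal ELF32 (i386) header plus one R+X PT_LOAD segment."""
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + b"\0" * 9,
                       2, 3, 1, entry, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<8I", PT_LOAD, 0, text_vaddr, text_vaddr,
                       text_filesz, text_filesz, 5, 0x1000)
    return ehdr + phdr
```

Run `entry_verdict(open(path, "rb").read())` over the binaries in a directory such as /bin to get a first-pass list of files whose entry point does not look compiler-generated.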

Remote Shell Trojan

After any executable binary has been infected and is launched, the Remote Shell Trojan code is executed. To install this backdoor, it first registers a handler routine for the SIGCHLD signal, which waits for any child processes to exit before continuing. It then forks itself into two mostly identical sections, one handling the eth0 interface, while the other deals with ppp0. The ppp0 branch begins by attempting to create a file named /dev/hdx1. If it fails, the section exits. If it succeeds, it sets the file descriptor flag to O_ATOMICLOOKUP. This process essentially serves as a semaphore: if another copy of the virus is run while the first is still running, it will exit. The same process takes place for the eth0 branch, but it checks /dev/hdx2 instead.

The two copies then allocate a socket of type SOCK_PACKET, protocol EGP, for their respective interface. Both branches then set their interface to promiscuous mode, which will allow them to read all traffic off of their network segment, much of which is not addressed to them. This allows the virus to obtain copies of all packets that are marked as Exterior Gateway Protocol (EGP) packets. This type of communication is normally used for router-to-router communications, and had been falling out of use. The netstat command will not give any indication that the network interfaces are listening using this protocol, though the ifconfig command will show the interfaces in promiscuous mode.

After calling ptrace to prevent analysis and debugging, RST.B contacts a web server, presumably to send system information to be logged there. It contacts the IP address 207.66.155.21 (ns1.xoasis.com) at TCP port 80, sending the command 'GET /~telcom69/gov.php HTTP/1.0'. As soon as it sends the request, it drops the connection, not bothering to wait for a response.

Both copies enter an infinite loop, reading the contents of their respective sockets into a buffer and waiting for a specially formatted packet containing a command. Such a packet must be an EGP packet, have a time to live of 17 when it reaches the victim, and carry a password of DOM.

RST.B accepts two commands found in appropriate places in the packet, which are passed to "/bin/sh -c". The first command marked by a "1" provides a method of executing commands on the victim. The second command is marked by a "2". It will cause the password to be sent to an IP address contained in the packet over UDP port 4369. The virus is hard-coded to use 3-byte passwords. The IP address will receive a UDP packet with a 3-byte payload. This feature allows an attacker to scan for compromised machines, and obtain the password if it has been changed for some reason.
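A network sensor can flag the trigger conditions described above (IPv4 protocol EGP, TTL 0x11 on arrival, the 3-byte password at frame offset 0x2a, then a "1" or "2" marker) without needing the virus binary. The classifier below is an added example, not code from the write-up or from any vendor; it assumes a plain Ethernet II frame with a 20-byte IP header, and that the marker byte directly follows the password, which the write-up does not state. `build_frame` only constructs offline test input.

```python
import struct

IPPROTO_EGP = 8
ETH_LEN, IP_MIN_LEN = 14, 20
TRIGGER_TTL = 0x11     # TTL of 17 on arrival, per the write-up
PASSWORD_OFF = 0x2a    # 3-byte password offset within the raw frame (14 + 20 + 8)
PASSWORD_LEN = 3

def classify_frame(frame, password=b"DOM"):
    """Return None for an uninteresting frame, otherwise a dict describing how far the
    frame matches the RST.B trigger. The marker offset (byte after the password) is an
    assumption of this example."""
    if len(frame) < PASSWORD_OFF + PASSWORD_LEN + 1:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:   # only IPv4 carries EGP here
        return None
    ip = frame[ETH_LEN:]
    ttl, proto = ip[8], ip[9]        # ip[8] is the "23rd byte" of the frame
    if proto != IPPROTO_EGP:
        return None
    findings = {
        "ttl": ttl,
        "ttl_match": ttl == TRIGGER_TTL,
        "password_match": frame[PASSWORD_OFF:PASSWORD_OFF + PASSWORD_LEN] == password,
        "marker": None,
    }
    if findings["ttl_match"] and findings["password_match"]:
        findings["marker"] = chr(frame[PASSWORD_OFF + PASSWORD_LEN])
    return findings

def severity(findings):
    """Turn a classify_frame() result into an alert level for the sensor."""
    if findings is None:
        return "none"
    if findings["marker"] in ("1", "2"):
        return "alert: RST.B backdoor trigger"
    return "info: stray EGP packet"   # EGP alone is unusual on a LAN but not proof

def build_frame(ttl, proto, payload):
    """Constructed Ethernet II + IPv4 frame for offline tests (zero MACs, no checksum)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_MIN_LEN + len(payload), 0, 0,
                     ttl, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload
```

Because the TTL check is on the value at arrival, a sensor placed several hops away from the victim would see a different TTL; match on protocol and password first and treat the TTL as corroboration.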

After accepting either of these commands, the virus loops and awaits another. It will continue to do so until the process is killed or the machine is shut down. It is assumed that the HTTP request is a way for the worm to check in when it infects a new host. This would require the author to have access to the web server logs on that host, potentially indicating that it has been compromised. The operators of that web server have been contacted, and we are awaiting their response.

The backdoor runs with the same credentials as the user of the infected program, so it may run into issues if not run as root. Though the virus is not memory resident, the backdoor is supposed to remain active after the host program terminates. There are some programming errors that sometimes cause it to terminate with the host.

There is some controversy over what protocol is used for the socket packets. Most sources agree that it is EGP, but Qualys says this is a mistake.

RST.D

This variant seems relatively similar to the original. It is a non-resident ELF infector that weighs in at 18,956 bytes. The earliest description of it is from November of 2013, but it may actually be from much earlier. It uses the /proc/self/exe path to execute certain routines.

Effects

RST was at first dismissed by the Linux community, but the B variant drew some serious attention. Still, many malware researchers accused Linux users of having "malware denial". Though appearing in 2001, it was quite prevalent through the 2000s, being pretty common by 2008. Researchers were impressed by the virus's longevity and ability to spread under many different versions of the Linux kernel. Its spread was attributed to the proliferation of infected hack tools. This virus raised questions about the need for antivirus for Linux.

One researcher reported 70% of a particular honeypot's downloaded files had RST. It often came with flooders, SSH scanners and, most commonly, an IRC bot. It was by far most common in the US with 1,271 infected IP addresses, followed by China with 622. Sophos reported the US having 2,052 while China had 1,347. Several other places in Europe, Asia, and the Americas reported significant outbreaks. Germany had a very significant cluster of pings coming from RST, though this could be because of a large number of Linux workstations that were frequently rebooted. The virus was found in 125 countries. Sophos reported 105,930 call-home attempts from 12,238 different IP addresses between May and September of 2008. These numbers were small compared to Windows infections.

When trying to contact the sites the virus contacted, researchers often found they were taken down and the owner's accounts were suspended.

Sources

Costin Raiu, Kaspersky Labs Romania, Virus.Linux.RST.a. 31-JAN-2002

Sophos, Linux/Rst-A. 20-FEB-2002

Kaoru Hayashi. Symantec, Linux.RST.B. 21-DEC-2001

Qualys, Qualys Security Alert QSA-2002-01-01 "Remote Shell Trojan b" (RST.b) 09-JAN-2002

Qualys, Qualys Security Alert QSA-2001-09-01 "Remote Shell Trojan". 05-SEP-2001

Gumban, Jennifer. Trend Micro, ELF_RST.D. 28-NOV-2013

Middleton, James. IT Director, Rare Linux virus on the loose. 05-JAN-2002

Billy McCourt, Helen Martin. Virus Bulletin, The case for AV for Linux: Linux/Rst-B. 2008-08-01

SophosLabs. Naked Security Blog, Linux/Rst-B – very much alive and kicking. 08-SEP-2008

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License