Sophos

13 February 2008 11:43 GMT

Botnets, a free tool and 6 years of Linux/Rst-B

I have mentioned before that we regularly see Linux malware infected with an old Linux virus, Linux/Rst-B.

It is 6 years to the day since we first saw Linux/Rst-B and, despite reputable anti-virus solutions having been able to detect it since then, we keep seeing it appear on our honeypots. In fact, over the last 3 months roughly 70% of the malware downloaded by hackers to one of our honeypots was infected with Linux/Rst-B.

Linux computers are very valuable to hackers. A bot army, similar to real armies, needs a general (controller) and infantry (zombies). Linux boxes are often used as servers, which means they have a high up-time - essential for a central control point. A Windows computer, on the other hand, is found at home or as a desktop machine in an office, and these computers are regularly switched off. This makes them less attractive as controllers, but ideal for infantry, or zombies.

The picture below shows the typical role of a compromised Linux computer under a hacker's control. By identifying these bot controllers, we have a much better opportunity to disrupt entire botnets.

[Image: irc-botnet-tn.JPG - diagram of a compromised Linux box acting as the IRC controller for a botnet]

Hackers typically gain control via a weak SSH password or some other vulnerability. Once in, they install IRC-based malware and use IRC channels to control their bots.

A few of us in the Sophos labs are researching how prominent Linux-based botnet controllers are and would appreciate your help. If you don’t run anti-virus on your Linux boxes, we would like to invite you to run a tiny rudimentary scanner we have developed whose sole job is to look for Linux/Rst-B infections. Note that running this tool will not help you if you are infected with any other malware, so we strongly encourage you to consider running an up-to-date anti-virus scan to ascertain the real health of your system. If you find any Linux/Rst-B infections it could mean you have been compromised and are part of the botnet problem. Please get in touch with us at rstb@sophos.com if this is indeed the case, as it will be a big help to our research.

Download the Linux/Rst-B detection tool

To run the Linux/Rst-B detection tool you will need to download the tar.gz file and build the tool using the Makefile provided. Note that this requires you to have gcc installed. If you don’t have gcc, a compiled binary is also included.

Steps for running the Linux/Rst-B detection tool:

  1. Download the file.
  2. Run md5sum or sha1sum to verify the contents against the published checksum.
  3. tar zxf detection_tool.tar.gz
  4. cd detection_tool
  5. Either compile the tool yourself by typing “make” or run the compiled binary.
  6. Check the usage for details on how to run the tool - it should be run as root.

To verify the contents, you can use MD5 or SHA1 - the steps below explain how and show the expected results.
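As an added illustration of steps 2 to 5 (not part of the original post and not Sophos's tool), the small shell helper below refuses to unpack or build the archive unless its MD5 or SHA1 digest matches the value published alongside the download; the digest in the usage line is a placeholder, not the real one.

```sh
#!/bin/sh
# Added example, not Sophos's code. Gates the tar/make steps behind a digest check
# so an altered download is never unpacked or built.

# verify_digest FILE ALGO EXPECTED -> 0 on match, 1 on mismatch, 2 on bad ALGO
verify_digest() {
    file=$1; algo=$2; expected=$3
    case "$algo" in
        md5)  tool=md5sum ;;
        sha1) tool=sha1sum ;;
        *)    echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    actual=$("$tool" "$file" | cut -d' ' -f1) || return 1
    # Compare case-insensitively: published digests are sometimes upper case.
    if [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
         "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
        return 0
    fi
    echo "digest mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# install_tool TARBALL ALGO EXPECTED: steps 3-5, run only after verification passes
install_tool() {
    verify_digest "$1" "$2" "$3" || { echo "refusing to unpack unverified archive" >&2; return 1; }
    tar zxf "$1" && cd detection_tool && make
}

# Usage (placeholder digest; substitute the value published with the download):
# install_tool detection_tool.tar.gz sha1 0000000000000000000000000000000000000000
```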

A couple of points to note:

1) You could scan your whole system, but if this isn’t feasible then at least scan your /bin, /usr/bin, /tmp, /var/tmp, /sbin and /usr/sbin directories.

2) If you find any infected files, please send them to rstb@sophos.com and we will check whether they are infected hacking tools or just infected standard binaries. Simply disinfecting a hacking tool doesn’t actually clean up the problem! (If you send us samples, please send them in an encrypted form. A password protected zip file is sufficient, just remember to include the password in the email).

3) We would appreciate feedback. If you’ve found infected files, I’d personally be interested in getting a better feel for how prevalent Linux/Rst-B is, so please send an email to rstb@sophos.com with some details. I will treat any information provided with the highest degree of confidentiality.

4) If you don’t find Linux/Rst-B on your system, it’s good news but obviously doesn’t mean that you are not infected with something else. I’d encourage you to at least do regular on-demand scans on your Linux box but ideally run an on-access scanner, such as Sophos Anti-Virus for Linux.

Billy McCourt, SophosLabs UK