03 Jan 2002
It has emerged in the last week that another of those rare Linux viruses may be on the loose. And this one has strong similarities to October's Remote Shell Trojan (RST) that was largely dismissed by the Linux community.
In a posting to a security mailing list at the end of December, SecurityFocus brought 'RST.b' to the internet community's attention.
The researchers warned that the culprit carrying the virus is likely to be "some exploit being passed around, possibly a Secure Shell one". Linux users are advised not to run exploits from unknown sources.
Once the virus has gained a foothold in the system, it installs a back door and attempts to escalate its permissions to root privileges.
The basic differences from the October version are that the new virus tries to communicate with a machine on a different IP address from the one the original RST used, and the backdoor operates over the Exterior Gateway Protocol instead of the User Datagram Protocol.
Like the original RST, the virus infects binary files in the Linux Executable and Linking Format (ELF).
RST.b replaces the start (entry point) address in the ELF header with an address that points to its own code. So when an infected program is run, it forks: a parent process runs the original code so as to avoid suspicion, while a child process "takes care of the evil stuff", according to researchers at Lockeddown.net.
"Not only do we have a virus spreading, but it is opening up the infected boxes to attackers," they added.
A SecurityFocus researcher who attempted to contact the host of the web server that had infected the machines said: "The response I got indicated that 'his account was terminated a few weeks ago'. I received no response to a later request for clarification."
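The entry-point redirection described above can be checked from the defender's side by reading `e_entry` from the ELF header and comparing it with a known-good baseline recorded before infection. This is an added example, not code from the article or the researchers it quotes; the function names, the baseline value and the constructed sample ELF are assumptions for illustration.

```python
import struct

PT_LOAD, PF_X = 1, 0x1

def parse_elf(data):
    """Return (e_entry, [(vaddr, memsz, flags), ...]) for the PT_LOAD segments."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little-endian
    if is64:
        e_entry, e_phoff = struct.unpack_from(end + "QQ", data, 24)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_entry, e_phoff = struct.unpack_from(end + "II", data, 24)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    loads = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:  # type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, flags, _, vaddr, _, _, memsz, _ = struct.unpack_from(end + "IIQQQQQQ", data, off)
        else:     # type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, _, vaddr, _, _, memsz, flags, _ = struct.unpack_from(end + "IIIIIIII", data, off)
        if p_type == PT_LOAD:
            loads.append((vaddr, memsz, flags))
    return e_entry, loads

def audit_entry(data, baseline_entry=None):
    """Return a list of findings about the entry point; empty means nothing flagged."""
    e_entry, loads = parse_elf(data)
    findings = []
    if baseline_entry is not None and e_entry != baseline_entry:
        findings.append("entry point changed: %#x -> %#x" % (baseline_entry, e_entry))
    seg = next((s for s in loads if s[0] <= e_entry < s[0] + s[1]), None)
    if seg is None:
        findings.append("entry point is outside every PT_LOAD segment")
    elif not seg[2] & PF_X:
        findings.append("entry point is in a non-executable segment")
    return findings

def sample_elf(entry):
    """Constructed 64-bit little-endian ELF, one R+X PT_LOAD at 0x400000 (sample input)."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, entry, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 0x5, 0, 0x400000, 0x400000, 0x2000, 0x2000, 0x1000)
    return ehdr + phdr
```

A changed entry point is only an indicator: a legitimate rebuild or upgrade of a binary also changes it, so the baseline has to be refreshed whenever the package is updated.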