How the virus “Remote Shell Trojan” (RST) works

Marco Balduzzi <balduzzi@idi.ntnu.no>

University of Trondheim
Norwegian University of Science and Technology, Department of Telematics

Abstract
This paper introduces the concept of malicious
software, spending more words on virus threats. Later
it focuses on the “Remote Shell Trojan” virus, a well-
known GNU/Linux code which spread across on all
Internet in September 2001.

1. Introduction programs are the backdoors/trapdoors

(secret entry point that allows
Malicious programs are probably the someone aware to obtain access to
most dangerous threats for computer the system without going through the
systems; the literatures divides them usual procedure), the logic bombs
into the following classes: viruses, (code embedded in some legitimate
worms and trojan horses. program that's set to “explode” when
The jargon file [1] defines a virus certain conditions are met) and
as a cracker program that searches zombies (programs used in DoS
out other executable files and infect attacks).
them by embedding a copy of itself.
When these programs are executed, the 2. Overview of “Remote Shell
embedded virus is executed too, doing Trojan” virus
bad mistakes and propagating the
infection. Finally the original The “Remote Shell Trojan” virus (or
program is called and run in normal RST) has been discovered by Qualys
way: thus the virus activity is at the 5th of September 2001 and
invisible to the user. named due to its backdoor
Some viruses infect memory and boot functionality. It's also known with
records instead of simple files, the name RST.a to distinguishes from
becoming more aggressive and its more recent variant (RST.b)
dangerous. appeared four months later. An
A worm is a program which doesn't anonymous has written on buqtraq
require file transmission like mailing-list about its origin [3]:
viruses. It takes advantage of “RST was developed by us as a
systems vulnerability to diffuse research project and intended only
across the network and infect running for internal use on our systems.
processes. A very famous worm was [...] An infected binary
coded by R. H. Morris. The story of accidentally leaked out our research
“The Internet Worm of 1988” is at lab and came into the hands of so
[2]. called script kiddies”.
A trojan horse is a code which The source code of the virus has
pretend to be a useful program but still not been released, thus the
when executed it performs some analysis have been made with the
unwanted or harmful function. “black-box” techniques or
Differently from virus and worms, a disassembling the virus executable.
trojan horse doesn't auto-propagate
but require user installation. When RST doesn't take advantage of the
executed, a trojan horse grants to vulnerability of computer systems;
the cracker the access to the differently from a worm, the
victim's computer. infection is diffused with the
exchange of file (email attachments
Other minor classes of malicious and download). RST attacks GNU/Linux
ELF binaries and when run it infects
all binaries in the current and in / 4. Detection and immunization
bin directory (like cp, mv, ps
commands). It also provides a Many tools has been provided by
backdoor functionality which allows antivirus software-houses and
the attacker to launch arbitrary underground community, but nobody of
commands. these work perfectly because of the
many variants of the virus and the
3. RST analysis difficulty of debugging.

The virus begins to spread by For detection a reliable procedure

attaching itself to a “healthy” ELF is checking MD5, timestamps and size
binary using a variation of Silvio of /bin files (host-based IDS like
Cesare's technique described here Tripwire becomes very useful). In
[4]: fact the viral code infection alters
• the viral code inserts itself binaries.
between code segment and data Another technique it to verify
segment; whether the entry point is exactly
• the viral code is modified to jump
4096 from the end of the code
to original entry point afterwards; segment. It'd mean that the
• the entry point of the executable
executable is infected.
is changed to run the viral code; Some scanners parse `readelf -l`
• some field of ELF header are output for LOAD segments and
adjusted (code segment size for calculate the distance between the
example) and other data are moved start of a new LOAD segment and the
to the end of the virus. end of the previous one. If the
distance is less than 0x1000 bytes a
Afterwards the virus forks and the warning is printed.
parent runs the original code while
the child acts in evil way. It spawns Immunization works by increasing the
a backdoor listening on UDP port 5503 size of the text segment by 4096
(the RST.b variant use an EGP raw bytes so that the hole between the
socket realizing a more hidden text and data segments is gone. Thus
communication channel). Special there is no space for the RST to add
packets enable the backdoor to itself to the binary anymore.
execute remote commands with the If it were known the original entry
privileges of the process. point, a simpler solution would be
to restore the entry point. This
It's interesting to note that the technique requires a deep reverse
virus adopts a anti-debugging engineering procedure since many
technique which consists in calling viral codes store the original entry
the ptrace(PTRACE_TRACEME) function point at a non-intuitive address, in
to check if someone is debugging us the middle of infective code.
[5]:
int main() References
{
if(ptrace(PTRACE_TRACEME, 0, 1,0)<0) [1] The Jargon File,
{ http://www.catb.org/jargon/
printf("Don't debug me!\n"); [2] The Internet Worm of 1988,
return 1; http://world.std.com/~franl/worm.htm
} l
printf("Normal execution...\n"); [3] Remote Shell Trojan: Threat,
return 0;
Origin and the Solution
}
[4] Unix ELF Parasites And Virus,
A workaround is to open up the file http://www.packetstormsecurity.com/9
in a hex editor and change the int 80 901-exploits/elf-pv.txt
to NOP NOP which prevents ptrace from [5]Linux anti-debugging techniques
being called. Another possibility is (fooling the debugger),
to block the ptrace() syscall with a http://vx.netlux.org/lib/vsc04.html
LKM (Loadable Kernel Module).