Tux

...making Linux just a little more fun!

Six Years Old And Still Causing Problems For Linux Users

Ben Okopnik [ben at linuxgazette.net]


Wed, 13 Feb 2008 16:40:38 -0500

----- Forwarded message from Stephen Russell <srussell@racepointgroup.com> -----

Subject: Six Years Old And Still Causing Problems For Linux Users
Date: Wed, 13 Feb 2008 13:56:56 -0500
From: Stephen Russell <srussell@racepointgroup.com>
To: ben@linuxgazette.net
Hello Ben,

I thought you might be interested in the information below on a six-year-old virus that is still causing problems for Linux users. In fact, the problem is so common that 70 percent of Linux infections are because of the virus. In response to this problem, Sophos has made available a free detection tool for Linux users to determine if they are infected by the virus.

If you are interested in discussing this virus with Sophos, don't hesitate to contact me.

Best,

Stephen

Stephen Russell

Racepoint Group for Sophos

781-487-4609

==============================================================================

Six Year Anniversary for Linux Virus Rst-B - Are You Infected?

Sophos Makes Available Detection Tool for Linux Users

IT security and control firm Sophos is warning Linux users of the importance of properly securing their Linux systems, following findings from SophosLabs(TM) that a long established threat, known as Linux/Rst-B, is still infecting computers and servers.

Analysis of malware has shown almost 70 percent of the infections are due to this six-year-old malicious program. Today, SophosLabs has made freely available a small detection tool to help Linux users find out whether they are unwittingly infected with this virus.

Linux servers are very valuable to hackers, according to SophosLabs experts. Servers, by their nature, are rarely turned off and often found to be running no or insufficient protection against malware attacks. This makes the Linux systems ideal candidates for the role of controller in a botnet - the central control point when creating and managing an army of infected computers, known as bots or zombies. Where Linux systems are most often found to be running as a server, Windows machines are more frequently used at home or as a desktop machine in an office, and these computers are regularly switched off. This makes them less attractive as controllers, but ideal as bots or zombies.

Hackers typically gain control via weak SSH password or some other vulnerability. Once in, they install IRC based malware and use IRC channels to control their bots.

"The number of malware in existence is around 350,000, and while only a teeny number of these target Linux, it seems as though hackers are taking advantage of this false sense of security," said Carole Theriault, senior security consultant at Sophos. "It was very surprising to see that a six-year-old virus seems to be responsible for a large proportion of the malware collating in our Linux honeypot, and we hope that Linux users who aren't running security will at least run this tool to find out if they are infected with this granny virus."

Information on the Linux/Rst-B detection tool is available on the SophosLabs blog. Sophos underlines that running the detection tool will only detect versions of Linux/Rst-B.

Sophos encourages all Linux users to consider running an up-to-date anti-virus to ensure the integrity of their computers and servers is not compromised.

About Sophos

As a global company, Sophos provides solutions that enable enterprises to secure and control their IT infrastructure. Sophos's network access control and endpoint solutions simplify security to provide an integrated defense against malware, spyware, intrusions, unwanted applications and policy abuse. Sophos complements these solutions with innovative email and web security products that filter traffic for security threats, spam and policy infringements.

With over 20 years of experience, Sophos's reliably engineered security solutions and services protect more than 100 million users in over 140 countries. Recognized for its high level of customer satisfaction, award-winning channel program, and powerful yet easy-to-use solutions, Sophos has an enviable history of industry awards, reviews and certifications.

Sophos is headquartered in Boston, MA and Oxford, UK. More information is available at www.sophos.com.

----- End forwarded message -----

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * https://LinuxGazette.NET *


Top    Back


Steve Brown [steve.stevebrown at gmail.com]


Thu, 14 Feb 2008 03:23:28 +0000

On Wednesday 13 February 2008 21:40:38 Ben Okopnik wrote:

> ----- Forwarded message from Stephen Russell <srussell@racepointgroup.com>
> -----
>
> Subject: Six Years Old And Still Causing Problems For Linux Users
> Date: Wed, 13 Feb 2008 13:56:56 -0500
> From: Stephen Russell <srussell@racepointgroup.com>
> To: ben@linuxgazette.net
>
> Hello Ben,
>
> I thought you might be interested in the information below on a
> six-year-old virus that is still causing problems for Linux users.  In
> fact, the problem is so common that 70 percent of Linux infections are
> because of the virus.  In response to this problem, Sophos has made

70% of how many exactly?

> "It was very surprising to see that a
> six-year-old virus seems to be responsible for a large proportion of the
> malware collating in our Linux honeypot, and we hope that Linux users who
> aren't running security will at least run this tool to find out if they
> are infected with this granny virus."

How is your "honeypot" set up and secured? Can you give details of the installed software, distro and so on?

Again, how much malware is there, and of what types.

I'm not saying the virus doesn't exist, nor that we should be complacent in securing linux boxes, but you have given very little information to support your claims.

Your competitors don't seem too concerned either.

Best regards,

Steve


Top    Back


Kapil Hari Paranjape [kapil at imsc.res.in]


Thu, 14 Feb 2008 09:13:36 +0530

Hello,

On Thu, 14 Feb 2008, Steve Brown wrote in response to:

> On Wednesday 13 February 2008 21:40:38 Ben Okopnik wrote:
> > ----- Forwarded message from Stephen Russell <srussell@racepointgroup.com>
> >
> > Subject: Six Years Old And Still Causing Problems For Linux Users

Steve Brown said:

> I'm not saying the virus doesn't exist, nor that we should be complacent in
> securing linux boxes, but you have given very little information to support
> your claims.

I agree.

Normally each security related problem is recorded as a security alert. Security alerts are co-ordinated amongst various security sites.

Could the reporter of this problem please provide a reference for the relevant security alert if it exists?

Regards,

Kapil.


Top    Back


Steve Brown [steve.stevebrown at gmail.com]


Thu, 14 Feb 2008 10:06:06 +0000

On Thu, Feb 14, 2008 at 3:43 AM, Kapil Hari Paranjape <kapil@imsc.res.in> wrote:

> Hello,
>
>  On Thu, 14 Feb 2008, Steve Brown wrote in response to:
>
> > On Wednesday 13 February 2008 21:40:38 Ben Okopnik wrote:
>  > > ----- Forwarded message from Stephen Russell <srussell@racepointgroup.com>
>  > >
>  > > Subject: Six Years Old And Still Causing Problems For Linux Users
>
>
> Steve Brown said:
>  > I'm not saying the virus doesn't exist, nor that we should be complacent in
>  > securing linux boxes, but you have given very little information to support
>  > your claims.
>
>  I agree.
>
>  Normally each security related problem is recorded as a security
>  alert. Security alerts are co-ordinated amongst various security sites.
>
>  Could the reporter of this problem please provide a reference for
>  the relevant security alert if it exists?
>

The only recent references to this virus stem from the Sophos labs, all worded very similarly to the parent email.

Symantic, Trend and McAfee all rate this a low risk.

https://www.symantec.com/security_response/writeup.jsp?docid=2004-052312-2729-99&tabid=1 https://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF%5FRST%2EB&VSect=S&Period=All https://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=99978

Sophos's own risk analysis: https://www.sophos.com/virusinfo/analyses/linuxrstb.html indicates that this low risk too.

I'm afraid I can't give any credence to this.

Best regards,

Steve


Top    Back


Ben Okopnik [ben at linuxgazette.net]


Thu, 14 Feb 2008 08:19:35 -0500

On Thu, Feb 14, 2008 at 10:06:06AM +0000, Steve Brown wrote:

> 
> The only recent references to this virus stem from the Sophos labs,
> all worded very similarly to the parent email.
> 
> Symantic, Trend and McAfee all rate this a low risk.
> 
> https://www.symantec.com/security_response/writeup.jsp?docid=2004-052312-2729-99&tabid=1
> https://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF%5FRST%2EB&VSect=S&Period=All
> https://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=99978
> 
> Sophos's own risk analysis:
> https://www.sophos.com/virusinfo/analyses/linuxrstb.html indicates that
> this low risk too.
> 
> I'm afraid I can't give any credence to this.

This is why I forwarded this here - pretty much as entertainment material for the Gang. Sure, PR is usually about high-flying hype, but there's such a thing as TOO MUCH. Just as commercial pilots, who are allowed to fly higher than 18,000', are aware of the implied risks of doing so, the same applies here - and this particular one has gone into jet upset.

https://en.wikipedia.org/wiki/Jet_upset

It's a classic example of FUD (Fear, Uncertainty, and Doubt - usually spread for the purpose of terrifying users into buying Mafia-like "protection") and reflects no credit on Sophos.

Here's a summary of Symantec's page about the "virus" - the word isn't really applicable to Linux, despite Sophos' hype:

Linux.RST.B
 
Risk Level 1: Very Low
Discovered: April 23, 2002
Updated: February 13, 2007 12:21:47 PM
Also Known As: Linux.RST.b [Kaspersky], Linux/RST.B [RAV]
Type: Virus
Systems Affected: Linux
 
Threat Assessment
 
Wild
 
  * Wild Level: Low
  * Number of Infections: 0 - 49
  * Number of Sites: 0 - 2
  * Geographical Distribution: Low
  * Threat Containment: Easy
  * Removal: Easy

In addition, a bit of research shows that it's a file infector with no distribution mechanism. I.e., some skript kiddie might get "infected" by downloading it and screwing around with it, but it represents no danger whatsoever to an actual normal Linux system.

Again, according to Sophos, it's distributed via an "SSH vulnerability"... if someone can find and exploit an SSH vulnerability, that would be a report worth following up. "After someone breaks into your house, they can really mess up your flower arrangements" is not.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * https://LinuxGazette.NET *


Top    Back


Rick Moen [rick at linuxmafia.com]


Fri, 15 Feb 2008 21:29:27 -0800

Quoting Ben Okopnik (ben@linuxgazette.net):

> ----- Forwarded message from Stephen Russell <srussell@racepointgroup.com> -----
> 
> Subject: Six Years Old And Still Causing Problems For Linux Users
> Date: Wed, 13 Feb 2008 13:56:56 -0500
> From: Stephen Russell <srussell@racepointgroup.com>
> To: ben@linuxgazette.net
> 
> Hello Ben,
> 
> I thought you might be interested in the information below on a
> six-year-old virus that is still causing problems for Linux users.

This is, in short, a junk news story (or rather, a vendor-puffery press release) about a pathetic ELF-infector that is sometimes a _minor aftereffect_ of system compromise through unrelated means entirely.

Telling people they need to be protected against Rst-B is pretty much like telling them they need protection from bicycles, after noting a pattern of people who'd been three-pack-a-day smokers for decades collapsing in the street and then getting hit by bicycle traffic.

If your system has been root-compromised, you have a great deal bigger worries than the Rst-B detritus that got deposited afterwards. I note that Sophos Plc. don't bother to point out that extremely crucial fact; but, then, I guess nobody's paying them to.


Top    Back