- December 21, 2001
- December 21, 2001 10:40:10 PM
The RST.B virus infects Linux x86 ELF binaries. It does so by inserting itself between segments in the file. Most ELF binaries have multiple segments, often with a gap in the logical address space of the segments, though there is no physical gap in the file. The virus re-writes the ELF binary with itself physically between the segments on disk, and picks a logical memory address for itself that does not interfere with the other segments. It then changes the start address of the ELF binary to point to itself at the address it will be loaded when the file is run. It saves the original start address, and uses that to execute the original program after it forks a copy of itself.
Execution begins when an infected file is run. The virus starts by determining its own base address, though it does not use this information for anything. The entire virus is written to use relative addresses. The only hard coded memory address is the saved start point of the original program.
The main subroutine of the virus starts with a fork call. The child exits this routine, causing program control to transfer to the original program code of the infected file. For example, if the ?ls? program were infected, the virus would fork a copy of itself, and the child copy would display a directory.
The parent continues on, and executes the ptrace system call, and exits if it gets a particular result. This is an attempt to thwart anyone trying to use a debugger on the virus. Next, the virus scans the current directory and attempts to infect any executable files in it. Then, it changes to the ?/bin? directory, and attempts to infect all executables there.
Now the virus installs the backdoor. It registers a handler routine for the SIGCHILD signal, which waits for any child processes to exit before proceeding. The virus forks again. One copy deals with the eth0 network interface, the other with the ppp0 network interface. The two sections of code are nearly identical.
The eth0 branch begins by attempting to create a file named /dev/hdx2. If it fails, that copy exits. If it succeeds, it sets the file descriptor flag to O_ATOMICLOOKUP. This process essentially servers as a semaphore. If another copy of the virus is run while the first is still running, it will exit. The same process takes place for the ppp0 branch, but it checks /dev/hdx1 instead.
The two copies now allocate a socket of type SOCK_PACKET, protocol EGP for their respective interface. Both branches then set their interface to promiscuous mode, which will allow them to read all traffic off of their network segment, some of which is not be addressed to them, depending on how the network is configured. This allows the virus to obtain copies of all packets that are marked as Exterior Gateway Protocol (EGP) packets. This type of communication is normally used for router-to-router communications, and is depreciated. The ?netstat? command will not give any indication that the network interfaces are listening in this way, though the ?ifconfig? command will show the interfaces in promiscuous mode.
Before completing the backdoor step, each copy will contact a web server, presumable to ?check in?, and have its IP address entered into a log. It contacts the IP address 126.96.36.199 at TCP port 80, and sends 'GET /~telcom69/gov.php HTTP/1.0',0Dh,0Ah,0Dh,0Ah. As soon as it sends the HTTP request, it drops the connection, not bothering to listen for the response.
It is assumed that this is a way for the worm to ?check in? when it infects a new host. This would require the author to have access to the web server logs on that host, potentially indicating that it has been compromised. The operators of that web server have been contacted, and we are awaiting their response.
Each forked copy now enters an infinite loop where they read the contents of their socket into a buffer. If either copy receives a packet formatted in a special way, it will respond to a command. Some of the special formatting requirements include that the packet be an EGP packet, that it have a TTL of 17 when it reaches the victim, and that in one case, it contains a ?password? of ?DOM?.
There are two commands that the virus will accept. The first, which is marked by a 1 in the appropriate place within the packet, provides a method of executing commands on the victim. The packet must also contain the password, and the command to be executed.
The second command is marked by a 2 instead of a 1 in the appropriate spot in the packet. This command will cause the password to be sent to an IP address contained in the packet. It will send the packet to UDP port 4369. The virus is hard-coded to use 3-byte passwords. The IP address will receive a UDP packet with a 3-byte payload. This feature allows an attacker to scan for compromised machines, and obtain the password if it has been changed for some reason.
After accepting either of these commands, the virus loops and awaits another. It will continue to do so until the process is killed or the machine is shut down.
Writeup By: Kaoru Hayashi