The case for AV for Linux: Linux/Rst-B

In February, researchers at SophosLabs noted that Linux/Rst-B seemed to be very common on hacked Linux boxes [1]. The prevalence of this particular virus is not due to ingenious spreading mechanisms or Linux users swapping binaries, it is due to a proliferation of infected hacking tools. The fact that the virus replicates equally well on older and newer kernels will have added to its longevity – a characteristic that isn’t always found in other Linux viruses.

We became interested in Linux/Rst-B when we noticed that around 70% of executable files downloaded to one of our honeypots were infected. Underneath the Linux/Rst-B infection were various tools such as flooders, SSH scanners and, more often than not, an IRC bot.

A particularly interesting feature of Linux/Rst-B is that it attempts to download a page from a specific IP address if it is executed as root. The Ethereal screenshot in Figure 1 shows the request being made to 207.66.xxx.xxx/~telcom69/gov.php.

Figure 1. Figure 1: Request being made to 207.66.xxx.xxx/~telcom69/gov.php.

This call-home technique provides the opportunity to assess the number of Linux/Rst-B root-compromised Linux boxes in the real world. The call home IP address falls under the control of Accretive Networks, who kindly agreed to assist us with our research.

Since the beginning of May, we have had the call-home IP address hooked up to a web server and connection attempts to the specific URL have been logged. From this data, we can cross-reference the infected IP address with WHOIS data to find out details such as the country and company of an infected host. The data presented in this article is based on roughly five weeks’ worth of logs.

One of the first sets of statistics that we generated was the number of infections by country. We take a single instance of each IP address that has called home and look up which country it came from:

This data helps to show that this is a global problem. When these statistics were generated there were IP addresses from over 125 different countries calling home.

Figure 2 highlights that Europe is pretty badly hit. Each red marker represents a single IP address.

Figure 2. Location of infected IP addresses.

Another way to look at the data is to examine the frequency of each IP address calling home. Table 2 shows the most common IP addresses calling home. This is an interesting result since it allows us to monitor activity tied to specific hosts. The most common call home attempts were made by computers in Germany. (Note that the first two IP addresses were from the same provider so could really be considered as a single IP address with a total of 28,748 hits.)

It would be nice to assume that these figures are the number of infected machines but it is clearly not that straightforward (due to computers behind NAT gateways etc. where many computers will be represented by a single IP address). Also, whilst a server that is never turned off will only ever call home once, a computer that is rebooted daily will call home after each reboot (assuming appropriate binaries have been infected, but this is a fair assumption if the virus has been executed as root).

Germany therefore may simply have more Linux computers being used as workstations and being rebooted frequently. However, even if we assume that every machine is booted up at least once a day, this still suggests that there are over 750 root-infected machines sitting behind two IP addresses alone.

It is also important to remember that we can only gather statistics for root-compromised computers. Our honeypots show that hackers are happy to gain access to standard user accounts (we don’t allow root to SSH in) – only a tiny percentage of attackers have downloaded and executed a root exploit before downloading their other tools. From this we can safely assume that the actual number of infected Linux boxes is far higher than our results suggest.

Hopefully every Linux AV scanner is able to detect Linux/Rst-B. It has been around for over six years and, according to our research, it is the virus you are most likely to encounter as a Linux user. Simply running an on-access scanner would prevent most hacking attempts from achieving anything destructive. Whilst on-access scanners don’t address any underlying security issues (weak passwords, vulnerable web applications etc.) they should at least make you aware of hacking attempts without major damage being done.

Unfortunately, it is probably only script-kiddie-level hackers that use hacking tools infected with Linux/Rst-B. Hackers with financial motivation will no doubt be more meticulous with their choice of tools, providing more of a challenge for AV vendors to detect proactively.

We chose to investigate this particular virus partly due to its call-home feature (it gives a fairly accurate picture of real-world infections), but also since it is a real, in-the-wild, Linux threat. The longevity of these infections indicates that system administrators are not even running on-demand scans or file integrity checkers, despite appropriate tools being readily available on many common distributions.

It doesn’t take much searching to find a Linux zealot claiming that malware is only a Windows problem – hopefully these figures will make users reconsider their approach to Linux security.