Botnets, a free tool and 6 years of Linux/Rst-B

I have mentioned before that we regularly see Linux malware infected with an old Linux virus, Linux/Rst-B.

It is 6 years to the day since we first saw Linux/Rst-B and, despite reputable anti-virus solutions having been able to detect it since then, we keep seeing it appear on our honeypots. In fact, over the last 3 months roughly 70% of the malware downloaded by hackers to one of our honeypots was infected with Linux/Rst-B.

Linux computers are very valuable to hackers. A bot army, similar to a real army, needs a general (controller) and infantry (zombies). Linux boxes are often used as servers, which means they have a high uptime – essential for a central control point. A Windows computer, on the other hand, is typically found at home or as a desktop machine in an office, and these computers are regularly switched off. This makes them less attractive as controllers, but ideal for infantry, or zombies.

The picture below shows the typical role of a compromised Linux computer under a hacker's control. By identifying these bot controllers, we have a much better opportunity to disrupt entire botnets.

[Image: irc-botnet-tn.JPG – a compromised Linux box acting as the IRC controller for a botnet of zombies]

Hackers typically gain control via weak SSH passwords or some other vulnerability. Once in, they install IRC-based malware and use IRC channels to control their bots.

A few of us in the Sophos labs are researching how prominent Linux-based botnet controllers are and would appreciate your help. If you don’t run anti-virus on your Linux boxes, we would like to invite you to run a tiny, rudimentary scanner we have developed whose sole job is to look for Linux/Rst-B infections.

Download the Linux/Rst-B detection tool

To run the Linux/Rst-B detection tool you will need to download the tar.gz file and build the tool using the Makefile provided. Note that this requires you to have gcc installed. If you don’t have gcc, a compiled binary is also included.

Steps for running the Linux/Rst-B detection tool:

  1. Download the file.
  2. Run md5sum or sha1sum to verify the contents.
  3. tar zxf detection_tool.tar.gz
  4. cd detection_tool
  5. Either compile the tool yourself by typing “make” or run the compiled binary.
  6. Check the usage for details on how to run the tool – it should be run as root.

To verify the contents, you can use MD5 or SHA1 – the steps below explain how and show the expected results.

  • md5sum detection_tool.tar.gz -> 49b454e66b5c2a247c52cfe95c6813e6
  • sha1sum detection_tool.tar.gz -> cf9d8291de55031f969f9cd5b427334e31c52ea9
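The verification and build steps above, as an added shell script that is not part of the Sophos tool or of the original post: it compares both digests quoted above programmatically and refuses to extract or build anything if either one differs. It assumes the archive has already been downloaded into the current directory and that md5sum, sha1sum, tar and make are available.

```shell
#!/bin/sh
# Added example, not part of the Sophos tool or the original post: verify the
# downloaded archive against BOTH digests quoted in the post and refuse to
# extract or build anything if either one differs. Assumes the archive is
# already in the current directory and md5sum, sha1sum, tar and make exist.

EXPECTED_MD5="49b454e66b5c2a247c52cfe95c6813e6"
EXPECTED_SHA1="cf9d8291de55031f969f9cd5b427334e31c52ea9"

# verify_checksums FILE MD5 SHA1
# Returns 0 only when the file exists and both digests match exactly.
verify_checksums() {
    file="$1"; want_md5="$2"; want_sha1="$3"
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    got_md5=$(md5sum "$file" | awk '{print $1}')
    got_sha1=$(sha1sum "$file" | awk '{print $1}')
    if [ "$got_md5" != "$want_md5" ]; then
        echo "MD5 mismatch: got $got_md5, expected $want_md5" >&2
        return 1
    fi
    if [ "$got_sha1" != "$want_sha1" ]; then
        echo "SHA1 mismatch: got $got_sha1, expected $want_sha1" >&2
        return 1
    fi
    return 0
}

# install_tool ARCHIVE
# Verifies first, then extracts and builds in a subshell so the caller's
# working directory is unchanged. Stops at the first failing step.
install_tool() {
    archive="$1"
    verify_checksums "$archive" "$EXPECTED_MD5" "$EXPECTED_SHA1" || return 1
    tar zxf "$archive" || return 1
    if command -v gcc >/dev/null 2>&1; then
        ( cd detection_tool && make ) || return 1
    else
        echo "gcc not found; use the pre-built binary in detection_tool/" >&2
    fi
    echo "ok: check the tool's usage text and run the scan as root" >&2
}

# Run only when an archive name is given on the command line.
if [ "$#" -ge 1 ]; then
    install_tool "$1"
fi
```

Invoke it as `sh verify_and_build.sh detection_tool.tar.gz`; a single mismatching digest stops the script before tar ever runs.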

Two points to note:

  • You could scan your whole system, but if this isn’t feasible then at least scan your /bin, /usr/bin, /tmp, /var/tmp, /sbin and /usr/sbin directories.
  • If you don’t find Linux/Rst-B on your system, it’s good news, but it obviously doesn’t mean that you are not infected with something else. I’d encourage you to at least do regular on-demand scans on your Linux box, but ideally run an on-access scanner, such as Sophos Anti-Virus for Linux.