Linux/Rst-B – very much alive and kicking

Last month a snippet of our Linux malware research was published in Virus Bulletin. Virus Bulletin is the de facto anti-malware publication but is only available via subscription. With their permission, we decided to republish some of the results here.

I’ve mentioned the Linux virus Linux/Rst-B a couple of times before on the SophosLabs blog [1] [2], mainly in connection with infected hacking tools found on our honeypots. This new research took advantage of the fact that Linux/Rst-B attempts to download a webpage from a specific IP address if it is executed as root. If we could monitor the request attempts to the specific address, we would have a pretty good indication of the number of Linux/Rst-B root infections out there.

We contacted Accretive Networks (the address in question fell under their control) and they offered to assist us by hooking a websever up to the IP address. This gave us the opportunity to monitor ‘call home’ requests and therefore infer the number of root compromised hosts out there.

Before I get into breaking down the results, I’ll let the picture from Google earth set the scene. Each red point represents a single IP address which contains at least one root infected computer (the actual number of infected computers will be higher than the number of ‘infected’ IP addresses due to NAT etc).

Below: Infections across Europe
rstb-eur.jpg

Below: Infections across the USA
rstb-usa.jpg

The data is based on requests since the middle of May this year. When the data was generated for the Virus Bulletin article (end of July) there were IPs from 125 different countries calling home. From the data gathered today, there were 145. The top 10 most infected countries are as follows:

Country Unique Infected IPs
USA 2052
China 1347
Brazil 897
Germany 777
India 527
Taiwan 504
Korea 463
France 384
Italy 355
Romania 278

From mid May, there have been 105,930 call home attempts from 12238 different IPs. Whilst these numbers seem pretty insignificant when we compare them to Windows infections, we have to remember that these are only root infections. Our honeypots show that hackers (at least the ones unsophisticated enough to use hacking tools infected with Linux/Rst-B) generally do not bother going to the trouble of gaining root access, so we can safely assume the real number of infected machines is much higher.

So does this prove that the Linux community are living in malware denial? Well, no, not really. With Linux gaining in popularity, it is inevitable that novice users will fail to take the appropriate precautions and hackers will take advantage (although we have found several compromised boxes owned by people who certainly should have known better…) This is an old virus that generally gets onto a system via a weak SSH password, a situation hopefully no security conscious user would find themselves in.

As has been said on this blog a few times now, the biggest security vulnerability sits behind the keyboard. It looks like we’ve simply managed to prove that the vulnerability is cross platform. 🙂