Linux world dismisses new Trojan risk
A Remote Shell Trojan (RST) is making its way around the Linux community, but security experts say it should not pose a risk if users are vigilant with the programs they run.
The Trojan is a more complex variant of an earlier RST that hit Linux systems last October. In order to propagate, RST.b requires a user to run an infected binary, which then opens up a remote shell and allows an attacker to access the machine
Linux distributor Red Hat is categorizing RST.b as low risk. The variant requires a root user to download the malformed binary in order for the Trojan to run, which is less likely to happen on Linux machines as it products are designed to keep partitions on what users can do.
"On Linux a lot of packages are digitally signed and come with their own source code, which makes it a lot harder for a trojan to attach itself, and ensures that the product is not affected during transit," said Mark Cox, senior director of engineering at Red Hat.
The virus replaces the start address in the Executable and Linking Format headers with an address that points to its code. When an infected program is run it is re-directed to the virus code. According to researchers at lockeddown.net, a parent string forks off to the real start address and runs the normal code while a child string "takes care of the evil stuff".
Trojan horses designed to attack Linux systems are rare. Viruses that exploit vulnerabilities in Microsoft Windows are fairly common, but according to Red Hat, the popular Apache Web server has not had any vulnerabilities that would allow remote access for two years. "The risk factor is a lot lower than IIS (Internet Information Server) for example," said Cox.
Staff writer Wendy McAuliffe reported from London.