Rst-B Detection Tool

So today my first ever piece of professionally developed software got released, as open source software too :D It’s nothing big – about 500 lines of code, and it does a very simple job, but still!

There’s a blog entry by SophosLabs that explains the purpose behind the tool, but I’ll summarise it here:

Basically, the Labs guys have a Linux honeypot set up with a weak username/password combination that allows it to be hacked. They then look at the tools the hackers use and develop protection against them, the viruses, etc. However, Billy (one of the Labs guys) found that a lot of the hacking tools being used were actually themselves infected with a virus called Linux/Rst-B. This probably wasn't intentional (there's no good reason why the hacking tools themselves would be infected), so it's probably safe to assume the hackers themselves don't know they're infected, and that there's some site where the script kiddies are downloading their sets of hacking tools from that's infected with this virus.

So, for research purposes I was asked to develop a tool that scans for this particular virus, so that people can then be encouraged to submit any detections back to Labs for analysis (it'd be the hacking tool that Labs are interested in, not the virus itself), and so we can see how widespread the problem is.

So there it is :) If you’re a Linux user running a server, you can always run it yourself and see what you think! It’s at http://www.sophos.com/linux-detection-tool

(Probably should say this as I’m talking about work, but this isn’t an official Sophos communication or anything like that – this is my personal journal – for all the official stuff, see the Sophos website)