
Qualys First To Detect And Protect Against New Linux Backdoor Trojan

Provides Free Downloadable Tools To Detect And Cleanse Linux Machines of New “Remote Shell Trojan”

Sunnyvale, Calif. — September 5, 2001 — Qualys™, Inc., a leading provider of enterprise network vulnerability assessment and monitoring solutions, today announced that its QualysGuard™ online vulnerability scanning service is the first scanning solution capable of detecting the presence of a potentially dangerous new Linux backdoor Trojan identified as the Remote Shell Trojan. This Trojan consists of two primary components: a virus-like self-replication capability, and the ability to install a backdoor process to enable remote attacks on the infected system. Qualys is making available a free downloadable tool to probe for the Trojan’s presence on a Linux machine, along with a free downloadable fix to cleanse infected files. These tools are available at https://www.qualys.com/forms/remoteshell.html.

“While no system is perfectly secure, we believe that open source technologies provide the necessary transparency to better protect against security vulnerabilities, especially those related to downloading software from the Internet,” said Michael Tiemann, Chief Technology Officer of Red Hat Linux. “We applaud Qualys for delivering these tools as open source software to provide users with a trustable fix to this new security threat.”

This new Trojan can be disseminated by inconspicuous emails and replicates itself on the infected Linux-based system. Similar to Back Orifice on the Windows platform, this Trojan installs a backdoor that listens for incoming connections on UDP port 5503 or higher, enabling remote attackers to connect and take control of the system. Remote Shell Trojan is especially dangerous if a privileged user launches the infected Linux application. In this case, the attacker connecting to the backdoor inherits the privileged credentials and can completely take over the infected machine.

“In the spirit of open source, Qualys has developed and is freely distributing two standalone tools to detect and eliminate the Remote Shell Trojan on infected machines,” said Gerhard Eschelbeck, Vice President, Engineering for Qualys, Inc. “A vulnerability detection signature to reveal the presence of the new trojan has also been integrated into the Qualys online network vulnerability scanning platform, which is used by numerous Managed Security Providers to provide companies with ongoing protection against such security threats.”

“With security researchers at multiple sites around the world, Qualys was the first to detect and respond immediately to this Trojan and also to identify that systems are connecting to a third party website during the infection process,” added Eschelbeck. Qualys has developed tools to detect and clean the Remote Shell Trojan. The tool named “rst_detector” takes an IP address as a command line parameter and probes a specified remote computer to determine if it has the backdoor installed. The second tool, “rst_cleaner,” will be required to clean infected Linux files. These tools can be downloaded for free at https://www.qualys.com/forms/remoteshell.html.

About QualysGuard

The QualysGuard Web Service automates Network Security Audits and Vulnerability Management ensuring the security of information networks. With the highest degree of accuracy, data integrity, scalability, and ease of use, QualysGuard is available in a variety of packages designed to meet the specific needs of enterprises, SMBs, consultants, or managed service providers.


Qualys, the Qualys logo and QualysGuard are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.

Media Contact:
Tami Casey
Qualys
media@qualys.com