Over two-thirds of the malware infections suffered by Sophos’s Linux honeypots involve Rst-B, which attempts to infect ELF (Executable and Linkable Format) binaries in the current working directory and in /bin, and to create a backdoor to the system.
The six-year-old Linux virus is still in circulation, and Sophos suspects that the high uptime of servers (compared with the typical home or office Windows PC, which spends much of the day switched off or asleep) makes them valuable to bot-herders as central control points.
Sophos has created a detection tool specifically for this virus, and encourages administrators to use it and then forward any infected files to SophosLabs for analysis.
“If you don’t find Linux/Rst-B on your system, it’s good news but obviously doesn’t mean that you are not infected with something else,” said Billy McCourt, SophosLabs UK.
“I’d encourage you to at least do regular on-demand scans on your Linux box but ideally run an on-access scanner.”
A previous analysis by McCourt suggested that intruders are not using Rst-B infections to gain access to systems; rather, the infections occur as a side effect of already-infected hacking tools being downloaded onto servers once a foothold has been gained.