Linux/Kis

Type: Trojan
SubType: Remote Access
Discovery Date: 07/30/2001
Length: variable
Minimum DAT: 4249 (02/24/2003)
Updated DAT: 4704 (02/23/2006)
Minimum Engine: 5.1.00
Description Added: 06/17/2003
Description Modified: 06/17/2003 2:50 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

The detection driver for Linux/Kis was added to cover a malicious remote access/hacking package. The package consists of a GUI client and a server part.

The Linux/Kis (Kernel Intrusion System) trojan source code is available on certain websites. The .c source code must be compiled locally. During testing, the recompilation was not error-free and the binaries were not built. Because the binaries are rebuilt locally, the file size (and internal file content) may vary from one build to another.

The Linux/Kis server, an ELF binary file called kis, may replace /sbin/init with itself to ensure it is loaded automatically at system boot. It installs itself in "/.secret_directory".

The Linux/Kis client, an ELF binary file called kis_client, can use spoofing. The IP address of the host to be spoofed can be entered. When 0 is given for the IP, it spoofs a random IP address every time it sends a packet; when 0 is given for the port, KIS spoofs a different port every time. Note that spoofing requires root access, so it will most likely not work on the majority of systems.

Linux/Kis may disable security modules that are loaded on the system.

Symptoms

- Presence of an ELF binary file called "kis"
- Presence of an ELF binary file called "kis_client"
- Unexpected (random) port usage
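As an added example that is not part of the McAfee entry, the following POSIX shell script checks a filesystem tree for the file-based indicators listed above: an ELF file named kis or kis_client, the hidden /.secret_directory, and /sbin/init having been overwritten by the server binary. The function names (is_elf, kis_scan) and the ROOT argument are my own; the entry notes that the binaries are compiled locally and vary in size, so the check keys on the file name plus the ELF header rather than on a hash. The /sbin/init comparison is an assumption that only catches the plain overwrite case (init byte-identical to a kis file); on a live host, package verification (for example rpm -V or debsums) is the authoritative check for a replaced init.

```shell
#!/bin/sh
# Added example, not part of the McAfee entry: a read-only check for the
# Linux/Kis file indicators (ELF files named kis/kis_client, the hidden
# /.secret_directory, and /sbin/init replaced by the server binary).
# ROOT (default /) lets it run against a mounted disk image or a test tree.

# Report whether the first four bytes of $1 are the ELF magic 7f 45 4c 46.
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Print one INDICATOR line per finding under $1; return 0 if none, 1 otherwise.
kis_scan() {
    root="${1:-/}"
    found=0

    # The server installs itself into a hidden directory at the filesystem root.
    if [ -d "$root/.secret_directory" ]; then
        echo "INDICATOR: hidden directory $root/.secret_directory"
        found=$((found + 1))
    fi

    # Locate files named kis / kis_client; only ELF executables count, since
    # the binaries are compiled locally and their size and hash vary per build.
    # IFS is set to newline so paths containing spaces survive the loop.
    old_ifs=$IFS
    IFS='
'
    for f in $(find "$root" -xdev -type f \( -name kis -o -name kis_client \) 2>/dev/null); do
        if is_elf "$f"; then
            echo "INDICATOR: ELF binary $f"
            found=$((found + 1))
            # Assumption: a server that overwrote /sbin/init with itself leaves
            # an init binary byte-identical to the kis file (cmp -s is silent
            # and returns non-zero when either file is missing or differs).
            if cmp -s "$root/sbin/init" "$f"; then
                echo "INDICATOR: $root/sbin/init is identical to $f"
                found=$((found + 1))
            fi
        fi
    done
    IFS=$old_ifs

    if [ "$found" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Usage on a live host (run as root so every directory is readable):
#     kis_scan /
# The third symptom, random port usage, is not a file artifact; review the
# output of 'netstat -tunap' for unexpected listeners and raw sockets instead.
```

Run it against a mounted image of the suspect system where possible, so the check does not depend on a possibly tampered init on the live host; the ELF-header test is deliberately loose because a locally rebuilt kis binary has no stable hash to match.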

Method of Infection

The Linux/Kis .c source files must be downloaded from certain websites and compiled manually.

Removal

Detection is included in the specified DAT release.

In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Delete files identified by the scanner, replace them with clean ones from backup or re-install them using the original packages. Reboot the system.

Administrators should regularly check for the availability of important security updates/patches.

Recommended links:

Caldera

Debian

FreeBSD

Redhat

Sun

SuSe

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
