New Linux Rootkit Emerges
Trailrunner7 writes "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or be meant for use in targeted attacks. The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said his site had been targeted by the malware and some of his customers had been redirected to malicious sites."
Re: (Score:1)
Well, they are suspecting a Russian based attacker, so unless you contract out to Russian jerks then I fear that your supposition is unsupported and is most likely based on wishful thinking. The code was not well hidden, and they didn't strip the symbols in the executable file - hence the programmer still has a lot to learn.
Re: (Score:3, Informative)
How come neither of the links actually describe how this malware infects the machine in the first place? I'd say that's quite an important piece of information completely missing.
I don't think it's self-replicating or installing itself by some vulnerability, I believe it would have to be installed maliciously (perhaps by an employee, or maybe by someone using an unrelated root exploit), or as a Trojan Horse - many people are happy to blindly install unsigned packages on their system, running the installation as root.
Back in the day, I used to make at least a cursory inspection of the Makefile and sometimes would even look over the source code associated with distributed packages.
Re: (Score:3)
Indeed. All it says is that you're redirected to an iframe. How it breaks out of the browser's sandbox and then obtains root privileges isn't mentioned either. I'm quite interested in how they achieved this too, since it would mean that there's a huge privilege escalation in Linux that nobody noticed.
Re: (Score:2)
You can't run a program by just clicking OK on a browser dialogue. No Linux browser knows how to chmod a downloaded file.
Re: (Score:1)
Firefox on Linux used to be able to execute arbitrary commands from extensions: I wrote one which did that on Firefox 2 and ported it to Firefox 3. That means if you can fool someone into installing your extension, you've got them.
Similarly, a *.desktop file (used for Gnome and KDE desktop items) can contain arbitrary shell script. This doesn't need +x, because it isn't executed directly when you click on it, instead the string is passed to system(3). The way I'd use that would be to overwrite a common prog
Re: (Score:2)
Yes, wine does that. But I've never seen KDE running scripts that didn't have the execution bit set. I can't tell about mono, as I simply never installed it.
Re:Infection method? (Score:4, Informative)
Re: (Score:2)
It's something new in the Defense of The Dark Arts: Security Thru Obscurity!
Re: (Score:3)
Looks like an infected kernel module so one of the below:
1) server was cracked, and module compiled
2) compromised kernel mod in distro
More likely #1, but probably too early to tell. Grepping kernel sources for some of the text in the module_init binary may be fun:
http://seclists.org/fulldisclosure/2012/Nov/94 [seclists.org]
Re: (Score:2)
How come neither of the links actually describe how this malware infects the machine in the first place? I'd say that's quite an important piece of information completely missing.
From the article: "Since the command is appended to the end of rc.local, there might actually be shell commands that result in the command not being executed as intended".
The only way to write or edit rc.local is as root, however if you are running a Fedora distribution rc.local does not exist.
Why Only 64-bit (Score:3)
Re: (Score:2)
Just curious why the rootkit is only targeting 64-bit. Is it specifically targeting the Intel 64-bit spec that allows for privilege escalation, or something like that? Reading the article makes it sound like it's an exploit of the AMD little-endian pointers which, since I don't know hardware on that level, I don't know if that means it's actually a CPU exploit or an OS exploit. And if it's a CPU exploit I don't know if it's all AMD64 based including or excluding Intel.
Did it work on 32-bit?
Re:Why Only 64-bit (Score:5, Informative)
amd64 is the name of the architecture you normally call "64-bit" or "x86_64" every day, and is an extension of "i686".
The name is so merely because AMD came up with it.
Intel's modern microprocessors are amd64 as well (they just call it a different name).
Re: (Score:2)
That is confusing. :( I kept thinking amd64 is only for AMD and not Intel.
Re: (Score:2)
That is confusing. :( I kept thinking amd64 is only for AMD and not Intel.
They are both fully binary compatible.
Re: (Score:2)
Yeah, now I know. They should just remove AMD part. :P
Re:Why Only 64-bit (Score:4, Interesting)
"To hook private functions that are called without indirection (e.g., through a function pointer), the rootkit employs inline code hooking. In order to hook a function, the rootkit simply overwrites the start of the function with an e9 byte. This is the opcode for a jmp rel32 instruction, which, as its only operand, has 4 bytes relative offset to jump to," Georg Wicherski of CrowdStrike wrote in a detailed analysis of the new Linux malware.
"The rootkit, however, calculates an 8-byte or 64-bit offset in a stack buffer and then copies 19 bytes (8 bytes offset, 11 bytes uninitialized) behind the e9 opcode into the target function. By pure chance the jump still works, because amd64 is a little endian architecture, so the high extra 4 bytes offset are simply ignored."
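The quoted analysis is easier to follow on bytes. This is an added example (not code from the report or the rootkit): it builds the correct 5-byte jmp rel32 and the 20-byte sloppy variant described above on a plain byte buffer, then decodes both the way a memory-integrity checker that finds an e9 at a function start would, and shows the case where truncating a 64-bit displacement stops working. The addresses are constructed.

```python
import struct

JMP_REL32_OPCODE = 0xE9
JMP_REL32_LEN = 5            # 1 opcode byte + 4-byte little-endian displacement
MASK64 = (1 << 64) - 1

def rel_offset(src, dst):
    """Displacement a jmp placed at src needs: relative to the *next* instruction."""
    return dst - (src + JMP_REL32_LEN)

def rel32_fits(src, dst):
    """True if the displacement is representable as a signed 32-bit value (+/- 2 GiB)."""
    return -(1 << 31) <= rel_offset(src, dst) < (1 << 31)

def encode_jmp_rel32(src, dst):
    """The correct encoding: e9 followed by a signed 32-bit displacement."""
    if not rel32_fits(src, dst):
        raise ValueError("target out of rel32 range")
    return bytes([JMP_REL32_OPCODE]) + struct.pack("<i", rel_offset(src, dst))

def sloppy_patch_bytes(src, dst, stale=b"\xcc" * 11):
    """Reproduce the encoding the analysis describes, on a byte buffer only:
    e9, then an 8-byte displacement, then 11 uninitialized bytes (here a
    constructed stand-in). 20 bytes are written where 5 were needed."""
    return bytes([JMP_REL32_OPCODE]) + struct.pack("<q", rel_offset(src, dst)) + stale

def decode_hook_target(prologue, func_addr):
    """What a checker sees: if the function starts with e9, return the address
    the jmp lands on, else None. The CPU reads only the 4 bytes after the
    opcode, so on little-endian the low half of the 8-byte value is what counts."""
    if len(prologue) < JMP_REL32_LEN or prologue[0] != JMP_REL32_OPCODE:
        return None
    rel = struct.unpack_from("<i", prologue, 1)[0]
    return (func_addr + JMP_REL32_LEN + rel) & MASK64

def clobbered_beyond_jmp(patch):
    """Bytes overwritten past the 5 the jmp actually needs (harmless only because
    control has already left the function by the time they would execute)."""
    return len(patch) - JMP_REL32_LEN

# Constructed addresses, not taken from the report.
FUNC = 0xFFFFFFFFA0001000   # hooked kernel function
HOOK = 0xFFFFFFFFA0123400   # replacement the hook jumps to
FAR = FUNC + (1 << 32)      # a target more than 2 GiB away

if __name__ == "__main__":
    good, sloppy = encode_jmp_rel32(FUNC, HOOK), sloppy_patch_bytes(FUNC, HOOK)
    print(good.hex(), sloppy.hex())
    print(hex(decode_hook_target(good, FUNC)), hex(decode_hook_target(sloppy, FUNC)))
    print("extra bytes clobbered:", clobbered_beyond_jmp(sloppy))
    # With a far target the truncated low 32 bits no longer describe the jump.
    print(hex(decode_hook_target(sloppy_patch_bytes(FUNC, FAR), FUNC)))
```

Both encodings decode to the same target only while the displacement fits in 32 bits; for the far target the truncated value is -5 and the jmp lands back on itself.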
Re: (Score:1)
Again, this is a rootkit. You need root access through some other means to install it. Still a nuisance, though.
Re: (Score:2)
If I were a betting person, I'd say the reason why it was built for 64-bit architectures is because most servers use more than 4GB of RAM, which is the limit for 32-bit operating systems. I could be completely wrong on all counts though.
Re: (Score:2)
I'm not so sure about that. The kernel module uploaded to the Full Disclosure list happened to be an amd64 module targeting Debian kernel 2.6.32-5. But when it's not PHP, most malware I've seen was distributed as source code, compiled at the target machine to match the target's specifications.
Re: (Score:1)
there is nothing to patch, idiot
Rootkit emerged (Score:3, Funny)
Must be specifically targeted at Gentoo then.
Infection Method - Well it's not... (Score:5, Informative)
If you dig into the articles to some of the raw analysis you'll discover two things.
1) "It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely." So it's unlikely that they gained root with something new, but it was a web site that was hacked, so the likely vector is something related to what the site was running: PHP, WordPress, DB injection, and Apache exploits.
2) "Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely."
Re: (Score:2)
That's privilege escalation. A rootkit is a piece of malware that disguises itself by installing hooks at system functions.
conditionbrownpants ?? (Score:2)
(and no, it's not because of my post, because I'm asking after this tag appeared)
Rootkit loads into memory? (Score:2)
How does this 'rootkit' get executed on the target machine? Does it require prior root access in order to successfully execute?
Re: (Score:2)
Is this a rootkit? (Score:1)
An iframe injection that redirects you to a malicious website where you have to download something and run it as root to get infected sounds almost nothing like something that runs as a normal user and exploits local weaknesses to gain privileged access surreptitiously.
Re: (Score:3)
A "rootkit" is not "a kit to get root" but "a kit to keep root, once you somehow get it". Rootkits try to make an intrusion undetectable and un-removable, but they don't provide the intrusion.
Re: (Score:1)
Moderately funny, but this is about servers. A more apt joke would be about Windows Server 2008 or 2012.
Re: (Score:3, Funny)
A more apt joke would be about Windows Server 2008 or 2012.
An even more apt joke would be something like:
# apt-get install windows-server-2008
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package windows-server-2008
But that doesn't seem to work.
Re:There's a new secure OS called... (Score:5, Funny)
no no, read the summary. these boxes were using red hat - "A new Linux rootkit has emerged"
Re:There's a new secure OS called... (Score:4, Funny)
these boxes were using red hat - "A new Linux rootkit has emerged"
That would be Gentoo, where we even have to compile our viruses from source (but then the virus is super-optimized).
Re: (Score:2)
ah, whoops. s/red hat/gentoo/
No rc.local file in Gentoo (Score:3)
So since the "root kit" involves some other vector letting the intruder append something to rc.local (or somehow pivot on whether rc.local ends with an "exit 0") the root kit isn't a root kit but a post-root-promotion exploit.
Re:There's a new secure OS called... (Score:5, Funny)
There's a new secure OS called Rootkit Server 12 - maybe it's time you nerds started upgrading to it!
This is the year of the Linux rootkit.
Re: (Score:3)
. . . on the desktop?
Or on hundreds of millions of Android phones. Or supercomputers. Or TiVos or other DVRs. Or routers, printers, and countless other devices. OMG the world is going to end in 2012!!!
Better to switch to a safe proprietary OS that has never had a security problem.
Re: (Score:1)
Better to switch to a safe proprietary OS that has never had a security problem.
Menuet64? [wikipedia.org]
Re: (Score:3, Informative)
There's a new secure OS called Rootkit Server 12 - maybe it's time you nerds started upgrading to it!
This is the year of the Linux rootkit.
Why? Linux has been around 85% of all web servers in the world for a loooooong time. You don't target the 15% windows servers to get stuff done.
Re: (Score:1)
Linux gets used by the majority since they're smallfry and cash strapped since Linux = free
i get microsoft also missed the memo cos even they have linux on azure
Re: (Score:1)
we don't want "your kind" on the #1 most used OS platform there is on PC desktops and servers combined
your kind stinks and is full of whingeing morons who don't even realise how much they rely on the "2nd rate least used OS platform"
...used google lately?
...read it and weep moron
http://en.wikipedia.org/wiki/Google_platform#Software [wikipedia.org]
Re: (Score:1)
Nix Nuke Week in progress (lmao)
from TFA in linked comment regarding hacked freebsd servers; "hackers were able to gain access to the servers using legitimate SSH keys and not by exploiting any operating system vulnerabilities"...
try again shill
Re: (Score:3)
Since you're so knowledgeable, maybe you could explain to us which 'weakness' this rootkit is exploiting to get itself installed?
Re:Security through obscurity FAIL (Score:5, Informative)
Dunno about AC, but first glance seems to be that it exploits shitty PHP code in order to get itself hosted onto the websites.
According to TFA, it appears to target one specific kernel (Debian-based), and tries to do some hokey-pokey with RAM to get itself executed. If you want a better description go to the original report [seclists.org]
TFA gives some details [crowdstrike.com], however:
The kernel module in question has been compiled for a kernel with the version string 2.6.32-5. The -5 suffix is indicative of a distribution-specific kernel release. Indeed, a quick Google search reveals that the latest Debian squeeze kernel has the version number 2.6.32-5.
The module furthermore exports symbol names for all functions and global variables found in the module, apparently not declaring any private symbol as static in the sources. In consequence, some dead code is left within the module: the linker can't determine whether any other kernel module might want to access any of those dead-but-public functions, and subsequently it can't remove them.
...doesn't say exactly how, but there is one thing that is entirely left out of the equation... if it's a drive-by download, does it definitely require user involvement, or not? According to the original report, the complaints were that their customers were being redirected to a malicious site, but nothing about a trojan being involved.
Re: (Score:3)
The rootkit is half the battle as TFA says... what gets me really wondering is the exploit they used to get unfettered root access, especially if SELinux is enabled and enforcing.
The best short term defense against this? A monolithic kernel that has all modules compiled in, and has module loading disabled. Of course, this loses a lot of functionality.
Long term, maybe the best defense would be to take the TE (trustchk) system from AIX (which can be configured to not run any binaries that are not in a signe
Quick fix (Score:5, Interesting)
The best short term defense against this?
Just put exit 0 at the end of your /etc/rc.local and the rootkit becomes unloadable. Just like in Debian Squeeze.
Re: (Score:2)
I did not get that. Would you kindly explain that?
Re: (Score:2)
The best short term defense against this?
Just put exit 0 at the end of your /etc/rc.local and the rootkit becomes unloadable. Just like in Debian Squeeze.
I did not get that. Would you kindly explain that?
Well, it's even in TFA [threatpost.com], and described in more detail here [crowdstrike.com]. According to the guy who analyzed it (Georg Wicherski): "the command is appended to the end of rc.local" and "On a default Debian squeeze install, /etc/rc.local ends in an exit 0 command, so that the rootkit is effectively never loaded". This [blogspot.com] is what happens when you try to install the rootkit on Debian Squeeze.
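The rc.local point above cuts both ways for a defender: a trailing exit 0 keeps an appended loader line from ever running, and any real command sitting after that exit 0 is itself a sign that somebody appended to the file. Added example (not from the report or any of the posters): a small checker that finds the first unconditional exit 0 and reports the commands after it, run on constructed sample files; the insmod line is a placeholder, not the real path.

```python
import re

# A top-level, unconditional `exit 0` line (optionally followed by a comment).
# Assumption: only column-0 lines count, so an indented exit inside an if-block
# is not treated as ending the script.
EXIT_LINE = re.compile(r"^exit\s+0\s*(#.*)?$")

def analyze_rc_local(text):
    """Locate the first unconditional `exit 0` and collect the real commands
    after it. Those commands are dead (the squeeze default neutralises an
    appended loader this way) and are also exactly where such a line shows up."""
    lines = text.splitlines()
    exit_at = next((i for i, line in enumerate(lines) if EXIT_LINE.match(line)), None)
    if exit_at is None:
        return {"has_exit": False, "dead_tail": []}
    dead = [line for line in lines[exit_at + 1:]
            if line.strip() and not line.lstrip().startswith("#")]
    return {"has_exit": True, "dead_tail": dead}

def verdict(text):
    """One-line summary of what the script does at boot."""
    result = analyze_rc_local(text)
    if not result["has_exit"]:
        return "no unconditional exit 0: anything appended here will run at boot"
    if result["dead_tail"]:
        return ("commands found after exit 0 (never run, but somebody appended them): "
                + "; ".join(result["dead_tail"]))
    return "ends with exit 0 and nothing follows it"

# Constructed sample contents; SQUEEZE_DEFAULT approximates the stock file.
SQUEEZE_DEFAULT = """#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.

exit 0
"""
TAMPERED = SQUEEZE_DEFAULT + "/sbin/insmod /path/to/PLACEHOLDER.ko\n"   # placeholder path
NO_EXIT = "#!/bin/sh -e\n/usr/local/bin/site-maintenance\n"              # constructed

if __name__ == "__main__":
    for name, content in (("squeeze", SQUEEZE_DEFAULT), ("tampered", TAMPERED), ("no exit", NO_EXIT)):
        print(f"{name}: {verdict(content)}")
```

On a live box the same check applies to the real /etc/rc.local; a non-empty dead tail is worth treating as an incident indicator, not just a curiosity.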
Re: (Score:1)
TFA doesn't make a very clear connection between "iFrame injection mechanism" and full root access on the server, particularly as servers don't usually display iframes in a web browser (that's usually on the client end). sure
Re: (Score:3)
Debian does not have SELinux enabled by default. So that is one barrier that frequently they won't have to cross in getting root access.
Debian might also have been targeted for its large market share and not having security extension installed by default. Considering the wide range of uses that Debian is put to it seems like maybe they should create a "public server" install profile that includes things like SELinux enabled and checkrootkit and other routine auditing tools installed.
Re: (Score:2)
IMHO, this is one thing they really need to look into fixing to keep up with what threats are out there.
It doesn't matter if they use SELinux or AppArmor. Just use something to limit the context things run in so even if something like Apache gets compromised, even with a way to UID 0, the mischief they can do is limited, be it to a directory or filesystem, or to only a segment of process space.
One thing I like is how sandboxie works on Windows -- a sandboxed program would have a list of executables (either
Re: (Score:3)
Dunno about AC, but first glance seems to be that it exploits shitty PHP code in order to get itself hosted onto the websites.
How does "first glance" tell you that? And are you talking about code written in the PHP language or about the PHP implementation? And even if you break into a PHP implementation remotely, how do you make the kernel load the module, assuming the administrator isn't an outright idiot and the PHP process isn't running as root?
It Could Entirely Be Redmond Propaganda (Score:1)
1.) Pseudonymous source "stacktrace"
2.) Noone explains which weakness is being "exploited"
I call bullshit on this until they show the code which actually owns the Linux kernel. If you could trace this whole thing, I am quite positive it leads to the checkbook of a Mr Ballmer, resident of Redmond, WA, USA.
Re: (Score:2)
Who is Noone and how well does he explain the weakness being exploited?
Damn that guy gets around.
Re: (Score:3)
He may be a bastard, but he makes the trains run on time.
...try and submit some shit code onto Linus' lap for kernel inclusion... I dare you. ;)
Re: (Score:2)
How about MAC (Mandatory Access Control)?
Hello SELinux... (Fedora)
Re: (Score:2)
Frothing at the mouth, Mr. Ballmer? Linux isn't "a secure alternative to Windows for most folks using it"; it runs on everything from wristwatches to the most powerful supercomputers in the world. Most web servers are running Linux. If Linux were easy to exploit, you'd have heard of a LOT of exploits.
Re: (Score:2)
Of course that would only be if Linux were easy to exploit.
Re: (Score:2)
That's why I'll never buy a Sony product. I would expect a Sony TV to be pre-rooted.
Re: (Score:2)
Wrong. A rootkit is code which maliciously takes over certain functionality at root level. How it got installed doesn't matter for its classification as rootkit. Of course most rootkits get installed by some virus, worm or trojan, but a rootkit which some cracker installed by hand is still a rootkit.
Re: (Score:2)
Did you get new information about some novel and previously unknown exploit for Linux desktop installs?
Nothing is infallible but the historic record has persistently shown the *nix development system delivers a rather robust OS.
So yes, stay vigilant on any system that's exposed to the web or (USB) media, but also do enjoy some peace from knowing you are running an OS that is, from a security standpoint, better designed than the de-facto industry standard for desktops.
Re: (Score:1)
Having said that, you need to already have root access to install this, so it's really not a big deal.
Re: (Score:1)
so how's that bug in your pointless and overly bloated and mindlessly exception handled Python function coming along then?
Re: (Score:1)
meanwhile, linux will continue to dominate the world hahahahah!!!!
Re: (Score:1)
i'm just another bored fool trying in vain to highlight a bug in it
ignore that advice all you want, but anyone who understands Python will read it and think "hahahaha there's an indentation bug on the 5th line... what a dumbass!!!!"
particularly because of the arrogant and ridiculous context that you repeatedly post it
Re: (Score:1)
and your classic response here: http://slashdot.org/comments.pl?sid=3258205&cid=42018527 [slashdot.org]
quote: "(No bugs 5x above, & 100's of times before it the past year or so here)"
i guess it's also slashdot's fault that you're a douchebag?
Re: (Score:1)
the error was your own... you forgot to include the required indent for bug-free posted python code
the fact that it has taken you so long to actually look at your code and realize (even after numerous attempts to point it out to you) confirms how much of an arrogant noob you are
just don't expect me to debug all your code or i'll have to start charging by the hour
Re: (Score:1)
it doesn't put indents in. you have to do that yourself, and you fucked up by missing one... and then bragged about how your code was "bug free" hahahahaha what a douche
"his".... right whatever APK