Forgot your password?
typodupeerror
Security Linux

New Linux Rootkit Emerges 172

Posted by timothy
from the horses-getting-nervous dept.
Trailrunner7 writes "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or be meant for use in targeted attacks. The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said his site had been targeted by the malware and some of his customers had been redirected to malicious sites."
This discussion has been archived. No new comments can be posted.

New Linux Rootkit Emerges

Comments Filter:
  • by Gaygirlie (1657131) <gaygirlie@NOsPAM.hotmail.com> on Tuesday November 20, 2012 @01:52PM (#42043951) Homepage

    Yada-yada-blabber-blabber.

    nobody really uses this OS except hobbyists and niche markets

    Yeah, what with Microsoft, Amazon, Google, Valve and so on. Oh, pssh, they're irrelevant; they count as nobodies, right?

  • Re:Infection method? (Score:3, Informative)

    by hawguy (1600213) on Tuesday November 20, 2012 @02:00PM (#42044075)

    How come neither of the links actually describe how this malware infects the machine in the first place? I'd say that's quite an important piece of information completely missing.

    I don't think it's self-replicating or installing itself by some vulnerability, I believe it would have to be installed maliciously (perhaps by an employee, or maybe by someone using an unrelated root exploit), or as a Trojan Horse - many people are happy to blindly install unsigned packages on their system, running the installation as root.

    Back in the day, I used to make at least a cursory inspection of the Makefile and sometimes would even look over the source code associated with distributed packages. But now I just install the package without even paying attention to what files are being installed. I am a little careful about where I download my packages from, and almost always installed signed packages by a trusted distributor, but I do install packages from unknown developers from time to time.

  • Re:Why Only 64-bit (Score:5, Informative)

    by hobarrera (2008506) on Tuesday November 20, 2012 @02:11PM (#42044233) Homepage

    amd64 is the name of the architecture you normally call "64bits" or "x86_64" every day, and is an extension of "i686".
    The name is so merely because amd came up with it.

    Intel's modern microprocessors are amd64 as well (they just call it a different name).

  • by Penguinisto (415985) on Tuesday November 20, 2012 @02:17PM (#42044309) Journal

    Dunno about AC, but first glance seems to be that it exploits shitty PHP code in order to get itself hosted onto the websites.

    According to TFA, it appears to target one specific kernel (Debian-based), and tries to do some hokey-pokey with RAM to get itself executed. If you want a better description go to the original report [seclists.org]

    TFA gives some details [crowdstrike.com], however:

    The kernel module in question has been compiled for a kernel with the version string 2.6.32-5. The -5 suffix is indicative of a distribution-specific kernel release. Indeed, a quick Google search reveals that the latest Debian squeeze kernel has the version number 2.6.32-5.

    The module furthermore exports symbol names for all functions and global variables found in the module, apparently not declaring any private symbol as static in the sources. In consequence, some dead code is left within the module: the linker can't determine whether any other kernel module might want to access any of those dead-but-public functions, and subsequently it can't remove them.

    ...doesn't say exactly how, but there is one thing that is entirely left out of the equation... if it's a drive-by download, does it definitely require user involvement, or not? According to the original report, the complaints were that they customers were being redirected to a malicious site, but nothing about a trojan being involved.

  • by Kagato (116051) on Tuesday November 20, 2012 @02:25PM (#42044409)

    If you dig into the articles to some of the raw analysis you'll discover two things.

    1) "It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely." So it unlikely that they gained root with something new, but it was a web site that was hacked, so the likely vector is something related to what the site it was running. PHP, WordPress, DB Injection, and Apache exploits.

    2) "Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely."

  • by slashmydots (2189826) on Tuesday November 20, 2012 @02:36PM (#42044589)

    There's a new secure OS called Rootkit Server 12 - maybe it's time you nerds started upgrading to it!

    This is the year of the Linux rootkit.

    Why? Linux has been around 85% of all web servers in the world for a loooooong time. You don't target the 15% windows servers to get stuff done.

  • Re:Infection method? (Score:4, Informative)

    by tyleroar (614054) on Tuesday November 20, 2012 @02:43PM (#42044685) Homepage
    I think you are confused as to what this is doing. How the malware initially got loaded onto the *NIX box is not discussed in the write-up. The malware does not break out of the browser's sandbox and obtain root privileges. The malware is used to add/change the file being served by the web server. There is no mention of what file the malware was being used to serve up...it could be used just to transparently serve up ads or could be used to serve up some client-side exploits.
  • There aren't any known, widespread Linux-based viruses or malware, and the few ones that do exist target server software, Java and/or Flash. And even if you found malware that still made its way in your computer via e.g. a vulnerability in the browser's Javascript - implementation that malware would still have to get root privileges in order to properly hide its existence -- there aren't any known, widespread security holes either in the Linux-kernel or the GNU userland, so if you keep your system up-to-date the chances are very, very slim the code would be able to get root privileges.

    That is to say that if you e.g. used Firefox without Java and with the Flashblock add-on there'd be more-or-less no chances of you getting anything. Don't get scared by articles like this one because, well, this one doesn't spread via the web browser in the first place -- it was likely installed on the system by hand by someone who got access to it because of poor website implementation.

"Laugh while you can, monkey-boy." -- Dr. Emilio Lizardo

Working...