Security Linux

New Linux Rootkit Emerges

Trailrunner7 writes "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or be meant for use in targeted attacks. The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said his site had been targeted by the malware and some of his customers had been redirected to malicious sites."
  • Re:Infection method? (Score:3, Informative)

    by hawguy ( 1600213 ) on Tuesday November 20, 2012 @02:00PM (#42044075)

    How come neither of the links actually describe how this malware infects the machine in the first place? I'd say that's quite an important piece of information completely missing.

    I don't think it's self-replicating or installing itself by some vulnerability, I believe it would have to be installed maliciously (perhaps by an employee, or maybe by someone using an unrelated root exploit), or as a Trojan Horse - many people are happy to blindly install unsigned packages on their system, running the installation as root.

    Back in the day, I used to make at least a cursory inspection of the Makefile and sometimes would even look over the source code associated with distributed packages. But now I just install the package without even paying attention to what files are being installed. I am a little careful about where I download my packages from, and almost always install signed packages by a trusted distributor, but I do install packages from unknown developers from time to time.

  • Re:Why Only 64-bit (Score:5, Informative)

    by hobarrera ( 2008506 ) on Tuesday November 20, 2012 @02:11PM (#42044233)

    amd64 is the name of the architecture you normally call "64bits" or "x86_64" every day, and is an extension of "i686".
    The name is so merely because AMD came up with it.

    Intel's modern microprocessors are amd64 as well (they just call it a different name).

  • by Penguinisto ( 415985 ) on Tuesday November 20, 2012 @02:17PM (#42044309)

    Dunno about AC, but first glance seems to be that it exploits shitty PHP code in order to get itself hosted onto the websites.

    According to TFA, it appears to target one specific kernel (Debian-based), and tries to do some hokey-pokey with RAM to get itself executed. If you want a better description go to the original report [seclists.org]

    TFA gives some details [crowdstrike.com], however:

    The kernel module in question has been compiled for a kernel with the version string 2.6.32-5. The -5 suffix is indicative of a distribution-specific kernel release. Indeed, a quick Google search reveals that the latest Debian squeeze kernel has the version number 2.6.32-5.

    The module furthermore exports symbol names for all functions and global variables found in the module, apparently not declaring any private symbol as static in the sources. In consequence, some dead code is left within the module: the linker can't determine whether any other kernel module might want to access any of those dead-but-public functions, and subsequently it can't remove them.

    ...doesn't say exactly how, but there is one thing that is entirely left out of the equation... if it's a drive-by download, does it definitely require user involvement, or not? According to the original report, the complaints were that their customers were being redirected to a malicious site, but nothing about a trojan being involved.
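The two details quoted from the CrowdStrike write-up above (a module built for one specific kernel version string, and every function left as a global symbol) are both visible in the .ko file itself, before it is ever loaded. The following is an added example, not code from this thread or from CrowdStrike's report: a minimal ELF64 reader that pulls the vermagic tag out of a module's .modinfo section (what `modinfo -F vermagic` prints), checks it against a kernel release string, and lists the global function symbols the module exports. It runs on any real x86-64 .ko; the sample module produced by build_sample_ko() is constructed inline so the script works offline, its symbol names are invented, and the release string 2.6.32-5-amd64 is used only as a plausible Debian squeeze value for the test.

```python
"""Inspect a Linux kernel module (.ko) on disk without loading it.

Added example, not code from the Slashdot thread or from CrowdStrike's report:
a minimal ELF64 reader that pulls the vermagic tag out of the .modinfo section
(what `modinfo -F vermagic` prints) and lists the STB_GLOBAL function symbols
that a module makes visible to other modules.  It runs on any real x86-64 .ko;
the sample module built by build_sample_ko() is constructed here so the script
works offline, and its symbol names are invented for illustration.
"""
import struct

SHT_SYMTAB = 2          # section type / symbol binding and type, from the ELF spec
STB_GLOBAL = 1
STT_FUNC = 2


def _sections(data):
    """Return [(name, sh_type, sh_link, body), ...] in section-index order."""
    if data[:4] != b"\x7fELF" or data[4] != 2:      # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 image")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    hdrs = []
    for i in range(e_shnum):
        sh_name, sh_type, _flags, _addr, sh_off, sh_size, sh_link = struct.unpack_from(
            "<IIQQQQI", data, e_shoff + i * e_shentsize)
        hdrs.append((sh_name, sh_type, sh_off, sh_size, sh_link))
    shstr = hdrs[e_shstrndx][2]                    # start of the section-name string table
    out = []
    for sh_name, sh_type, sh_off, sh_size, sh_link in hdrs:
        name = data[shstr + sh_name:data.index(b"\0", shstr + sh_name)].decode()
        out.append((name, sh_type, sh_link, data[sh_off:sh_off + sh_size]))
    return out


def modinfo(data):
    """Parse the NUL-separated key=value tags of .modinfo into {key: [values]}."""
    blob = next(body for name, _t, _l, body in _sections(data) if name == ".modinfo")
    tags = {}
    for entry in blob.split(b"\0"):
        if b"=" in entry:
            key, value = entry.split(b"=", 1)
            tags.setdefault(key.decode(), []).append(value.decode())
    return tags


def vermagic_matches(data, running_release):
    """True if the module was built for `running_release` (the output of uname -r)."""
    vermagic = modinfo(data).get("vermagic", [""])[0]
    return vermagic.split(" ", 1)[0] == running_release


def global_functions(data):
    """Names of global function symbols: everything the author did not mark static."""
    secs = _sections(data)
    found = []
    for _name, sh_type, sh_link, body in secs:
        if sh_type != SHT_SYMTAB:
            continue
        strtab = secs[sh_link][3]                  # sh_link of .symtab is its string table
        for off in range(0, len(body), 24):        # sizeof(Elf64_Sym) == 24
            st_name, st_info = struct.unpack_from("<IB", body, off)
            if st_info >> 4 == STB_GLOBAL and st_info & 0xF == STT_FUNC:
                found.append(strtab[st_name:strtab.index(b"\0", st_name)].decode())
    return found


def build_sample_ko():
    """Constructed stand-in for a .ko: ELF64 header, four sections, section headers."""
    modinfo_blob = b"vermagic=2.6.32-5-amd64 SMP mod_unload modversions \0license=GPL\0"
    strtab = b"\0hide_proc\0inject_iframe\0local_buf\0"        # invented symbol names
    shstrtab = b"\0.modinfo\0.symtab\0.strtab\0.shstrtab\0"

    def sym(name_off, bind, typ):                  # Elf64_Sym: name, info, other, shndx, value, size
        return struct.pack("<IBBHQQ", name_off, (bind << 4) | typ, 0, 1, 0, 0)
    symtab = (sym(0, 0, 0) + sym(1, STB_GLOBAL, STT_FUNC)
              + sym(11, STB_GLOBAL, STT_FUNC) + sym(25, 0, 1))   # last one: local object

    bodies = [b"", modinfo_blob, symtab, strtab, shstrtab]
    names, types, links = [0, 1, 10, 18, 26], [0, 1, SHT_SYMTAB, 3, 3], [0, 0, 3, 0, 0]
    payload, offsets = b"", []
    for body in bodies:
        offsets.append(64 + len(payload))          # section bodies follow the 64-byte header
        payload += body
    shoff = 64 + len(payload)
    shdrs = b"".join(struct.pack("<IIQQQQIIQQ", n, t, 0, 0, o, len(b), l, 0, 1, 0)
                     for n, t, o, b, l in zip(names, types, offsets, bodies, links))
    ehdr = (b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9
            + struct.pack("<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(bodies), 4))
    return ehdr + payload + shdrs


if __name__ == "__main__":
    import sys
    ko = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ko()
    print("vermagic:", modinfo(ko).get("vermagic"))
    print("matches 2.6.32-5-amd64:", vermagic_matches(ko, "2.6.32-5-amd64"))
    print("global functions:", global_functions(ko))
```

Run it against a suspect file with `python3 koinfo.py /path/to/module.ko` and compare the vermagic with `uname -r` on the host it was found on: a module built for a different release than the one running is either never going to load or was dropped by someone who did not know the target. A long list of global functions on a small module is the "nothing declared static" signature the write-up describes, and the names themselves are usually the fastest read on what the module does. A real rootkit can also hide its .ko and its entry in /proc/modules once loaded, so this only helps with a copy recovered from disk or from a backup.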

  • by Kagato ( 116051 ) on Tuesday November 20, 2012 @02:25PM (#42044409)

    If you dig into the articles to some of the raw analysis you'll discover two things.

    1) "It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely." So it's unlikely that they gained root with something new, but it was a web site that was hacked, so the likely vector is something related to what the site was running. PHP, WordPress, DB Injection, and Apache exploits.

    2) "Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely."

  • by slashmydots ( 2189826 ) on Tuesday November 20, 2012 @02:36PM (#42044589)

    There's a new secure OS called Rootkit Server 12 - maybe it's time you nerds started upgrading to it!

    This is the year of the Linux rootkit.

    Why? Linux has been around 85% of all web servers in the world for a loooooong time. You don't target the 15% Windows servers to get stuff done.

  • Re:Infection method? (Score:4, Informative)

    by tyleroar ( 614054 ) on Tuesday November 20, 2012 @02:43PM (#42044685)
    I think you are confused as to what this is doing. How the malware initially got loaded onto the *NIX box is not discussed in the write-up. The malware does not break out of the browser's sandbox and obtain root privileges. The malware is used to add/change the file being served by the web server. There is no mention of what file the malware was being used to serve up...it could be used just to transparently serve up ads or could be used to serve up some client-side exploits.
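The point in the comment above, that the malware changes what the web server serves rather than what the browser does, is also what makes it awkward to find: if the rewrite happens in the kernel on the way out, the HTML in the document root is untouched and grepping it for iframes finds nothing. The following is an added example, not code from the thread or from either analysis: it fetches a page through the live server and compares the iframes it contains with the file on disk, so that legitimate iframes in the source are tolerated and only the ones that appear in flight are reported. The HTML samples are constructed, and the hostname in the injected tag is invented.

```python
"""Compare what the web server actually sends with the file on disk.

Added example, not from the thread: an injector that rewrites responses on
the way out of the kernel leaves the on-disk HTML untouched, so searching
the document root finds nothing.  Fetching the page through the server and
diffing its iframes against the source file does.  The HTML below is
constructed; the hostname in the injected tag is invented.
"""
import re
import urllib.request

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def iframe_sources(html):
    """The src of every <iframe> tag, in document order ('' when it has none)."""
    sources = []
    for tag in IFRAME_RE.findall(html):
        match = SRC_RE.search(tag)
        sources.append(match.group(1) if match else "")
    return sources


def injected_iframes(served_html, disk_html):
    """Iframe sources present in the served page but absent from the file on disk."""
    legitimate = set(iframe_sources(disk_html))
    return [src for src in iframe_sources(served_html) if src not in legitimate]


def check_url(url, disk_path):
    """Fetch `url` through the live server and compare it with the source file."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        served = resp.read().decode("utf-8", "replace")
    with open(disk_path, encoding="utf-8", errors="replace") as f:
        return injected_iframes(served, f.read())


# Constructed samples: the clean file, and the same page after in-flight injection.
DISK_HTML = ('<html><body><h1>Shop</h1>'
             '<iframe src="/widgets/cart.html"></iframe></body></html>')
SERVED_HTML = DISK_HTML.replace(
    '</body>',
    '<iframe src="http://evil.invalid/in.cgi" width="1" height="1" '
    'style="visibility:hidden"></iframe></body>')

if __name__ == "__main__":
    print(injected_iframes(SERVED_HTML, DISK_HTML))   # ['http://evil.invalid/in.cgi']
```

Run check_url() from a separate machine rather than from the compromised host, and for a dynamic site compare against a page rendered by a known-clean copy of the application rather than a static file. The check only sees iframes, which is what this report describes; an injector that drops a script tag or a redirect instead needs the same comparison with a broader pattern.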
