New Linux Rootkit Emerges 172
Trailrunner7 writes "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or be meant for use in targeted attacks. The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said his site had been targeted by the malware and some of his customers had been redirected to malicious sites."
Re:Why Only 64-bit (Score:4, Interesting)
"To hook private functions that are called without indirection (e.g., through a function pointer), the rootkit employs inline code hooking. In order to hook a function, the rootkit simply overwrites the start of the function with an e9 byte. This is the opcode for a jmp rel32 instruction, which, as its only operand, has 4 bytes relative offset to jump to," Georg Wicherski of CrowdStrike wrote in a detailed analysis of the new Linux malware.
"The rootkit, however, calculates an 8-byte or 64-bit offset in a stack buffer and then copies 19 bytes (8 bytes offset, 11 bytes unitialized) behind the e9 opcode into the target function. By pure chance the jump still works, because amd64 is a little endian architecture, so the high extra 4 bytes offset are simply ignored."
Quick fix (Score:5, Interesting)
The best short term defense against this?
Just put /etc/rc.local and the rootkit becomes unloadable. Just like in Debian Squeeze.
exit 0
at the end of your