New Linux Rootkit Emerges

Posted by timothy
from the horses-getting-nervous dept.
Trailrunner7 writes "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or be meant for use in targeted attacks. The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said his site had been targeted by the malware and some of his customers had been redirected to malicious sites."

  • Re:Why Only 64-bit (Score:4, Interesting)

    by quintus_horatius (1119995) on Tuesday November 20, 2012 @02:21PM (#42044355)
    FTFA (emphasis added):

    "To hook private functions that are called without indirection (e.g., through a function pointer), the rootkit employs inline code hooking. In order to hook a function, the rootkit simply overwrites the start of the function with an e9 byte. This is the opcode for a jmp rel32 instruction, which, as its only operand, has a 4-byte relative offset to jump to," Georg Wicherski of CrowdStrike wrote in a detailed analysis of the new Linux malware.
    "The rootkit, however, calculates an 8-byte or 64-bit offset in a stack buffer and then copies 19 bytes (8 bytes offset, 11 bytes uninitialized) behind the e9 opcode into the target function. By pure chance the jump still works, because amd64 is a little endian architecture, so the high extra 4 bytes offset are simply ignored."
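
The hook mechanics and the 8-byte-offset bug quoted above, worked through in C as an added example (this is not the rootkit's code and not part of the CrowdStrike analysis): it decodes a jmp rel32 the way the CPU does, models the 20-byte overwrite the quote describes, and runs a defender's prologue check over constructed bytes. All addresses, the text range, the filler byte and the function names are the example's own assumptions. It also shows the caveat behind the "pure chance" remark: the truncated jump only reaches the handler while the real displacement fits in 32 bits; a far handler lands somewhere else.

```c
/* Added example for study (not the rootkit's code, not CrowdStrike's):
 * decoding a jmp rel32 inline hook, modelling the described 8-byte-offset
 * defect, and a prologue check a defender can run over a function's bytes.
 * All addresses and bytes below are constructed. Assumes amd64 (little-endian). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_OPCODE 0xE9u
#define JMP_REL32_LEN    5u          /* opcode + 4-byte signed displacement */

/* Read a little-endian 32-bit value byte by byte (host-order independent). */
static int32_t read_le32(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* If the bytes of a function mapped at `addr` begin with jmp rel32, store the
 * address the CPU would jump to and return 1; otherwise return 0.
 * rel32 is sign-extended and relative to the end of the 5-byte instruction. */
int decode_jmp_rel32(const uint8_t *code, size_t len, uint64_t addr, uint64_t *target)
{
    if (len < JMP_REL32_LEN || code[0] != JMP_REL32_OPCODE)
        return 0;
    int64_t rel = read_le32(code + 1);
    *target = addr + JMP_REL32_LEN + (uint64_t)rel;
    return 1;
}

/* Model of the defect from the analysis: e9, then an 8-byte little-endian
 * offset, then 11 bytes that were never initialised (a filler byte stands in).
 * Writes 20 bytes into `dst` and returns that count, or 0 if dst is too small. */
size_t build_buggy_hook(uint8_t *dst, size_t dstlen, uint64_t off64, uint8_t filler)
{
    const size_t total = 1 + 8 + 11;
    if (dstlen < total)
        return 0;
    dst[0] = JMP_REL32_OPCODE;
    for (int i = 0; i < 8; i++)
        dst[1 + i] = (uint8_t)(off64 >> (8 * i));   /* low 4 bytes are what rel32 sees */
    memset(dst + 9, filler, 11);
    return total;
}

/* Defender's check: an unconditional jmp at a function's first byte whose
 * target lies outside the expected text range is a classic inline-hook symptom. */
int prologue_looks_hooked(const uint8_t *code, size_t len, uint64_t addr,
                          uint64_t text_lo, uint64_t text_hi, uint64_t *target)
{
    if (!decode_jmp_rel32(code, len, addr, target))
        return 0;
    return *target < text_lo || *target >= text_hi;
}

/* Constructed scenario: hooked function in a kernel-text-like range, handler
 * about 495 MiB away (within rel32 reach). Returns 1 if the truncated jump still
 * reaches the handler and the check flags it. */
int demo_near_hook(void)
{
    uint8_t fn[32];
    uint64_t fn_addr = 0xffffffff81100000ULL, handler = 0xffffffffa0001000ULL, t = 0;
    size_t n = build_buggy_hook(fn, sizeof fn, handler - (fn_addr + JMP_REL32_LEN), 0xCC);
    if (n != 20 || !decode_jmp_rel32(fn, n, fn_addr, &t) || t != handler)
        return 0;
    return prologue_looks_hooked(fn, n, fn_addr, 0xffffffff81000000ULL,
                                 0xffffffff82000000ULL, &t);
}

/* Same bug with a handler far beyond +-2 GiB: the high offset bytes are dropped
 * and the jump lands elsewhere. Returns 1 if the decoded target differs. */
int demo_far_hook_misses(void)
{
    uint8_t fn[32];
    uint64_t fn_addr = 0xffffffff81100000ULL, far = 0x00007f0000001000ULL, t = 0;
    size_t n = build_buggy_hook(fn, sizeof fn, far - (fn_addr + JMP_REL32_LEN), 0xCC);
    return decode_jmp_rel32(fn, n, fn_addr, &t) && t != far;
}

/* An ordinary prologue (push rbp; mov rbp,rsp) must not be flagged. */
int demo_clean_prologue(void)
{
    const uint8_t clean[] = { 0x55, 0x48, 0x89, 0xE5, 0x90, 0x90 };
    uint64_t t = 0;
    return !prologue_looks_hooked(clean, sizeof clean, 0xffffffff81100000ULL,
                                  0xffffffff81000000ULL, 0xffffffff82000000ULL, &t);
}

int main(void)
{
    printf("near hook decodes and is flagged: %d\n", demo_near_hook());
    printf("far hook misses its handler:      %d\n", demo_far_hook_misses());
    printf("clean prologue not flagged:       %d\n", demo_clean_prologue());
    return 0;
}
```

In practice the prologue check is run against the kernel's own exported symbol addresses (or a pristine copy of the text from disk) rather than the constructed range used here; the decode logic is the same.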

  • Quick fix (Score:5, Interesting)

    by AliasMarlowe (1042386) on Tuesday November 20, 2012 @04:03PM (#42045813)

    The best short term defense against this?

    Just put
    exit 0
    at the end of your /etc/rc.local and the rootkit becomes unloadable. Just like in Debian Squeeze.
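
The check behind this comment, as an added example that is not the commenter's script or any project's code: a small POSIX sh audit that reports whether an rc.local-style file ends in `exit 0` and whether any non-comment lines sit after it (the position where something appended to the file would land and, thanks to the exit, never run). The sample files and the appended path are constructed placeholders, and the helper names are the example's own.

```sh
#!/bin/sh
# Added example, not the commenter's script: audit an rc.local-style file for
# (a) a closing "exit 0" and (b) any effective lines that follow it, which is
# where an appended command would sit and never execute.
# Sample files are constructed in a temp dir; the helpers work on any path.

# Print non-blank, non-comment lines that come after the first bare "exit 0".
# Exit status 1 if any were printed, 0 otherwise.
lines_after_exit() {
    awk '
        seen && $0 !~ /^[ \t]*(#.*)?$/ { print; found = 1 }
        !seen && /^[ \t]*exit[ \t]+0[ \t]*$/ { seen = 1 }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Classify a file: 0 = guarded (exit 0 present, nothing after it),
# 1 = exit 0 present but trailing lines follow it (worth a look),
# 2 = no exit 0 at all (anything appended to the file would run at boot).
rc_local_status() {
    f="$1"
    grep -Eq '^[[:space:]]*exit[[:space:]]+0[[:space:]]*$' "$f" || return 2
    lines_after_exit "$f" >/dev/null && return 0
    return 1
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed samples (the appended path is a placeholder, not a real indicator).
printf '#!/bin/sh\n/usr/local/bin/start-app\nexit 0\n' > "$tmp/guarded"
printf '#!/bin/sh\nexit 0\n/path/to/appended-loader\n' > "$tmp/appended"
printf '#!/bin/sh\n/usr/local/bin/start-app\n' > "$tmp/unguarded"

for f in guarded appended unguarded; do
    rc_local_status "$tmp/$f"
    case $? in
        0) echo "$f: guarded by exit 0" ;;
        1) echo "$f: lines after exit 0:"; lines_after_exit "$tmp/$f" | sed 's/^/    /' ;;
        2) echo "$f: no exit 0, appended lines would run at boot" ;;
    esac
done
```

Run it against the real file with `rc_local_status /etc/rc.local` once the helpers are sourced; status 1 is the interesting case, since it means the guard is in place and something was written after it anyway.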
