
New Linux Rootkit Emerges

Posted by timothy
from the horses-getting-nervous dept.
Trailrunner7 writes "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or be meant for use in targeted attacks. The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said his site had been targeted by the malware and some of his customers had been redirected to malicious sites."
  • it does not appear to be the work of high-level programmer or be meant for use in targeted attacks

    So basically it's installed by some jerkoff contractor with root access, and it's not something involving a hole in the server security?

    • Well, they are suspecting a Russian based attacker, so unless you contract out to Russian jerks then I fear that your supposition is unsupported and is most likely based on wishful thinking. The code was not well hidden, and they didn't strip the symbols in the executable file - hence the programmer still has a lot to learn.

  • Infection method? (Score:5, Insightful)

    by Gaygirlie (1657131) <gaygirlieNO@SPAMhotmail.com> on Tuesday November 20, 2012 @01:50PM (#42043915) Homepage

    How come neither of the links actually describe how this malware infects the machine in the first place? I'd say that's quite an important piece of information completely missing.

    • Re: (Score:3, Informative)

      by hawguy (1600213)

      How come neither of the links actually describe how this malware infects the machine in the first place? I'd say that's quite an important piece of information completely missing.

      I don't think it's self-replicating or installing itself by some vulnerability, I believe it would have to be installed maliciously (perhaps by an employee, or maybe by someone using an unrelated root exploit), or as a Trojan Horse - many people are happy to blindly install unsigned packages on their system, running the installation as root.

      Back in the day, I used to make at least a cursory inspection of the Makefile and sometimes would even look over the source code associated with distributed packages.

    • Indeed. All it says is that you're redirected to an iframe. How it breaks out of the browser's sandbox and then obtains root privileges isn't mentioned either. I'm quite interested in how they achieved this too, since it would mean that there's a huge privilege escalation in linux that nobody noticed.

      • Re:Infection method? (Score:4, Informative)

        by tyleroar (614054) on Tuesday November 20, 2012 @02:43PM (#42044685) Homepage
        I think you are confused as to what this is doing. How the malware initially got loaded onto the *NIX box is not discussed in the write-up. The malware does not break out of the browser's sandbox and obtain root privileges. The malware is used to add/change the file being served by the web server. There is no mention of what file the malware was being used to serve up...it could be used just to transparently serve up ads or could be used to serve up some client-side exploits.
      • To be honest, other than constantly using the word "rootkit", I don't see any references to getting root via this "kit". And the link (this one: https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012 [threatpost.com]) looks like it was written by a computer program pulling random sentences from a malware description and turning it into an article.

        I'm going to wait for the dup, hopefully it'll link to an Ars Technica article or something else relatively reputable.

    • How come neither of the links actually describe how this malware infects the machine in the first place? I'd say that's quite an important piece of information completely missing.

      It's something new in the Defense of The Dark Arts: Security Thru Obscurity!

    • by sl4shd0rk (755837)

      Looks like an infected kernel module so one of the below:
          1) server was cracked, and module compiled
          2) compromised kernel mod in distro

      more likely #1 but probably too early to tell. Grepping kernel sources for some of the text in the module_init binary may be fun:
      http://seclists.org/fulldisclosure/2012/Nov/94 [seclists.org]

    • by donaldm (919619)

      How come neither of the links actually describe how this malware infects the machine in the first place? I'd say that's quite an important piece of information completely missing.

      From the article. "Since the command is appended to the end of rc.local, there might actually be shell commands that result in the command not being executed as intended".

      The only way to write or edit rc.local is as root, however if you are running a Fedora distribution rc.local does not exist.

  • by medv4380 (1604309) on Tuesday November 20, 2012 @01:51PM (#42043925)
    Just curious why the root kit is only targeting 64-bit. Is it specifically targeting the intel 64bit spec that allows for privileged escalation, or something like that? Reading the article makes it sound like it's an exploit of the AMD little endian pointers which, since I don't know hardware on that level, I don't know if that means it's actually a CPU exploit or an OS exploit. And if it's a CPU exploit I don't know if it's all AMD64 based including or excluding Intel.
    • by Sulphur (1548251)

      Just curious why the root kit is only targeting 64-bit. Is it specifically targeting the intel 64bit spec that allows for privileged escalation, or something like that? Reading the article makes it sound like it's an exploit of the AMD little endian pointers which, since I don't know hardware on that level, I don't know if that means it's actually a CPU exploit or an OS exploit. And if it's a CPU exploit I don't know if it's all AMD64 based including or excluding Intel.

      Did it work on 32-bit?

    • Re:Why Only 64-bit (Score:5, Informative)

      by hobarrera (2008506) on Tuesday November 20, 2012 @02:11PM (#42044233) Homepage

      amd64 is the name of the architecture you normally call "64bits" or "x86_64" every day, and is an extension of "i686".
      The name is so merely because amd came up with it.

      Intel's modern microprocessors are amd64 as well (they just call it a different name).

      • by medv4380 (1604309)
        Except Intel didn't implement AMD64 correctly 100%. You can read the US-CERT [cert.org] for yourself if you want. For that all you had to do was run a couple of commands and your code could be escalated to kernel level privileges, but only on Intel 64bit. It would be bad to assume that what works on one as an exploit would work the same way on the other. My concern is about this being a flaw in the CPU similar to what happened with Intel 64bit.
      • by antdude (79039)

        That is confusing. :( I kept thinking amd64 is only for AMD and not Intel.

        • by donaldm (919619)

          That is confusing. :( I kept thinking amd64 is only for AMD and not Intel.

          They are both fully binary compatible.

    • Re:Why Only 64-bit (Score:4, Interesting)

      by quintus_horatius (1119995) on Tuesday November 20, 2012 @02:21PM (#42044355) Homepage
      FTFA (emphasis added):

      "To hook private functions that are called without indirection (e.g., through a function pointer), the rootkit employs inline code hooking. In order to hook a function, the rootkit simply overwrites the start of the function with an e9 byte. This is the opcode for a jmp rel32 instruction, which, as its only operand, has 4 bytes relative offset to jump to," Georg Wicherski of CrowdStrike wrote in a detailed analysis of the new Linux malware.
      "The rootkit, however, calculates an 8-byte or 64-bit offset in a stack buffer and then copies 19 bytes (8 bytes offset, 11 bytes uninitialized) behind the e9 opcode into the target function. By pure chance the jump still works, because amd64 is a little endian architecture, so the high extra 4 bytes offset are simply ignored."

      • by medv4380 (1604309)
        I read that already, but "By pure chance the jump still works, because amd64 is a little endian architecture" which makes me think this is an exploit of the CPU, and not an exploit of the OS. From what that says it overwrites the start of the function that it's targeting with a relative jump of 32 bits of 1 byte. It then calculates a 64 bit address of 8 bytes I assume this is the address of some Root Level command. It then copies the 8 bytes after the 1 byte rel32 byte and an additional 11 bytes of junk. T
        • by Qu4Z (1402097)
          There's no "exploit". The emphasized section just says the programmer was incompetent, but by chance his rootkit still (mostly) works.
          Again, this is a rootkit. You need root access through some other means to install it. Still a nuisance, though.
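To make the quoted hooking description concrete from the detection side, here is a small Python model (an added example, not code from the CrowdStrike write-up or from anyone in the thread). It encodes a correct 5-byte `jmp rel32`, models the sloppy 20-byte write the analysis describes, decodes both the way the CPU would, and runs the kind of entry-byte integrity check a defender would use; the kernel addresses, the known-good prologue and the 11 filler bytes are all constructed.

```python
import struct

JMP_REL32 = 0xE9          # opcode of jmp rel32, a 5-byte instruction
JMP_LEN = 5
MASK64 = (1 << 64) - 1

def encode_jmp_rel32(src, dst):
    """Correct 5-byte hook: e9 followed by rel32 = dst - (src + 5)."""
    rel = dst - (src + JMP_LEN)
    if not -(1 << 31) <= rel < (1 << 31):
        raise ValueError("target not reachable with a rel32")
    return bytes([JMP_REL32]) + struct.pack("<i", rel)

def sloppy_patch(src, dst, uninit=b"\x90" * 11):
    """The write the analysis describes: e9, then 19 bytes copied from a stack
    buffer holding an 8-byte offset plus 11 uninitialized bytes (20 bytes in
    all). The 11 filler bytes here are constructed stand-ins for stack junk."""
    rel64 = dst - (src + JMP_LEN)
    return bytes([JMP_REL32]) + struct.pack("<q", rel64) + uninit

def decode_jmp(src, code):
    """What the CPU does: only the 4 bytes after e9 form the operand, read
    little-endian, so the high half of an 8-byte offset is simply ignored."""
    if code[0] != JMP_REL32:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]
    return (src + JMP_LEN + rel) & MASK64

def inspect_entry(src, current, known_good, text_range):
    """Defender-side check: diff a function's entry bytes against a known-good
    copy and decode any leading jmp to see whether it leaves kernel text."""
    clobbered = sum(a != b for a, b in zip(current, known_good))
    target = decode_jmp(src, current)
    hooked = target is not None and not (text_range[0] <= target < text_range[1])
    return {"hooked": hooked, "target": target, "bytes_clobbered": clobbered}

# Constructed addresses: a hooked function in kernel text, a hook in module space.
SRC, DST = 0xFFFFFFFF81123450, 0xFFFFFFFFA0001000
KERNEL_TEXT = (0xFFFFFFFF81000000, 0xFFFFFFFF82000000)
# Constructed 20-byte known-good prologue (push rbp; mov rbp,rsp; push r15 ...).
KNOWN_GOOD = bytes.fromhex("554889e54157415641554154534883ec284889fb")

def demo():
    """Both patches land on DST, but the sloppy one tramples 20 bytes, not 5."""
    good = encode_jmp_rel32(SRC, DST) + KNOWN_GOOD[JMP_LEN:]
    bad = sloppy_patch(SRC, DST)
    return (inspect_entry(SRC, good, KNOWN_GOOD, KERNEL_TEXT),
            inspect_entry(SRC, bad, KNOWN_GOOD, KERNEL_TEXT))
```

The check also shows the failure mode the "by pure chance" remark implies: once the real offset no longer fits in 32 bits, the sloppy write still assembles a valid jmp, just to the wrong place.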
    • by mlts (1038732) *

      If I were a betting person, I'd say the reason why it was built for 64 bit architectures is because most servers use more than 4GB of RAM, which is the limit for 32 bit operating systems. I could be completely wrong on all counts though.

    • by fearlezz (594718)

      I'm not so sure about that. The kernel module uploaded to the full disclosure list happened to be an amd64 module targeting debian kernel 2.6.32-5. But when it's not php, most malware I've seen was distributed as source code, compiled at the target machine to match the target's specifications.

    • by marcopo (646180)
      Finally something that works better on 64-bit.
  • by Anonymous Coward on Tuesday November 20, 2012 @02:24PM (#42044393)

    Must be specifically targeted at Gentoo then.

  • by Kagato (116051) on Tuesday November 20, 2012 @02:25PM (#42044409)

    If you dig into the articles to some of the raw analysis you'll discover two things.

    1) "It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely." So it's unlikely that they gained root with something new, but it was a web site that was hacked, so the likely vector is something related to what the site was running: PHP, WordPress, DB injection, and Apache exploits.

    2) "Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely."

    • 1) "It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely." So it's unlikely that they gained root with something new, but it was a web site that was hacked, so the likely vector is something related to what the site was running: PHP, WordPress, DB injection, and Apache exploits.

      That's what I thought, too, but it should be researched more carefully. If the malware in question was injected in the first place via PHP, WordPress or something similar then that makes this much, much less of an important issue. However, if the malware did indeed use one or another exploit in the kernel or the default GNU userland, well, THAT would be truly news-worthy and should raise some serious flags.

    • A Russia based attacker eh? Well, when I view the RSS feed through Google Reader, under the article title I see a picture of "Marina 26, Russia" and she does look a little naughty. So, I guess that's that cleared up.
  • Ok, why is this story tagged with conditionbrownpants? Anybody care to explain?

    (and no, it's not because of my post, because I'm asking after this tag appeared)
  • "The rootkit is designed specifically for 64-bit Linux systems .. The new Linux rootkit is loaded into memory and once there"

    How does this 'rootkit' get executed on the target machine, does it require prior root access in order to successfully execute?
    • "The rootkit is designed specifically for 64-bit Linux systems .. The new Linux rootkit is loaded into memory and once there"

      How does this 'rootkit' get executed on the target machine, does it require prior root access in order to successfully execute?

      Yes, it does. It contains no exploits whatsoever.

  • An iframe injection that redirects you to a malicious website where you have to download something and run it as root to get infected sounds almost nothing like something that runs as a normal user and exploits local weaknesses to gain privileged access surreptitiously.

    • by lgw (121541)

      A "rootkit" is not "a kit to get root" but "a kit to keep root, once you somehow get it". Rootkits try to make an intrusion undetectable and un-removable, but they don't provide the intrusion.

  • It sounds like just plain old malware - maybe it does have a rootkit as part of the package - but still.. iFrame injection and a slew of other functional abilities are not in the domain of a 'rootkit'. The definition of a worm is a malicious program that replicates itself.