Jump to content

Linux users targeted by mystery drive-by rootkit


Recommended Posts

Corrine

The malware is aimed at the 64-bit Debian Squeezy kernel and is distributed to would-be victims via an unusual form of iFrame injection attack

 

Security researchers have discovered what appears to be an experimental Linux rootkit designed to infect its highly select victims during a classic drive-by website attack.

 

Posted anonymously to Full Disclosure on 13 November by an annoyed website owner, the rootkit has since been confirmed by CrowdStrike and Kaspersky Lab as being distributed to would-be victims via an unusual form of iFrame injection attack.

 

http://podcasts.info...ce=rss_security

  • Like 1
Link to post
Share on other sites
V.T. Eric Layton

Very interesting write-up at CrowdStrike, particularly the last few paragraphs:

 

 

Conclusion

 

Considering that this rootkit was used to non-selectively inject iframes into nginx webserver responses, it seems likely that this rootkit is part of a generic cyber crime operation and not a targeted attack. However, a Waterhole attack, where a site mostly visited from a certain target audience is infected, would also be plausible. Since no identifying strings yielded results in an Internet search (except for the ksocket library), it appears that this is not a modification of a publicly available rootkit. Rather, it seems that this is contract work of an intermediate programmer with no extensive kernel experience, later customized beyond repair by the buyer.

 

Although the code quality would be unsatisfying for a serious targeted attack, it is interesting to see the cyber-crime-oriented developers, who have partially shown great skill at developing Windows rootkits, move into the Linux rootkit direction. The lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit, is a further indicator that this is not part of a sophisticated, targeted attack.

 

Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely. It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely.

 

Thanks for posting, Corrine.

 

Oh, and it's also interesting that they chose a relatively old kernel to test this on. Debian Squeeze (not Squeezy) is the current stable release of Debian. Most other distributions of Linux are using much newer kernels. Even my Slackware (14), which isn't cutting edge by a long shot, is running 3.2.29. I think this is nothing more than an amateurish experiment of some sort. It'll probably amount to nothing, threat-wise, to GNU/Linux.

  • Like 1
Link to post
Share on other sites
securitybreach

Oh, and it's also interesting that they chose a relatively old kernel to test this on. Debian Squeeze (not Squeezy) is the current stable release of Debian. Most other distributions of Linux are using much newer kernels. Even my Slackware (14), which isn't cutting edge by a long shot, is running 3.2.29. I think this is nothing more than an amateurish experiment of some sort. It'll probably amount to nothing, threat-wise, to GNU/Linux.

 

I came to the same conclusion...

Link to post
Share on other sites
Guest LilBambi

It doesn't have to be that. It could be that they deliberately chose an older kernel. One that most Debian users would not be using if they did their updates as they should. So it would not affect many people but they could still get the information out there so it was not 'hidden'.

Link to post
Share on other sites

  • wheezy will be the next release ( no date set)
  • squeeze is Debian 6.0
  • lenny is Debian 5.0
  • etch is Debian 4.0
  • sarge is Debian 3.1
  • woody is Debian 3.0
  • potato is Debian 2.2
  • slink is Debian 2.1
  • hamm is Debian 2.0
  • bo is Debian 1.3
  • rex is Debian 1.2
  • buzz is Debian 1.1

Link to post
Share on other sites
securitybreach

Bambi's husband JL made a good point:

On a default Debian squeeze install, /etc/rc.local ends in an exit 0 command, so that the rootkit is effectively never loaded. They are appending the command to the end of rc.local. They drop the code and link to it in rc.local, so the code runs as root on next boot or next reload of kernel. Of course once it is running, it hides the changes so you have to boot a cd or something to see it. Their main target is web servers, to spread by injection.

 

(Paraphrasing his comments.)

Link to post
Share on other sites
securitybreach

Yeah I but thought the first point was the kicker:

][/font]On a default Debian squeeze install, /etc/rc.local ends in an exit 0 command, so that the rootkit is effectively never loaded.
Link to post
Share on other sites
V.T. Eric Layton

... but... criminals, being what they are, will keep trying...

 

That's their job, Temmu. Someone has to do it. ;)

Link to post
Share on other sites
amenditman

Sophos Labs has a good, short article about this malware.

Naked Security, Sophos...

FLAMING RETORT: Linux rootkit news "provides some comic relief"

 

 

Could you be infected with this malware and not know about it?

The good news is, that's unlikely.

You'd need to be running the Linux kernel labelled 2.6.32-5-amd64 - that pretty much means the 64-bit version of Debian Squeeze 6.0.0. And you'll have an unexpected kernel module called /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko.

  • Like 1
Link to post
Share on other sites
V.T. Eric Layton

And the debate continues on STILL WITHOUT a definitive answer as to whether or not there actually are Linux viruses out there in the wild gobbling up cpu cycles on unsuspecting tech nerds' computers around the globe.

 

Gosh! What's a geek to do? I may have to go back to MS Windows to avoid all these phantom Linux virii running around out there. :o

  • Like 1
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...