Linux users targeted by mystery drive-by rootkit


Corrine

The malware is aimed at the 64-bit Debian Squeezy kernel and is distributed to would-be victims via an unusual form of iFrame injection attack

 

Security researchers have discovered what appears to be an experimental Linux rootkit designed to infect its highly select victims during a classic drive-by website attack.

 

Posted anonymously to Full Disclosure on 13 November by an annoyed website owner, the rootkit has since been confirmed by CrowdStrike and Kaspersky Lab as being distributed to would-be victims via an unusual form of iFrame injection attack.

 

http://podcasts.info...ce=rss_security

V.T. Eric Layton

Very interesting write-up at CrowdStrike, particularly the last few paragraphs:

 

 

Conclusion

 

Considering that this rootkit was used to non-selectively inject iframes into nginx webserver responses, it seems likely that this rootkit is part of a generic cyber crime operation and not a targeted attack. However, a Waterhole attack, where a site mostly visited from a certain target audience is infected, would also be plausible. Since no identifying strings yielded results in an Internet search (except for the ksocket library), it appears that this is not a modification of a publicly available rootkit. Rather, it seems that this is contract work of an intermediate programmer with no extensive kernel experience, later customized beyond repair by the buyer.

 

Although the code quality would be unsatisfying for a serious targeted attack, it is interesting to see the cyber-crime-oriented developers, who have partially shown great skill at developing Windows rootkits, move into the Linux rootkit direction. The lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit, is a further indicator that this is not part of a sophisticated, targeted attack.

 

Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely. It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely.

 

Thanks for posting, Corrine.

 

Oh, and it's also interesting that they chose a relatively old kernel to test this on. Debian Squeeze (not Squeezy) is the current stable release of Debian. Most other distributions of Linux are using much newer kernels. Even my Slackware (14), which isn't cutting edge by a long shot, is running 3.2.29. I think this is nothing more than an amateurish experiment of some sort. It'll probably amount to nothing, threat-wise, to GNU/Linux.

securitybreach

Oh, and it's also interesting that they chose a relatively old kernel to test this on. Debian Squeeze (not Squeezy) is the current stable release of Debian. Most other distributions of Linux are using much newer kernels. Even my Slackware (14), which isn't cutting edge by a long shot, is running 3.2.29. I think this is nothing more than an amateurish experiment of some sort. It'll probably amount to nothing, threat-wise, to GNU/Linux.

 

I came to the same conclusion...

Guest LilBambi

It doesn't have to be that. It could be that they deliberately chose an older kernel. One that most Debian users would not be using if they did their updates as they should. So it would not affect many people but they could still get the information out there so it was not 'hidden'.

  • wheezy will be the next release ( no date set)
  • squeeze is Debian 6.0
  • lenny is Debian 5.0
  • etch is Debian 4.0
  • sarge is Debian 3.1
  • woody is Debian 3.0
  • potato is Debian 2.2
  • slink is Debian 2.1
  • hamm is Debian 2.0
  • bo is Debian 1.3
  • rex is Debian 1.2
  • buzz is Debian 1.1

securitybreach

Bambi's husband JL made a good point:

On a default Debian squeeze install, /etc/rc.local ends in an exit 0 command, so that the rootkit is effectively never loaded. They are appending the command to the end of rc.local. They drop the code and link to it in rc.local, so the code runs as root on next boot or next reload of kernel. Of course once it is running, it hides the changes so you have to boot a cd or something to see it. Their main target is web servers, to spread by injection.

 

(Paraphrasing his comments.)

securitybreach

Yeah, but I thought the first point was the kicker:

On a default Debian squeeze install, /etc/rc.local ends in an exit 0 command, so that the rootkit is effectively never loaded.
Sophos Labs has a good, short article about this malware.

Naked Security, Sophos...

FLAMING RETORT: Linux rootkit news "provides some comic relief"

 

 

Could you be infected with this malware and not know about it?

The good news is, that's unlikely.

You'd need to be running the Linux kernel labelled 2.6.32-5-amd64 - that pretty much means the 64-bit version of Debian Squeeze 6.0.0. And you'll have an unexpected kernel module called /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko.

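The two concrete technical points in this thread, JL's observation that a default Debian /etc/rc.local ends in "exit 0" (so anything appended after it never runs at boot, but is still a tell-tale of tampering) and the kernel build plus module path that the Sophos article names, can be combined into a simple defender-side check. The script below is an added example and is not code from the thread, CrowdStrike, Sophos or Debian. It assumes the module path /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko exactly as quoted above, uses a constructed rc.local sample rather than a real capture, and takes a root prefix so both checks can be run against a disk mounted from a rescue CD, since, as JL notes, a running rootkit hides its own changes. It goes slightly beyond the thread in that it flags any command after "exit 0", not only an insmod line.

```shell
#!/bin/sh
# Added example, not code from the thread, CrowdStrike, Sophos or Debian.
# Defender-side checks for the two indicators discussed in this thread:
#   1. Debian's /etc/rc.local ends in "exit 0"; commands appended after it
#      never run at boot, but their presence still signals tampering.
#   2. The module path named in the Sophos article (path taken from the
#      thread; the kernel string 2.6.32-5-amd64 is part of that path).
# Because a running rootkit can hide files, both checks accept a root prefix
# so an offline mount (rescue CD, disk mounted at /mnt) can be inspected.

MODULE_REL_PATH="lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko"

# Print every non-blank, non-comment line that follows the first "exit 0".
# Exit status 0 if any such line exists (suspicious), 1 if the file is clean.
trailing_after_exit() {
    awk '
        found && !/^[ \t]*#/ && !/^[ \t]*$/ { print; hit = 1 }
        !found && /^[ \t]*exit[ \t]+0[ \t]*$/ { found = 1 }
        END { if (hit) exit 0; exit 1 }
    ' "$1"
}

# Exit status 0 if the module file exists under the given root ("/" by default).
module_present() {
    root="${1:-/}"
    [ -f "${root%/}/$MODULE_REL_PATH" ]
}

# Run both checks against a root prefix and an rc.local path; prints findings.
report() {
    root="$1"
    rcfile="$2"
    if module_present "$root"; then
        echo "WARNING: $MODULE_REL_PATH present under $root"
    else
        echo "ok: module not found under $root"
    fi
    if [ -r "$rcfile" ]; then
        if extra="$(trailing_after_exit "$rcfile")"; then
            echo "WARNING: commands after 'exit 0' in $rcfile:"
            echo "$extra"
        else
            echo "ok: nothing after 'exit 0' in $rcfile"
        fi
    else
        echo "skip: $rcfile not readable"
    fi
}

# Constructed sample (not a real capture) of a tampered rc.local: Debian's
# default ends in "exit 0" and a module-loading line was appended after it.
# Writes the sample to a temporary file and prints its path.
make_sample_rc_local() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
exit 0
insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko
EOF
    echo "$tmp"
}

# Stand-alone demo on the constructed sample. For a real check from a rescue
# environment with the disk mounted at /mnt, run: report /mnt /mnt/etc/rc.local
sample="$(make_sample_rc_local)"
report / "$sample"
rm -f "$sample"
```

Running it as-is prints "ok" for the module check on a normal system and a WARNING listing the appended insmod line from the constructed sample; pointing `report` at a mounted root instead of `/` is what makes the check meaningful, because on the live system the rootkit can lie about both the file list and the file contents.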
V.T. Eric Layton

And the debate continues on STILL WITHOUT a definitive answer as to whether or not there actually are Linux viruses out there in the wild gobbling up cpu cycles on unsuspecting tech nerds' computers around the globe.

 

Gosh! What's a geek to do? I may have to go back to MS Windows to avoid all these phantom Linux virii running around out there. :o
