
A new Linux rootkit has emerged, and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer, nor does it appear to be meant for use in targeted attacks.

Once the new Linux rootkit is loaded into memory, it extracts a number of kernel memory addresses and stores them for later use. It then hooks several kernel functions in order to hide some of its files on the machine.

“To hook private functions that are called without indirection (e.g., through a function pointer), the rootkit employs inline code hooking. In order to hook a function, the rootkit simply overwrites the start of the function with an e9 byte. This is the opcode for a jmp rel32 instruction, which, as its only operand, has 4 bytes relative offset to jump to,” Georg Wicherski of CrowdStrike wrote in a detailed analysis of the new Linux malware.
“The rootkit, however, calculates an 8-byte or 64-bit offset in a stack buffer and then copies 19 bytes (8 bytes offset, 11 bytes uninitialized) behind the e9 opcode into the target function. By pure chance the jump still works, because amd64 is a little endian architecture, so the high extra 4 bytes offset are simply ignored.”
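The encoding detail Wicherski describes is easiest to see with a few lines of code. The following is an added example, not code from the analysis or from the rootkit: it encodes a jmp rel32 the correct way and the sloppy 8-byte way, decodes both exactly as the CPU would (only the four bytes after e9 are read, little-endian), and then applies the same decoder as a simple inline-hook check over constructed function prologues. The addresses and the kernel text and module ranges are hypothetical values chosen for the illustration.

```python
import struct

# Hypothetical address ranges used only for this illustration (not from the analysis).
KERNEL_TEXT = (0xFFFFFFFF81000000, 0xFFFFFFFF82000000)   # assumed core kernel text
MODULE_AREA = (0xFFFFFFFFA0000000, 0xFFFFFFFFFF000000)   # assumed module mapping area


def encode_jmp_rel32(src, dst):
    """Correct 5-byte encoding: e9 followed by a signed 32-bit displacement
    measured from the end of the instruction (src + 5)."""
    rel = dst - (src + 5)
    if not -2**31 <= rel < 2**31:
        raise ValueError("target not reachable with a rel32 jump")
    return b"\xe9" + struct.pack("<i", rel)


def encode_sloppy_jmp(src, dst, junk=b"\xcc" * 11):
    """The encoding the write-up describes: a 64-bit displacement plus 11
    uninitialized bytes (here a constructed 0xcc filler) copied after e9,
    20 bytes in total. The CPU still decodes only the first 4 bytes after e9."""
    rel = dst - (src + 5)
    return b"\xe9" + struct.pack("<q", rel) + junk


def decode_jmp_rel32(code, addr):
    """Decode the bytes at addr the way the CPU does. Returns the jump target
    when the first instruction is jmp rel32, otherwise None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack("<i", code[1:5])[0]      # little endian: low 4 bytes only
    return (addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF


def find_inline_hooks(prologues):
    """prologues: {symbol: (address, first_bytes)}. Flags every function whose
    first instruction is a jmp rel32 that leaves the core kernel text, which is
    the footprint an inline hook into a loaded module leaves behind."""
    hooked = {}
    for name, (addr, code) in prologues.items():
        target = decode_jmp_rel32(code, addr)
        if target is None:
            continue
        if not (KERNEL_TEXT[0] <= target < KERNEL_TEXT[1]):
            hooked[name] = target
    return hooked


# Constructed sample: one hooked prologue, one normal prologue (push rbp; mov rbp,rsp),
# and one legitimate jmp that stays inside kernel text.
HOOK_SRC, HOOK_DST = 0xFFFFFFFF81000000, 0xFFFFFFFFA0001000
SAMPLE_PROLOGUES = {
    "tcp_sendmsg": (HOOK_SRC, encode_sloppy_jmp(HOOK_SRC, HOOK_DST)),
    "vfs_read": (0xFFFFFFFF81100000, b"\x55\x48\x89\xe5\x41\x57"),
    "helper_stub": (0xFFFFFFFF81200000,
                    encode_jmp_rel32(0xFFFFFFFF81200000, 0xFFFFFFFF81200100)),
}

if __name__ == "__main__":
    for name, target in find_inline_hooks(SAMPLE_PROLOGUES).items():
        print(f"{name}: first instruction jumps to {target:#x}")
```

The sloppy encoding only survives because the real displacement fits in a signed 32-bit value, so its low four bytes are exactly the rel32 the CPU expects; the remaining 15 bytes overwrite the function body but are never decoded on that path. The same decoder, pointed at the first bytes of exported kernel functions, is the basis of the usual integrity checks that rootkit detectors perform.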

The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said that his site had been targeted by the malware and some of his customers had been redirected to malicious sites.

The rootkit, like many pieces of malware, relies on a remote command-and-control server for some instructions. The server is still active right now and researchers said that it has some other related tools stored on it, as well. In order to inject the iframes onto targeted sites the rootkit uses a custom method.

“The iFrame injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg – which is responsible for building TCP packets – with its own function, so the malicious iFrames are injected into the HTTP traffic by direct modification of the outgoing TCP packets,” Marta Janus of Kaspersky Lab said in her analysis of the rootkit. 

“In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication. We weren’t able to connect to the C&C on the port used by malware, but the malicious server is still active and it hosts other *NIX based tools, such as log cleaners.”
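Because the injection happens below the HTTP layer, the web server itself never sees the extra bytes; only a client on the wire does. The following is an added example, not code from either analysis: a small checker for a captured HTTP response that looks for the two signs such packet-level injection would leave behind. It assumes, as the lack of proper HTTP parsing suggests, that the injected bytes are added without adjusting the Content-Length header, and it flags any iframe or script source pointing at a host outside an expected allowlist. The responses and the host names are constructed for the illustration.

```python
import re
from urllib.parse import urlparse

# Matches <iframe src=...> and <script src=...> tags, with or without quotes.
INJECT_TAG_RE = re.compile(rb"<(?:iframe|script)\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def check_response(raw, allowed_hosts):
    """Return a list of findings for one captured response.

    Assumption: a packet-level injector that does not reparse HTTP leaves the
    original Content-Length in place, so header and body length disagree."""
    _, headers, body = parse_http_response(raw)
    findings = []
    declared = headers.get("content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        findings.append(f"content-length mismatch: header says {declared}, body is {len(body)} bytes")
    for match in INJECT_TAG_RE.finditer(body):
        src = match.group(1).decode("latin-1")
        host = urlparse(src).hostname          # None for same-origin relative paths
        if host and host not in allowed_hosts:
            findings.append(f"embedded resource from unexpected host: {host}")
    return findings


# Constructed samples: what the application produced, and the same response
# as a client would see it after an iframe was spliced into the TCP stream.
CLEAN_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                  b"Content-Type: text/html\r\n"
                  b"Content-Length: 28\r\n\r\n"
                  b"<html><body>hi</body></html>")
INJECTED_RESPONSE = CLEAN_RESPONSE + (
    b'<iframe src="http://injected.example/x" width=0 height=0></iframe>')
ALLOWED_HOSTS = {"www.example"}

if __name__ == "__main__":
    for label, resp in (("clean", CLEAN_RESPONSE), ("injected", INJECTED_RESPONSE)):
        print(label, check_response(resp, ALLOWED_HOSTS) or "no findings")
```

Run the check from a separate machine against responses captured on the wire, not from the suspect server, since the whole point of hooking tcp_sendmsg is that the server's own application layer is not what leaves the box. Chunked responses carry no Content-Length, so for those only the host allowlist part of the check applies.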

Once the rootkit connects to the C&C server, the server sends back instructions about what code the malware should inject onto the target site. The C&C server will send details on whether it should inject JavaScript or an iframe and the specific code to be used. Wicherski said that the rootkit’s method for maintaining persistence on the infected machine is somewhat sloppy.

“Since the command is appended to the end of rc.local, there might actually be shell commands that result in the command not being executed as intended. On a default Debian squeeze install, /etc/rc.local ends in an exit 0 command, so that the rootkit is effectively never loaded,” he wrote.
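The persistence weakness Wicherski points out is also something an administrator can check for directly. The following is an added example, not code from the analysis: it walks an rc.local script, records where the first exit statement sits, lists every command below it (which the shell will never run, but which proves something appended to the file) and lists any insmod or modprobe invocation wherever it appears, since a module load placed above the exit line would be live. The two rc.local contents are constructed, and the module path is a placeholder rather than the rootkit's real one.

```python
import re
import shlex

LOADER_CMDS = {"insmod", "modprobe"}
EXIT_RE = re.compile(r"^exit(\s+\d+)?\s*(#.*)?$")


def audit_rc_local(text):
    """Return a report for the given rc.local contents:
    exit_line    - line number of the first plain 'exit N' statement, or None
    dead_lines   - (line number, command) pairs below that exit, never executed
    module_loads - (line number, command) pairs that load a kernel module"""
    report = {"exit_line": None, "dead_lines": [], "module_loads": []}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # comments and the shebang
            continue
        if report["exit_line"] is None and EXIT_RE.match(line):
            report["exit_line"] = number
            continue
        if report["exit_line"] is not None:
            report["dead_lines"].append((number, line))
        try:
            words = shlex.split(line)
        except ValueError:                        # unbalanced quotes: fall back
            words = line.split()
        # Inspect every word so 'sudo insmod x.ko' or 'foo; modprobe bar' are caught.
        if any(word.rstrip(";") in LOADER_CMDS for word in words):
            report["module_loads"].append((number, line))
    return report


def is_suspicious(report):
    """Anything below the exit line, or any module load at all, deserves a look."""
    return bool(report["dead_lines"] or report["module_loads"])


# Constructed sample resembling a default rc.local with a line appended after exit 0.
SAMPLE_INFECTED = """#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# By default this script does nothing.

exit 0
insmod /lib/modules/PLACEHOLDER/module.ko
"""

# Constructed sample of a harmless, locally edited rc.local.
SAMPLE_CLEAN = """#!/bin/sh -e
/usr/local/bin/start-something
exit 0
"""

if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        report = audit_rc_local(sample)
        print(label, "suspicious" if is_suspicious(report) else "ok", report)
```

On a live system feed it the contents of /etc/rc.local; a hit in dead_lines means the persistence attempt failed but the file was still written to by something with root privileges, which is the more important fact.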

Researchers believe that the Linux rootkit likely is being used in cybercrime operations rather than in targeted attacks, as the quality of the code isn’t high enough to have come from one of the groups engaged in the upper level attacks right now.

“Although the code quality would be unsatisfying for a serious targeted attack, it is interesting to see the cyber-crime-oriented developers, who have partially shown great skill at developing Windows rootkits, move into the Linux rootkit direction. The lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit, is a further indicator that this is not part of a sophisticated, targeted attack,” Wicherski said.

Categories: Malware

Comments (23)

  1. John Fro
    1

    It’s not at all clear from the article how the rootkit ends up on the machine in the first place.

  2. Jay Pfoutz
    2

    Hi there! I believe it ends up on the machine through iFrame injections (drive-by downloads). Unless, someone corrects me, I believe this is the case here.


  3. Chris
    3

    Another useful piece of information would be clarification of how to secure a machine from this rootkit. They mention how the rootkit appends a line to rc.local, and that it apparently doesn’t properly run on Debian squeeze due to the rc.local file included with that system ending with an exit 0 statement. Does this mean that appending exit 0 to rc.local is enough to block the attack?

  4. Anonymous
    4

    @Jay Pfoutz: iframes are used to spread malware from the infected server to visitors. Iframes are not used to infect the server as servers usually don’t run any browsers.

  5. Peter Flynn
    5

    I read it as meaning that appending exit 0 to rc.local would prevent the rootkit persisting across a reboot. But we still need details about the infection vector. The iframes appear to be what the server uses to cause remote clients to download malware (or perhaps ads; we don’t know). This report must be treated as unusable until we have proper details, but don’t let that stop you from adding exit 0 to your rc.local :-)

  6. kilgoretrout
    6

    If this malware is capable of appending a line to your rc.local, I imagine it could be easily modified to comment out exit 0.

  7. Anonymous
    7

    Interesting – in a proper Linux setup, rc.local can only be written to by the root account, so how does an iframe from a user get access to write to a system file not normally accessible by a user?

  8. Anonymous
    8

    Something bad has happened and that is the extent of the context and detail of this report. How does the “rootkit” infect the web server?

  9. M337sh33ld
    9

    rc.local ends/exits/stops processing at exit 0. This not very smart malware appends a line to rc.local, but rc.local ends at exit 0 and NEVER RUNS the newly added line. Adding exit 0 to rc.local would stop this malfeasance from running IF you put exit 0 BEFORE the bug line…but if you were doing that, why not just delete the offending line. Based on the minimal info given in this article, you could manually check rc.local for added lines. Maybe someone hit by this bug could post the infected added line. But a quick manual audit of the machine would be best; further investigation would be warranted if you have a modified rc.local.

  10. Anonymous
    11

    hey guys, read the external link in the article. the rootkit is loaded as a module for distro-specific compiled kernel. it’s an inside job i think :-/

  11. PR FUD
    12

    Only install software from trusted repositories, and check the signatures. Prefer secure rather than “user-friendly” distros for your servers.

    This is just PR FUD from a wannabe “security company”. It looks like someone is seeking pre-orders for their to-be-released virusware.

    You would need to take heroic measures to infect your nginx proxy server: Install a specific kernel and the malware kernel module, edit the init scripts, … Then you end up with a partially working prototype malware “infection”, that may, or may not redirect web visitors to a malware site via an embedded <iframe>.

    If you have time to search out and read variations on this “story”, some of the comments are quite humorous .

  12. Anonymous
    14

    yep, as long as it has the root password, it successfully carries out its function.  wink.  amazing little rootkit.

  13. John B.
    15
    Rootkits really suck…reason I left Microsoft; now on Ubuntu (only 64 bit). Pretty soon you will have to install virus software on your Linux platform, just like you do with Microsoft junk, just to keep your system safe!!!

  14. Anonymous
    16

    @John B.

    Well so far, unless proven otherwise, it does look like someone did install virus software on Linux… Oh you meant an anti-virus. : )

  15. Anonymous
    17

    Gone are the Good Old Days for Linux users to enjoy the world of free malware. But could you guys show us the known solution to this problem?

  16. YellowApple
    20

    The problem with this article – and the malware report in general – is that there’s no indication of how it gained the ability to edit rc.local at all; that file is normally only writeable by root.  This report would be much more useful if there was some indication of exactly how the rootkit is gaining the privileges necessary to be effective.

    I get that it’s intended to be loaded as a kernel module, but there’s the question of how it got loaded to begin with; unless someone is modprobing the malware as root, then there has to be some kind of exploit being utilized to gain the necessary permissions to touch the kernel at all.  I’d like to know what that exploit is.

    In other words: more details would be great in order to determine how this happened and how to prevent it.

  17. Another Anonymous
    21

    With tools like DKMS it’s pretty easy to compile additional kernel modules for a Debian system. As long as this module doesn’t show up in an official, signed .deb I wouldn’t worry about an inside job at Debian. But we still don’t know how this system was compromised.

  18. Anonymous
    22

    How did it get the escalated privs… yes, I think you’ve got it.

    Must be the person is running a browser as root for the “local user” or some such.

    Come on people this doesn’t even pass the SNIFF test of a real threat.


    Stop reacting to these things like Linux has no privilege separation. Gads!

  19. gouchout
    23

    PR FUD – exactly. They’re all the same – I wonder if Graham Clueless of Sophos fame has anything to say about it. He usually does have something to say about everything, that amounts to “spend more money on AV etc.”
    It’s the same with all these Linux stories – they bang on about some “rootkit”, but it’s never clear how one is supposed to get infected. It becomes obvious that it has to be an inside job every time – & if you’ve got that level of access then the sky’s the limit anyway…

Comments are closed.