A new Linux rootkit has emerged, and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or to be meant for use in targeted attacks.

The new Linux rootkit is loaded into memory and once there, it pulls out some memory addresses and then stores them for use later. It also then hooks into several kernel functions as a way to hide some of its files on the machine. 

“To hook private functions that are called without indirection (e.g., through a function pointer), the rootkit employs inline code hooking. In order to hook a function, the rootkit simply overwrites the start of the function with an e9 byte. This is the opcode for a jmp rel32 instruction, which, as its only operand, has 4 bytes relative offset to jump to,” Georg Wicherski of CrowdStrike wrote in a detailed analysis of the new Linux malware.
“The rootkit, however, calculates an 8-byte or 64-bit offset in a stack buffer and then copies 19 bytes (8 bytes offset, 11 bytes uninitialized) behind the e9 opcode into the target function. By pure chance the jump still works, because amd64 is a little endian architecture, so the high extra 4 bytes offset are simply ignored.”
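As an added illustration (not code from either analysis), this Python snippet models how an integrity checker would decode a jmp rel32 at a function entry, and why the 8-byte offset described above still decodes correctly only because the displacement happens to fit in 32 bits; the addresses and the 0xCC filler standing in for the uninitialized bytes are constructed.

```python
import struct
from typing import Optional

JMP_REL32 = 0xE9   # opcode of jmp rel32; the instruction is 5 bytes long
JMP_LEN = 5

def decode_inline_jmp(prologue: bytes, func_addr: int) -> Optional[int]:
    """Return the jump target if the function starts with jmp rel32, else None.

    The CPU consumes exactly 4 little-endian bytes after the opcode, so an
    integrity checker decodes the same way however many bytes were written.
    """
    if len(prologue) < JMP_LEN or prologue[0] != JMP_REL32:
        return None
    rel32 = struct.unpack_from("<i", prologue, 1)[0]   # signed 32-bit
    return func_addr + JMP_LEN + rel32

def offset_survives_truncation(rel64: int) -> bool:
    """The 64-bit offset only 'works' when its low 4 bytes carry the whole
    value, i.e. when it would have fit a proper rel32 in the first place."""
    return -(1 << 31) <= rel64 < (1 << 31)

def sloppy_patch_bytes(func_addr: int, hook_addr: int) -> bytes:
    """Model of the write described in the analysis: e9, an 8-byte offset, then
    11 bytes that were never initialised (0xCC stands in for them here)."""
    rel64 = hook_addr - (func_addr + JMP_LEN)
    return bytes([JMP_REL32]) + struct.pack("<q", rel64) + b"\xCC" * 11

def clobbered_bytes(observed: bytes, known_good: bytes) -> int:
    """Bytes of the prologue that differ from a trusted copy of the function.
    A clean 5-byte hook changes 5; this patch damages 20."""
    return sum(1 for a, b in zip(observed, known_good) if a != b)

# Constructed addresses: a kernel text symbol and a module address, both in
# the usual amd64 kernel ranges, so the displacement fits in 32 bits.
FUNC_ADDR = 0xFFFFFFFF81400000
HOOK_ADDR = 0xFFFFFFFFA0001000

if __name__ == "__main__":
    patched = sloppy_patch_bytes(FUNC_ADDR, HOOK_ADDR)
    print(patched.hex(), hex(decode_inline_jmp(patched, FUNC_ADDR)))
```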

The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said that his site had been targeted by the malware and some of his customers had been redirected to malicious sites.

The rootkit, like many pieces of malware, relies on a remote command-and-control server for some instructions. The server is still active right now and researchers said that it has some other related tools stored on it, as well. In order to inject the iframes onto targeted sites the rootkit uses a custom method.

“The iFrame injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg – which is responsible for building TCP packets – with its own function, so the malicious iFrames are injected into the HTTP traffic by direct modification of the outgoing TCP packets,” Marta Janus of Kaspersky Lab said in her analysis of the rootkit. 

“In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication. We weren’t able to connect to the C&C on the port used by malware, but the malicious server is still active and it hosts other *NIX based tools, such as log cleaners.”

Once the rootkit connects to the C&C server, the server sends back instructions about what code the malware should inject onto the target site. The C&C server will send details on whether it should inject JavaScript or an iframe and the specific code to be used. Wicherski said that the rootkit’s method for maintaining persistence on the infected machine is somewhat sloppy.

“Since the command is appended to the end of rc.local, there might actually be shell commands that result in the command not being executed as intended. On a default Debian squeeze install, /etc/rc.local ends in an exit 0 command, so that the rootkit is effectively never loaded,” he wrote.
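As an added defender-side check (not code from the analysis), this Python function audits an rc.local file for module-loading commands that would actually run at boot and for commands appended after `exit 0`, which never execute but still show the file was tampered with; the sample files and the module path are constructed placeholders.

```python
import re
import shlex
from typing import List, Tuple

# Commands a stock rc.local normally has no reason to contain.
MODULE_LOADERS = {"insmod", "modprobe"}
EXIT_RE = re.compile(r"^exit\b")

def audit_rc_local(text: str) -> Tuple[List[str], List[str]]:
    """Return (reachable_suspects, unreachable_lines).

    reachable_suspects: module-loading commands the shell would actually run.
    unreachable_lines: non-comment lines after the first top-level `exit`,
    which never execute (the Debian squeeze case) but mean something was
    appended to the file after installation.
    """
    reachable: List[str] = []
    unreachable: List[str] = []
    exited = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank, comment or shebang
            continue
        if exited:
            unreachable.append(line)
            continue
        if EXIT_RE.match(line):                   # assumes a top-level exit
            exited = True
            continue
        try:
            words = shlex.split(line)
        except ValueError:                        # unbalanced quotes etc.
            words = line.split()
        if words and words[0].rsplit("/", 1)[-1] in MODULE_LOADERS:
            reachable.append(line)
    return reachable, unreachable

# Constructed samples; the module path is a placeholder, not a real indicator.
SQUEEZE_STYLE = """#!/bin/sh -e
# rc.local
exit 0
insmod /path/to/appended_module.ko
"""
NO_TRAILING_EXIT = """#!/bin/sh
/usr/local/bin/start-app
insmod /path/to/appended_module.ko
"""
```

Running `audit_rc_local(SQUEEZE_STYLE)` reports the appended line as unreachable, while `audit_rc_local(NO_TRAILING_EXIT)` reports it as a reachable module load.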

Researchers believe that the Linux rootkit likely is being used in cybercrime operations rather than in targeted attacks, as the quality of the code isn’t high enough to have come from one of the groups engaged in the upper level attacks right now.

“Although the code quality would be unsatisfying for a serious targeted attack, it is interesting to see the cyber-crime-oriented developers, who have partially shown great skill at developing Windows rootkits, move into the Linux rootkit direction. The lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit, is a further indicator that this is not part of a sophisticated, targeted attack,” Wicherski said.


Comments (23)

  1. John Fro

    It’s not at all clear from the article how the rootkit ends up on the machine in the first place.

  2. Jay Pfoutz

    Hi there! I believe it ends up on the machine through iFrame injections (drive-by downloads). Unless someone corrects me, I believe this is the case here.


  3. Chris

    Another useful piece of information would be clarification of how to secure a machine from this rootkit. They mention how the rootkit appends a line to rc.local, and that it apparently doesn’t properly run on Debian squeeze due to the rc.local file included with that system ending with an exit 0 statement. Does this mean that appending exit 0 to rc.local is enough to block the attack?

  4. Anonymous

    @Jay Pfoutz: iframes are used to spread malware from the infected server to visitors. Iframes are not used to infect the server as servers usually don’t run any browsers.

  5. Peter Flynn

    I read it as meaning that appending exit 0 to rc.local would prevent the rootkit persisting across a reboot. But we still need details about the infection vector. The iframes appear to be what the server uses to cause remote clients to download malware (or perhaps ads; we don’t know). This report must be treated as unusable until we have proper details, but don’t let that stop you from adding exit 0 to your rc.local 🙂

  6. kilgoretrout

    If this malware is capable of appending a line to your rc.local, I imagine it could be easily modified to comment out exit 0.

  7. Anonymous

    Interesting – in a proper Linux setup, rc.local can only be written to by the root account, so how does an iframe from a user get access to write to a system file not normally accessible by a user?

  8. Anonymous

    Something bad has happened and that is the extent of the context and detail of this report. How does the “rootkit” infect the web server?

  9. M337sh33ld

    rc.local ends/exits/stops processing at exit 0. This not-very-smart malware appends a line to rc.local, but rc.local ends at exit 0 and NEVER RUNS the newly added line. Adding exit 0 to rc.local would stop this malfeasance from running IF you put exit 0 BEFORE the bug line… but if you were doing that, why not just delete the offending line? Based on the minimal info given in this article, you could manually check rc.local for added lines. Maybe someone hit by this bug could post the infected added line. But a quick manual audit of the machine would be best; further investigation would be warranted if you have a modified rc.local.



  10. Anonymous

    hey guys, read the external link in the article. the rootkit is loaded as a module for distro-specific compiled kernel. it’s an inside job i think :-/

  11. PR FUD

    Only install software from trusted repositories, and check the signatures. Prefer secure rather than “user-friendly” distros for your servers.

    This is just PR FUD from a wannabe “security company”. It looks like someone is seeking pre-orders for their to-be-released virusware.

    You would need to take heroic measures to infect your nginx proxy server: Install a specific kernel and the malware kernel module, edit the init scripts, … Then you end up with a partially working prototype malware “infection”, that may, or may not redirect web visitors to a malware site via an embedded <iframe>.

    If you have time to search out and read variations on this “story”, some of the comments are quite humorous .

  12. Anonymous

    yep, as long as it has the root password, it successfully carries out its function.  wink.  amazing little rootkit.

  13. John B.
    Rootkits really suck… reason I left Microsoft, now on Ubuntu (only 64 bit). Pretty soon you will have to install virus software on your Linux platform, just like you do with Microsoft junk, just to keep your system safe!!!


  14. Anonymous

    @John B.

    Well so far, unless proven otherwise, it does look like someone did install virus software on Linux… Oh you meant an anti-virus. : )

  15. Anonymous

    Gone are the good old days for Linux users to enjoy the world of free malware. But could you guys show us the known solution to this problem?
