Rootkit Being Used in Attacks on Exim Bug

Author: Dennis Fisher
minute read

Attackers have begun using the bug in the Exim mailer that was disclosed earlier this week to install a rootkit on machines running vulnerable versions of the software.

Attackers have begun using the bug in the Exim mailer that was disclosed earlier this week to install a rootkit on machines running vulnerable versions of the software.

The vulnerability in Exim, which is a mail transfer agent used on Unix-based machines, came to light on Monday and can result in remote code execution. US-CERT said in an advisory on Monday that the bug already was being exploited in the wild by the time it was disclosed.

“The internal string handling functions of the Exim software contain a function called string_format().
The version of this function included with Exim versions prior to 4.70
contains a flaw that can result in a buffer overflow. An attacker can
exploit this vulnerability by crafting message headers that are
subsequently supplied to Exim logging functions,” the advisory said.

Several users running Debian Linux said in a discussion thread on Reddit that they’d found a rootkit on some of their machines that were running vulnerable versions of Exim. The malware installs itself and creates some temporary files. Here’s a description of the rootkit’s behavior:

To get in, it created a number of temporary files in
/var/spool/exim4, including a small C program which it compiled and
setuid to get root access and run a shell as root:

-rw------- 1 Debian-exim Debian-exim     117 Dec 15 16:41 a.conf
-rw------- 1 Debian-exim Debian-exim     119 Dec 15 16:41 e.conf 
drwxr-xr-x 3 root        root             75 Dec 16 18:00 rk
-rw------- 1 root        root        4421289 Dec 15 20:13 rk.tgz
-rw-r--r-- 1 root        root              0 Dec 16 13:26 s
-rw-r--r-- 1 root        root              0 Dec 16 13:26 s.c
-rwsr-xr-x 1 root        root           6764 Dec 15 23:29 setuid
-rw------- 1 Debian-exim Debian-exim    3120 Dec 15 16:41 setuid.1
-rw------- 1 Debian-exim Debian-exim     130 Dec 15 16:41 setuid.c

Note that the rk directory contained the installer for the root kit.

Other users also noted seeing the same kind of malware on their Debian machines. One of the signs that users noticed that led them to find the infections was that their email stopped working.

The bug has been fixed in new version of Exim. The latest version can be downloaded on the Exim site.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.