New Linux Rootkit Emerges
Trailrunner7 writes "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or be meant for use in targeted attacks. The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said his site had been targeted by the malware and some of his customers had been redirected to malicious sites."
Moderately funny, but this is about servers. A more apt joke would be about Windows Server 2008 or 2012.
which is totally what she said
it does not appear to be the work of a high-level programmer or be meant for use in targeted attacks
So basically it's installed by some jerkoff contractor with root access, and it's not something involving a hole in the server security?
How come neither of the links actually describe how this malware infects the machine in the first place? I'd say that's quite an important piece of information completely missing.
Just curious why the root kit is only targeting 64-bit. Is it specifically targeting the Intel 64-bit spec that allows for privilege escalation, or something like that? Reading the article makes it sound like it's an exploit of the AMD little-endian pointers which, since I don't know hardware on that level, I don't know if that means it's actually a CPU exploit or an OS exploit. And if it's a CPU exploit I don't know if it's all AMD64-based, including or excluding Intel.
Yada-yada-blabber-blabber.
nobody really uses this OS except hobbyists and niche markets
Yeah, what with Microsoft, Amazon, Google, Valve and so on. Oh, pssh, they're irrelevant; they count as nobodies, right?
There's a new secure OS called Rootkit Server 12 - maybe it's time you nerds started upgrading to it!
This is the year of the Linux rootkit.
http://joshwieder.blogspot.com/2012/09/windows-8-rootkit-discovered-in-wild.html
Since you're so knowledgeable, maybe you could explain to us which 'weakness' this rootkit is exploiting to get itself installed?
If a patch is made, kindly share ASAP.
If you want security you need a Unix with a Strong Leader like Theo De Raadt. He may be a bastard, but he makes the trains run on time.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
You really need to try harder.
If you want security you need a Unix with a Strong Leader like Theo De Raadt. He may be a bastard, but he makes the trains run on time.
Theo De Raadt was neutered?
Dunno about AC, but first glance seems to be that it exploits shitty PHP code in order to get itself hosted onto the websites.
According to TFA, it appears to target one specific kernel (Debian-based), and tries to do some hokey-pokey with RAM to get itself executed. If you want a better description go to the original report
TFA gives some details, however:
The kernel module in question has been compiled for a kernel with the version string 2.6.32-5. The -5 suffix is indicative of a distribution-specific kernel release. Indeed, a quick Google search reveals that the latest Debian squeeze kernel has the version number 2.6.32-5.
The module furthermore exports symbol names for all functions and global variables found in the module, apparently not declaring any private symbol as static in the sources. In consequence, some dead code is left within the module: the linker can't determine whether any other kernel module might want to access any of those dead-but-public functions, and subsequently it can't remove them.
...doesn't say exactly how, but there is one thing that is entirely left out of the equation... if it's a drive-by download, does it definitely require user involvement, or not? According to the original report, the complaints were that their customers were being redirected to a malicious site, but nothing about a trojan being involved.
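The two traits quoted from the analysis (a vermagic pinned to one distribution kernel, and every function exported rather than static) are both checkable from a shell. The script below is an added example, not code from the article or from the analysis it quotes; it assumes nm and modinfo are installed when pointed at a real .ko, and the nm output embedded in it is constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the article or from the analysis it quotes.
# Static triage of a kernel module (.ko) found on a server: does it match the
# running kernel, and how much of its code is exported rather than static?
# Assumes nm (binutils) and modinfo are installed when run against a real
# file; the nm output below is constructed sample data.

# First field of modinfo's vermagic is the kernel release the module was built
# for, e.g. "2.6.32-5-amd64" on Debian squeeze.
module_vermagic() {
    modinfo -F vermagic "$1" 2>/dev/null | awk '{ print $1 }'
}

# Returns 0 when the module's build release equals the running kernel release
# (second argument, defaulting to uname -r). A mismatched module will not load
# normally, which is why the analysis could pin the target to one kernel.
vermagic_matches() {
    [ "$1" = "${2:-$(uname -r)}" ]
}

# Read nm output on stdin and print the names of global text symbols ('T').
# Functions declared static show up as lowercase 't' instead; a module with
# no local text symbols at all is the trait the quoted analysis describes.
global_text_symbols() {
    awk '$2 == "T" { print $3 }'
}

# Same input, count of local (static) text symbols.
count_local_text_symbols() {
    awk '$2 == "t" { n++ } END { print n + 0 }'
}

# Run both checks on a real module file and print a short verdict.
triage_module() {
    ko=$1
    built_for=$(module_vermagic "$ko")
    if vermagic_matches "$built_for"; then
        echo "vermagic $built_for: matches running kernel"
    else
        echo "vermagic $built_for: does NOT match $(uname -r)"
    fi
    globals=$(nm "$ko" | global_text_symbols | wc -l | tr -d ' ')
    locals=$(nm "$ko" | count_local_text_symbols)
    echo "text symbols: $globals global, $locals local"
}

# Constructed nm output standing in for a module whose every function is global.
SAMPLE_NM='0000000000000000 T init_module
0000000000000040 T cleanup_module
0000000000000080 T sample_func_one
00000000000000c0 T sample_func_two
0000000000000100 D sample_global_data
                 U printk'

# Stand-alone demo against the constructed sample.
echo "global text symbols in sample:"
printf '%s\n' "$SAMPLE_NM" | global_text_symbols
echo "local text symbols in sample: $(printf '%s\n' "$SAMPLE_NM" | count_local_text_symbols)"
```

Against a real file, `triage_module /path/to/suspect.ko` gives the two facts a responder wants first: whether the module could even load on this host, and how amateurish its build is. Neither proves malice on its own; a legitimately built module for the wrong kernel also fails the first check.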
How long, Nimbus, will you go on abusing our patience?
He may be a bastard, but he makes the trains run on time.
...try and submit some shit code onto Linus' lap for kernel inclusion... I dare you. ;)
How long, Nimbus, will you go on abusing our patience?
> This is the year of the Linux rootkit.
. . . on the desktop?
Or on hundreds of millions of Android phones. Or supercomputers. Or TiVos or other DVRs. Or routers, printers, and countless other devices. OMG the world is going to end in 2012!!!
Better to switch to a safe proprietary OS that has never had a security problem.
I'll see your senator, and I'll raise you two judges.
Must be specifically targeted at Gentoo then.
If you dig into the articles to some of the raw analysis you'll discover two things.
1) "It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely." So it's unlikely that they gained root with something new, but it was a web site that was hacked, so the likely vector is something related to what the site was running: PHP, WordPress, DB injection, and Apache exploits.
2) "Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely."
There's a new secure OS called Rootkit Server 12 - maybe it's time you nerds started upgrading to it!
This is the year of the Linux rootkit.
Why? Linux has been around 85% of all web servers in the world for a loooooong time. You don't target the 15% windows servers to get stuff done.
If it's meant to attack websites, it's aimed at web servers. Do actual production web servers that receive non-trivial levels of traffic and haven't been migrated to 64-bit hardware still exist?
Here you go
Drepper's crap is why I don't use Linux.
The rootkit is half the battle as TFA says... what gets me really wondering is the exploit they used to get unfettered root access, especially if SELinux is enabled and enforcing.
The best short term defense against this? A monolithic kernel that has all modules compiled in, and has module loading disabled. Of course, this loses a lot of functionality.
Long term, maybe the best defense would be to take the TE (trustchk) system from AIX (which can be configured to not run any binaries that are not in a signed database), have signed kernel modules, and use a TPM + LUKS to ensure that if there is tampering, the boot process stops because there is no key to mount the root filesystem. Yes, TPM is a double-edged sword, but it does do well in guarding against these types of attacks.
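Short of rebuilding a monolithic kernel, the running kernel can refuse further module loads once the boot-time set is in, and the loaded set can be diffed against a baseline. The script below is an added example, not code from the article; the /proc and /sys paths are the real ones, the baseline format is an assumption of this example, and the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example, not code from the article. Two runtime checks for the defence
# the post above describes: is module loading locked down on this host, and is
# anything loaded that a known-good baseline does not list? File paths default
# to the real /proc and /sys entries; the sample data further down is constructed.

# kernel.modules_disabled is a one-way sysctl (Linux 2.6.31+): once set to 1,
# no module can be loaded until reboot. Returns 0 when loading is disabled.
module_loading_disabled() {
    f=${1:-/proc/sys/kernel/modules_disabled}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Newer kernels expose module.sig_enforce; 'Y' means unsigned modules are
# refused. The 2.6.32 kernel discussed above predates this, so the check
# simply returns 1 there.
module_sig_enforced() {
    f=${1:-/sys/module/module/parameters/sig_enforce}
    [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]
}

# Print names in a /proc/modules-style listing that are missing from a baseline
# file (one module name per line, captured from a known-good install).
# Caveat: a kernel rootkit can unlink itself from the module list, so an empty
# result only covers modules that do not hide; treat it as one signal, not proof.
unknown_modules() {
    baseline=$1
    modules=${2:-/proc/modules}
    awk 'FILENAME == ARGV[1] { ok[$1] = 1; next }
         !($1 in ok) { print $1 }' "$baseline" "$modules"
}

# Write constructed sample files and print their paths (baseline, then modules).
make_samples() {
    b=$(mktemp) && m=$(mktemp) || return 1
    printf 'ext4\nloop\n' > "$b"
    printf 'ext4 1 0 - Live 0x0\nloop 1 0 - Live 0x0\nsample_unknown 1 0 - Live 0x0\n' > "$m"
    echo "$b $m"
}

# Stand-alone demo: real host state first, then the constructed sample.
if module_loading_disabled; then echo "module loading: disabled"; else echo "module loading: enabled"; fi
if module_sig_enforced; then echo "signature enforcement: on"; else echo "signature enforcement: off or unsupported"; fi
set -- $(make_samples)
echo "modules not in sample baseline: $(unknown_modules "$1" "$2")"
rm -f "$1" "$2"
```

Setting `kernel.modules_disabled=1` late in boot (after everything legitimate has loaded) is the cheap version of the "no module loading" defence; it cannot be undone without a reboot, which is exactly the point, and also the operational cost the post mentions.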
Better to switch to a safe proprietary OS that has never had a security problem.
Menuet64?
He didn't mention any form of infection. Apparently it is just an application you manually have to start as root, which then hooks itself into the system like a rootkit.
Without an infection mechanism, it's not a rootkit. Let alone dangerous.
This is a case of PEBKAC. If somebody has root access, it doesn't matter if he installs some lame rootkit. He already has full access! It's already too late!
Kids these days...
To be fair to Linux, glibc is not in the Linux kernel. That's why it's important to say GNU/Linux: because Drepper deserves the blame at least as much as Linus. Android, for example, is Linux and uses a FreeBSD libc derivative instead of glibc.
I am TheRaven on Soylent News
Ok, why is this story tagged with conditionbrownpants? Anybody care to explain?
(and no, it's not because of my post, because I'm asking after this tag appeared)
Dunno about AC, but first glance seems to be that it exploits shitty PHP code in order to get itself hosted onto the websites.
How does "first glance" tell you that? And are you talking about code written in the PHP language or about the PHP implementation? And even if you break into a PHP implementation remotely, how do you make the kernel load the module, assuming the administrator isn't an outright idiot and the PHP process isn't running as root?
Ezekiel 23:20
1.) Pseudonymous source "stacktrace"
2.) No one explains which weakness is being "exploited"
I call bullshit on this until they show the code which actually owns the Linux kernel. If you could trace this whole thing, I am quite positive it leads to the checkbook of a Mr Ballmer, resident of Redmond, WA, USA.
The best short term defense against this?
Just put "exit 0" at the end of your /etc/rc.local and the rootkit becomes unloadable. Just like in Debian Squeeze.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Well said: A well-placed truth has /. Linux FUD spreaders quaking in rage!
you have such courage to post as ac instead of your registered luser name.
Just out of curiosity:
As a Linux user, in general, how safe is my web-browsing experience from attackers installing the code of their choice on my system?
I run a GNU/Linux 64-bit system that was released in 2012. I use the latest Firefox with common media plugins, running as an ordinary unprivileged user. Assume that I have an average level of awareness of Internet security issues (which is to say: not much, but I am smart enough not to execute random files).
A more apt joke would be about Windows Server 2008 or 2012.
An even more apt joke would be something like:
# apt-get install windows-server-2008
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package windows-server-2008
But that doesn't seem to work.
Debian does not have SELinux enabled by default. So that is one barrier that they frequently won't have to cross in getting root access.
Debian might also have been targeted for its large market share and not having security extensions installed by default. Considering the wide range of uses that Debian is put to, it seems like maybe they should create a "public server" install profile that includes things like SELinux enabled and checkrootkit and other routine auditing tools installed.
Work bio at MMWD
Hahahaha. Awww, poor little ac troll got down moderated to -1.
More like 11% and heading downhill fast. Even MS doesn't want you to use server 2012 for just websites.
IMHO, this is one thing they really need to look into fixing to keep up with what threats are out there.
It doesn't matter if they use SELinux or AppArmor. Just use something to limit the context things run in so even if something like Apache gets compromised, even with a way to UID 0, the mischief they can do is limited, be it to a directory or filesystem, or to only a segment of process space.
One thing I like is how sandboxie works on Windows -- a sandboxed program would have a list of executables (either explicitly specified, or via directory wildcards) that it can run, and this would include what context the process would run under (be it SUID root, user, or another user). Attempts to run anything else under a different context would be blocked. That way, if the apache binary tried to run the /bin/passwd command, it would be blocked.
Get him a diaper at least. Sounds like he needs one.
http://linux.slashdot.org/comments.pl?sid=3263519&cid=42045967
How about MAC (Mandatory Access Control)?
Hello SELinux... (Fedora)
Here be signatures
...while it's nice that Linux has gained a reputation as a secure alternative to Windows, the fact of the matter is that no one has really given a shit until now enough to really poke a hole in it.
Frothing at the mouth, Mr. Ballmer? Linux isn't "a secure alternative to Windows" for most folks using it; it runs on everything from wristwatches to the most powerful supercomputers in the world. Most web servers are running Linux. If Linux were easy to exploit, you'd have heard of a LOT of exploits.
Free Martian Whores!
This rootkit on Linux and the security breach @ FreeBSD http://it.slashdot.org/story/12/11/19/1649254/two-freebsd-project-servers-hacked
Rootkit for Linux: requires that rc.local have no "exit 0" at the end of the script and a very specific kernel. Darn, my kernel is different *and* I have "exit 0" at the end of /etc/rc.local. The only good part about noting this exploit and rc.local is that when I looked at rc.local I noticed that I don't update my CPU writeable control store currently (and that's something I normally do). Thanks for the notice. I downloaded the latest firmware from Intel, and I've once again got it loading in rc.local (before the exit 0 line). Yay!
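Both this post and the earlier "just put exit 0 at the end of your /etc/rc.local" reply turn on the same detail: anything appended after "exit 0" never runs, but its presence still tells you someone edited the file. The script below is an added example, not code from the article or from any commenter; it audits an rc.local for dead lines after "exit 0" and for module-loading commands, using a constructed sample in which microcode_ctl stands in for the legitimate firmware-loading line this post describes.

```shell
#!/bin/sh
# Added example, not code from the article or from the commenters. Audits an
# rc.local for (a) non-comment lines after the first 'exit 0', which never run
# but show the file was appended to, and (b) insmod/modprobe invocations, so an
# admin can review them. The sample rc.local below is constructed.

# Print non-blank, non-comment lines that follow the first 'exit 0' line.
lines_after_exit() {
    awk 'seen && $0 !~ /^[ \t]*(#|$)/ { print }
         /^[ \t]*exit[ \t]+0[ \t]*$/ { seen = 1 }' "$1"
}

# Print (with line numbers) uncommented insmod/modprobe invocations anywhere
# in the file, whether they would execute or not.
module_loads() {
    grep -En -e '^[[:space:]]*(insmod|modprobe)[[:space:]]' \
             -e '^[^#]*[[:space:];&|](insmod|modprobe)([[:space:]]|$)' "$1" || true
}

# Returns 0 when the last non-blank line of the file is 'exit 0', i.e. the
# file is in the state this post relies on.
ends_with_exit() {
    last=$(awk 'NF { last = $0 } END { print last }' "$1")
    printf '%s\n' "$last" | grep -Eq '^[[:space:]]*exit[[:space:]]+0[[:space:]]*$'
}

# Constructed sample: a legitimate microcode update before exit 0, then two
# appended lines that never execute.
SAMPLE_RC_LOCAL='#!/bin/sh -e
# rc.local (constructed sample)
/usr/sbin/microcode_ctl -u
exit 0
/opt/sample/appended_command
insmod /tmp/sample_module.ko'

# Write the sample to a temp file and print its path.
write_sample() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_RC_LOCAL" > "$f"
    echo "$f"
}

# Human-readable report for one rc.local file.
audit_rc_local() {
    f=$1
    echo "== lines after exit 0 in $f (never executed):"
    lines_after_exit "$f"
    echo "== module loads in $f:"
    module_loads "$f"
    if ends_with_exit "$f"; then
        echo "== $f ends with exit 0"
    else
        echo "== $f does NOT end with exit 0; review the lines above"
    fi
}

# Stand-alone demo against the constructed sample.
sample=$(write_sample)
audit_rc_local "$sample"
rm -f "$sample"
```

Run `audit_rc_local /etc/rc.local` on a real host. The module-load list is deliberately not a verdict: a microcode or driver line that the admin put there belongs on it too, so the output is something to read, not something to alert on blindly.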
A natural reaction to a large 'root' going up into that area of his torso.
The next Patch Tuesday will be coming sooner than we all think. I can't wait! I'll see you there.[/sarcasm]
The recent "incidents" on xBSD and Linux are short on substance (kernel-level exploits) and long on irrelevant "meat" to impress those who don't know the subject.
It's a Propaganda Campaign by Redmond and their "partners" in the Virus Scanner "Protection Business" to scare people away from Free Operating Systems. You bet they have the money to hire shady people to steal an SSH key and, as we see here, they have the money to program pointless "viruses" to be installed while running as root.
This is a clear sign that the Sleazebags in Washington State are Scared To Hell. They know that they can't win on technical or economical merits, so they try Mud-Lobbing.
This "rootkit" fails to demonstrate an actual exploit in a browser and/or the Linux kernel. It's 100% Propaganda.
If you want to have even more security, use AppArmor to limit the access rights of your browser. It has no business reading your OpenOffice files, for example.
..new Baseless Smear Tactics by a Scared Mr Ballmer.
..all you say must be true.
But here is some good advice for your Evil Lord Ballmer:
1.) Don't always use the old Redmond Propaganda Memes. You are too easy to identify and blasted back into your rathole.
2.) Find an ACTUAL Exploit, instead of coming up with this irrelevant crap. You know, something like "virus hiding in icon on USB stick and pwning the box upon insertion of stick." Something like these hundreds of Windows kernel-level exploits.
I would think that TVs would be the ideal target. Sure, the processing power is low, but nobody even considers watching for malware on TVs. I wouldn't be surprised to find out that the computer running Linux inside my TV never turns off. If that is the case, a malware writer who targeted TVs would have 100k - millions of low power but always on and never protected computers to run their malware on.
Of course that would only be if Linux were easy to exploit.
"The rootkit is designed specifically for 64-bit Linux systems .. The new Linux rootkit is loaded into memory and once there"
How does this 'rootkit' get executed on the target machine, does it require prior root access in order to successfully execute?
AccountKiller
"All Operating Systems Are As Crappily Insecure As Windows".
Except that this "rootkit" has to be run with root privileges to be a threat. Message to Redmond: Unix systems are not browsing as administrative user, unlike the historical norm of WINDOWS.
Next new Android Linux exploit'll be sooner than that.
They happen all the time since Android's a Linux. Security by Obscurity no more Penguins.
Or are you just another Redmond FUD-$hill ?
4 NIX users (BSD hacked, Linux rootkit, Android exploits galore daily) http://linux.slashdot.org/comments.pl?sid=3263519&cid=42047493 so your FUD charade? It's over.
no no, read the summary. these boxes were using red hat - "A new Linux rootkit has emerged"
An iframe injection that redirects you to a malicious website where you have to download something and run it as root to get infected sounds almost nothing like something that runs as a normal user and exploits local weaknesses to gain privileged access surreptitiously.
these boxes were using red hat - "A new Linux rootkit has emerged"
That would be Gentoo, where we even have to compile our viruses from source (but then the virus is super-optimized).
It sounds like just plain old malware - maybe it does have a rootkit as part of the package - but still.. iFrame injection and a slew of other functional abilities are not in the domain of a 'rootkit'. The definition of a worm is a malicious program that replicates itself.
So since the "root kit" involves some other vector letting the intruder append something to rc.local (or somehow pivot on whether rc.local ends with an "exit 0") the root kit isn't a root kit but a post-root-promotion exploit.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
ah, whoops. s/red hat/gentoo/
Reading the original article I have to ask how does this rootkit get installed. There is enough info on how it works once it is in a system, but nothing on how it can install itself.
As written, it looks like you need direct access to the machine to infect it.
They don't write about any exploit, because they don't have one.
Regarding Sandboxie - on Linux you have several options to do sandboxing. First, there is AppArmor, then there is SE Linux and finally you can roll your own sandbox using Linux Security Modules. A well-defined API you can use according to your specific needs.
But, as I wrote, you don't need sandboxing to defend against this "threat", as it is not a real one. It's just part of a cheap propaganda campaign by M$ and their Partners In Sleaze.
That's why I'll never buy a Sony product. I would expect a Sony TV to be pre-rooted.
Free Martian Whores!
2011. Top Pharmacy List! Best Prices Online!
I noticed that several fairly high profile sites (stumbleupon, apartmentratings) had been compromised and were trying to pump traffic to spammer sites through an iframe on the compromised site about 5 months ago and published it here: http://joshwieder.blogspot.com/2012/07/blogger-traffic-source-spam-stumbleupon.html
None of the servers I am responsible for were infected. Without server side access, I didn't see the cause, just the effects. This bit of software fits the profile rather nicely.
In any event, it's worth pointing out there is not much that is new about this.
Linux gets used by the majority since they're smallfry and cash strapped since Linux = free
i get microsoft also missed the memo cos even they have linux on azure
this one sounds like APK that we all know and loathe :)
...overly concerned about mod points, trolls, and posting as AC himself
so how's that bug in your pointless and overly bloated and mindlessly exception handled Python function coming along then?
You make no sense. Apk has no account (0 mod points as ac).
Linux = attempted cost cutting measure that failed.
APK makes no sense anyway... even though he posts as AC, he still rants about mod points.... go figure
omg ok you've convinced me with your infinite bullsh.... i mean wisdom :)
crutchy keep wasting time on a 2nd rate least used OS platform (we don't want "your kind" on the #1 most used OS platform there is on PC desktops and servers combined). He really got through to you since all you had was that line of garbage in response.
Can you prove your ranting? No. Seek professional psychiatric help.
You looked stupid on code (apk's runs perfectly + is err handled properly. Yours isn't, despite your rant it should be) http://developers.slashdot.org/comments.pl?sid=3258205&cid=42039353
and
You practically had to pull out a crowbar to ADMIT android is a Linux http://slashdot.org/comments.pl?sid=3263923&cid=42078237
Since it uses a Linux kernel and what happens to android every week practically? Exploits!
So much for years of "fud" on /. on how "Linux = secure, windows != secure", eh, crutch?
Guess what?
No more "hiding behind security-by-obscurity" on those smartphones, and lately on servers too!
(All this week *NIX in general has gotten NUKED with FreeBSD servers "hacked into" as well as massive Linux security vulnerabilities discovered & running wild as botnets on Linux 64-bit servers).
No... You fools do NOT want to see "year of the Linux desktop", trust me - since what's happening on smartphones via Android Linux + Servers being rooted & infested with botnets only is a "portent of things to come"... and, you KNOW it.
2011. Top Pharmacy List! Best Prices Online!
we don't want "your kind" on the #1 most used OS platform there is on PC desktops and servers combined
your kind stinks and is full of whingeing morons who don't even realise how much they rely on the "2nd rate least used OS platform"
...used google lately?
...read it and weep moron
http://en.wikipedia.org/wiki/Google_platform#Software
go back to trying to figure out where the bug is in your Python code, idiot
meanwhile, linux will continue to dominate the world hahahahah!!!!
I looked. I saw code doing 5 perfect outputs in front of you crutchy. Some bug.
crutchy forgot to take his meds again!!!
crutchy, you been editing those wikipedia pages again?
try looking at the code in your posts
Since my code runs perfectly (and it did @ least 5x in front of you this week, and many more times before that as well, plus 100's of times vs. trolls (simply giving them what they NEED, in a dose of "ReVeRsE-PsyChoLoGy', lol))?
* Have you *ever* considered that it's /. formatting upon my pasting it that causes the format I get on posting the actual code itself?
(Some "Food 4 Thought" for you there, lol, 'CruTcHy'...)
APK
P.S.=> I can see it now, lol: A lightbulb ignites over 'CruTcHy''s puny skull, lmao... (it's a bit dim, like 'CruTcHy', but... it's there!)
... apk
hmm,
are there any sources or similar out of the rk for further studies?
Many thanks for any hint...