Slashdot Mirror


New Linux Rootkit Emerges

Trailrunner7 writes "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or be meant for use in targeted attacks. The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said his site had been targeted by the malware and some of his customers had been redirected to malicious sites."

30 of 172 comments

  1. Infection method? by Gaygirlie · · Score: 5, Insightful

    How come neither of the links actually describe how this malware infects the machine in the first place? I'd say that's quite an important piece of information completely missing.

    1. Re:Infection method? by hawguy · · Score: 2, Informative

      How come neither of the links actually describe how this malware infects the machine in the first place? I'd say that's quite an important piece of information completely missing.

      I don't think it's self-replicating or installing itself by some vulnerability, I believe it would have to be installed maliciously (perhaps by an employee, or maybe by someone using an unrelated root exploit), or as a Trojan Horse - many people are happy to blindly install unsigned packages on their system, running the installation as root.

      Back in the day, I used to make at least a cursory inspection of the Makefile and sometimes would even look over the source code associated with distributed packages. But now I just install the package without even paying attention to what files are being installed. I am a little careful about where I download my packages from, and almost always installed signed packages by a trusted distributor, but I do install packages from unknown developers from time to time.

    2. Re:Infection method? by hobarrera · · Score: 2

      Indeed. All it says is that you're redirected to an iframe. How it breaks out of the browser's sandbox and then obtains root privileges isn't mentioned either. I'm quite interested in how they achieved this too, since it would mean that there's a huge privilege escalation in Linux that nobody noticed.

    3. Re:Infection method? by sl4shd0rk · · Score: 2

      Looks like an infected kernel module so one of the below:
          1) server was cracked, and module compiled
          2) compromised kernel mod in distro

      more likely #1 but probably too early to tell. Grepping kernel sources for some of the text in the module_init binary may be fun:
      http://seclists.org/fulldisclosure/2012/Nov/94

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    4. Re:Infection method? by tyleroar · · Score: 3, Informative

      I think you are confused as to what this is doing. How the malware initially got loaded onto the *NIX box is not discussed in the write-up. The malware does not break out of the browser's sandbox and obtain root privileges. The malware is used to add/change the file being served by the web server. There is no mention of what file the malware was being used to serve up...it could be used just to transparently serve up ads or could be used to serve up some client-side exploits.

      --
      Portland, North Dakota Puppies
  2. Why Only 64-bit by medv4380 · · Score: 2

    Just curious why the root kit is only targeting 64-bit. Is it specifically targeting the intel 64bit spec that allows for privileged escalation, or something like that? Reading the article makes it sound like it's an exploit of the AMD little endian pointers which, since I don't know hardware on that level, I don't know if that means it's actually a CPU exploit or an OS exploit. And if it's a CPU exploit I don't know if it's all AMD64 based including or excluding Intel.

    1. Re:Why Only 64-bit by hobarrera · · Score: 4, Informative

      amd64 is the name of the architecture you normally call "64bits" or "x86_64" every day, and is an extension of "i686".
      The name is so merely because amd came up with it.

      Intel's modern microprocessors are amd64 as well (they just call it a different name).

    2. Re:Why Only 64-bit by quintus_horatius · · Score: 3, Interesting
      FTFA (emphasis added):

      "To hook private functions that are called without indirection (e.g., through a function pointer), the rootkit employs inline code hooking. In order to hook a function, the rootkit simply overwrites the start of the function with an e9 byte. This is the opcode for a jmp rel32 instruction, which, as its only operand, has 4 bytes relative offset to jump to," Georg Wicherski of CrowdStrike wrote in a detailed analysis of the new Linux malware.
      "The rootkit, however, calculates an 8-byte or 64-bit offset in a stack buffer and then copies 19 bytes (8 bytes offset, 11 bytes uninitialized) behind the e9 opcode into the target function. By pure chance the jump still works, because amd64 is a little endian architecture, so the high extra 4 bytes offset are simply ignored."
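The jmp rel32 encoding quoted above, worked through in code. This is an added example, not the rootkit's code and not CrowdStrike's: it builds the correct 5-byte inline-hook patch and the 20-byte variant the analysis describes (an 8-byte displacement plus 11 bytes of whatever the stack held; here that filler is assumed to be 0xcc), decodes both the way the CPU would, and shows where the longer version silently misbehaves once the target is more than 2 GiB away. The scan at the end is a detection heuristic over a constructed snapshot of function prologues; the kernel text range and the module address in it are made-up values, not anything from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32_LEN   5    /* e9 + rel32 */
#define BUGGY_PATCH_LEN 20   /* e9 + the 19 bytes the rootkit copies */

/* Correct inline hook: e9 followed by a 4-byte displacement relative to the
 * end of the jmp itself (hook_addr + 5). Returns 0, or -1 if the target is
 * outside the +/-2 GiB range a rel32 can express. */
int encode_jmp_rel32(uint64_t hook_addr, uint64_t target, uint8_t out[JMP_REL32_LEN])
{
    int64_t disp = (int64_t)(target - (hook_addr + JMP_REL32_LEN));
    if (disp < INT32_MIN || disp > INT32_MAX)
        return -1;
    int32_t d32 = (int32_t)disp;
    out[0] = 0xe9;
    memcpy(out + 1, &d32, sizeof d32);          /* little-endian on amd64 */
    return 0;
}

/* The rootkit's variant as described: a 64-bit displacement in a stack buffer,
 * 19 bytes copied behind the e9 opcode. No range check, and 15 bytes beyond the
 * 5-byte jmp are clobbered. 0xcc stands in for the uninitialized stack bytes
 * (an assumption of this example, not something the analysis states). */
void encode_buggy_patch(uint64_t hook_addr, uint64_t target, uint8_t out[BUGGY_PATCH_LEN])
{
    uint8_t stack_buf[BUGGY_PATCH_LEN - 1];
    memset(stack_buf, 0xcc, sizeof stack_buf);
    int64_t disp = (int64_t)(target - (hook_addr + JMP_REL32_LEN));
    memcpy(stack_buf, &disp, sizeof disp);      /* 8 bytes, low half first */
    out[0] = 0xe9;
    memcpy(out + 1, stack_buf, sizeof stack_buf);
}

/* What the CPU does with those bytes: read exactly 4 bytes after e9 as a
 * sign-extended rel32 and ignore the rest. Returns 0 if code[0] is not e9. */
uint64_t decode_jmp_target(const uint8_t *code, uint64_t code_addr)
{
    if (code[0] != 0xe9)
        return 0;
    int32_t d32;
    memcpy(&d32, code + 1, sizeof d32);
    return (uint64_t)((int64_t)(code_addr + JMP_REL32_LEN) + d32);
}

/* 1 if the 20-byte patch and a correct 5-byte jmp agree on their first five
 * bytes, 0 if not, -1 if the target is out of rel32 range. */
int patches_agree(uint64_t hook_addr, uint64_t target)
{
    uint8_t good[JMP_REL32_LEN], bad[BUGGY_PATCH_LEN];
    if (encode_jmp_rel32(hook_addr, target, good) != 0)
        return -1;
    encode_buggy_patch(hook_addr, target, bad);
    return memcmp(good, bad, JMP_REL32_LEN) == 0;
}

/* Where the rootkit's patch really lands, in range or not. */
uint64_t buggy_patch_target(uint64_t hook_addr, uint64_t target)
{
    uint8_t bad[BUGGY_PATCH_LEN];
    encode_buggy_patch(hook_addr, target, bad);
    return decode_jmp_target(bad, hook_addr);
}

/* Detection heuristic over a snapshot of function prologues: a function that
 * begins with e9 and jumps outside the kernel's own text range is suspicious
 * (a legitimate tail call stays inside it). Returns the number flagged. */
struct prologue { uint64_t addr; uint8_t bytes[BUGGY_PATCH_LEN]; };

size_t count_hooks_outside_text(const struct prologue *p, size_t n,
                                uint64_t text_start, uint64_t text_end)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t t = decode_jmp_target(p[i].bytes, p[i].addr);
        if (t != 0 && (t < text_start || t >= text_end))
            flagged++;
    }
    return flagged;
}

/* Constructed sample: three prologues in a made-up text range, one of them
 * patched the rootkit's way to jump to a made-up module address. */
size_t demo_scan(void)
{
    const uint64_t text_start = 0xffffffff81000000ULL;
    const uint64_t text_end   = 0xffffffff81600000ULL;
    const uint64_t module     = 0xffffffffa0001000ULL;   /* assumed module address */
    struct prologue p[3] = {
        { text_start + 0x1000, { 0x55, 0x48, 0x89, 0xe5 } },   /* push rbp; mov rbp,rsp */
        { text_start + 0x2000, { 0 } },                        /* legit tail call, filled below */
        { text_start + 0x3000, { 0 } },                        /* hooked, filled below */
    };
    encode_jmp_rel32(p[1].addr, text_start + 0x4000, p[1].bytes);
    encode_buggy_patch(p[2].addr, module, p[2].bytes);
    return count_hooks_outside_text(p, 3, text_start, text_end);
}

int main(void)
{
    uint8_t good[JMP_REL32_LEN], bad[BUGGY_PATCH_LEN];
    encode_jmp_rel32(0x401000, 0x402000, good);
    encode_buggy_patch(0x401000, 0x402000, bad);
    printf("correct : ");
    for (int i = 0; i < JMP_REL32_LEN; i++) printf("%02x ", good[i]);
    printf("\nrootkit : ");
    for (int i = 0; i < BUGGY_PATCH_LEN; i++) printf("%02x ", bad[i]);
    printf("\nboth decode to %#llx\n", (unsigned long long)decode_jmp_target(bad, 0x401000));
    printf("suspicious prologues in sample: %zu\n", demo_scan());
    return 0;
}
```

Build with `cc -std=c99 -Wall hook.c`. The first five bytes agree whenever the displacement fits in 32 bits, forward or backward, which is exactly the "pure chance" in the quote; for a far target the correct encoder refuses while the 20-byte version quietly jumps to the wrong place, and in every case it destroys 15 bytes of the hooked function that a correct hook would leave alone.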

  3. Re:Security through obscurity FAIL by Gaygirlie · · Score: 4, Informative

    Yada-yada-blabber-blabber.

    nobody really uses this OS except hobbyists and niche markets

    Yeah, what with Microsoft, Amazon, Google, Valve and so on. Oh, pssh, they're irrelevant; they count as nobodies, right?

  4. Re:There's a new secure OS called... by Sulphur · · Score: 4, Funny

    There's a new secure OS called Rootkit Server 12 - maybe it's time you nerds started upgrading to it!

    This is the year of the Linux rootkit.

  5. Re:Security through obscurity FAIL by 0123456 · · Score: 2

    Since you're so knowledgeable, maybe you could explain to us which 'weakness' this rootkit is exploiting to get itself installed?

  6. Re:Security through obscurity FAIL by Penguinisto · · Score: 4, Informative

    Dunno about AC, but first glance seems to be that it exploits shitty PHP code in order to get itself hosted onto the websites.

    According to TFA, it appears to target one specific kernel (Debian-based), and tries to do some hokey-pokey with RAM to get itself executed. If you want a better description go to the original report

    TFA gives some details, however:

    The kernel module in question has been compiled for a kernel with the version string 2.6.32-5. The -5 suffix is indicative of a distribution-specific kernel release. Indeed, a quick Google search reveals that the latest Debian squeeze kernel has the version number 2.6.32-5.

    The module furthermore exports symbol names for all functions and global variables found in the module, apparently not declaring any private symbol as static in the sources. In consequence, some dead code is left within the module: the linker can't determine whether any other kernel module might want to access any of those dead-but-public functions, and subsequently it can't remove them.

    ...doesn't say exactly how, but there is one thing that is entirely left out of the equation... if it's a drive-by download, does it definitely require user involvement, or not? According to the original report, the complaints were that their customers were being redirected to a malicious site, but nothing about a trojan being involved.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  7. Re:Security through obscurity FAIL by Penguinisto · · Score: 2

    He may be a bastard, but he makes the trains run on time.

    ...try and submit some shit code onto Linus' lap for kernel inclusion... I dare you. ;)

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  8. Re:There's a new secure OS called... by DickBreath · · Score: 2

    > This is the year of the Linux rootkit.

    . . . on the desktop?

    Or on hundreds of millions of Android phones. Or supercomputers. Or TiVos or other DVRs. Or routers, printers, and countless other devices. OMG the world is going to end in 2012!!!

    Better to switch to a safe proprietary OS that has never had a security problem.

    --
    I'll see your senator, and I'll raise you two judges.
  9. Rootkit emerged by Anonymous Coward · · Score: 3, Funny

    Must be specifically targeted at Gentoo then.

  10. Infection Method - Well it's not... by Kagato · · Score: 5, Informative

    If you dig into the articles to some of the raw analysis you'll discover two things.

    1) "It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely." So it's unlikely that they gained root with something new, but it was a web site that was hacked, so the likely vector is something related to what the site was running. PHP, WordPress, DB Injection, and Apache exploits.

    2) "Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely."

    1. Re:Infection Method - Well it's not... by Gaygirlie · · Score: 2

      1) "It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely." So it's unlikely that they gained root with something new, but it was a web site that was hacked, so the likely vector is something related to what the site was running. PHP, WordPress, DB Injection, and Apache exploits.

      That's what I thought, too, but it should be researched more carefully. If the malware in question was injected in the first place via PHP, WordPress or something similar then that makes this much, much less of an important issue. However, if the malware did indeed use one or another exploit in the kernel or the default GNU userland, well, THAT would be truly news-worthy and should raise some serious flags.

  11. Re:There's a new secure OS called... by slashmydots · · Score: 2, Informative

    There's a new secure OS called Rootkit Server 12 - maybe it's time you nerds started upgrading to it!

    This is the year of the Linux rootkit.

    Why? Linux has been on around 85% of all web servers in the world for a loooooong time. You don't target the 15% Windows servers to get stuff done.

  12. Re:Security through obscurity FAIL by mlts · · Score: 2

    The rootkit is half the battle as TFA says... what gets me really wondering is the exploit they used to get unfettered root access, especially if SELinux is enabled and enforcing.

    The best short term defense against this? A monolithic kernel that has all modules compiled in, and has module loading disabled. Of course, this loses a lot of functionality.

    Long term, maybe the best defense would be to take the TE (trustchk) system from AIX (which can be configured to not run any binaries that are not in a signed database), have signed kernel modules, and use a TPM + LUKS to ensure that if there is tampering, the boot process stops because there is no key to mount the root filesystem. Yes, TPM is a double-edged sword, but it does do well in guarding against these types of attacks.

  13. Re:Security through obscurity FAIL by K.+S.+Kyosuke · · Score: 2

    Dunno about AC, but first glance seems to be that it exploits shitty PHP code in order to get itself hosted onto the websites.

    How does "first glance" tell you that? And are you talking about code written in the PHP language or about the PHP implementation? And even if you break into a PHP implementation remotely, how do you make the kernel load the module, assuming the administrator isn't an outright idiot and the PHP process isn't running as root?

    --
    Ezekiel 23:20
  14. Re:This is not a rootkit! It's a joke! by maxwell+demon · · Score: 2

    Wrong. A rootkit is code which maliciously takes over certain functionality at root level. How it got installed doesn't matter for its classification as rootkit. Of course most rootkits get installed by some virus, worm or trojan, but a rootkit which some cracker installed by hand is still a rootkit.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  15. Quick fix by AliasMarlowe · · Score: 5, Interesting

    The best short term defense against this?

    Just put
    exit 0
    at the end of your /etc/rc.local and the rootkit becomes unloadable. Just like in Debian Squeeze.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  16. Re:There's a new secure OS called... by Anonymous Coward · · Score: 3, Funny

    A more apt joke would be about Windows Server 2008 or 2012.

    An even more apt joke would be something like:

    # apt-get install windows-server-2008
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package windows-server-2008

    But that doesn't seem to work.

  17. Re:Security through obscurity FAIL by micheas · · Score: 2

    Debian does not have SELinux enabled by default. So that is one barrier that frequently they won't have to cross in getting root access.

    Debian might also have been targeted for its large market share and not having security extension installed by default. Considering the wide range of uses that Debian is put to it seems like maybe they should create a "public server" install profile that includes things like SELinux enabled and checkrootkit and other routine auditing tools installed.

  18. Re:How safe is Linux web-browsing in general? by Gaygirlie · · Score: 3, Informative

    There aren't any known, widespread Linux-based viruses or malware, and the few ones that do exist target server software, Java and/or Flash. And even if you found malware that still made its way into your computer via e.g. a vulnerability in the browser's JavaScript implementation, that malware would still have to get root privileges in order to properly hide its existence -- there aren't any known, widespread security holes either in the Linux kernel or the GNU userland, so if you keep your system up-to-date the chances are very, very slim the code would be able to get root privileges.

    That is to say that if you e.g. used Firefox without Java and with the Flashblock add-on there'd be more-or-less no chances of you getting anything. Don't get scared by articles like this one because, well, this one doesn't spread via the web browser in the first place -- it was likely installed on the system by hand by someone who got access to it because of poor website implementation.

  19. Re:Rootkit loads into memory? by Gaygirlie · · Score: 2

    "The rootkit is designed specifically for 64-bit Linux systems .. The new Linux rootkit is loaded into memory and once there"

    How does this 'rootkit' get executed on the target machine, does it require prior root access in order to successfully execute?

    Yes, it does. It contains no exploits whatsoever.

  20. Re:There's a new secure OS called... by mug+funky · · Score: 4, Funny

    no no, read the summary. these boxes were using red hat - "A new Linux rootkit has emerged"

  21. Re:There's a new secure OS called... by quintus_horatius · · Score: 3, Funny

    these boxes were using red hat - "A new Linux rootkit has emerged"

    That would be Gentoo, where we even have to compile our viruses from source (but then the virus is super-optimized).

  22. No rc.local file in Gentoo by IBitOBear · · Score: 2

    So since the "root kit" involves some other vector letting the intruder append something to rc.local (or somehow pivot on whether rc.local ends with an "exit 0") the root kit isn't a root kit but a post-root-promotion exploit.

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press
  23. Re:Is this a rootkit? by lgw · · Score: 2

    A "rootkit" is not "a kit to get root" but "a kit to keep root, once you somehow get it". Rootkits try to make an intrusion undetectable and un-removable, but they don't provide the intrusion.

    --
    Socialism: a lie told by totalitarians and believed by fools.