Slashdot Mirror
New Linux Rootkit Emerges
Trailrunner7 writes "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or be meant for use in targeted attacks. The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said his site had been targeted by the malware and some of his customers had been redirected to malicious sites."
How come neither of the links actually describe how this malware infects the machine in the first place? I'd say that's quite an important piece of information completely missing.
Yada-yada-blabber-blabber.
nobody really uses this OS except hobbyists and niche markets
Yeah, what with Microsoft, Amazon, Google, Valve and so on. Oh, pssh, they're irrelevant; they count as nobodies, right?
There's a new secure OS called Rootkit Server 12 - maybe it's time you nerds started upgrading to it!
This is the year of the Linux rootkit.
amd64 is the name of the architecture you normally call "64bits" or "x86_64" every day, and is an extension of "i686".
The name is so merely because amd came up with it.
Intel's modern microprocessors are amd64 as well (they just call it a different name).
Dunno about AC, but first glance seems to be that it exploits shitty PHP code in order to get itself hosted onto the websites.
According to TFA, it appears to target one specific kernel (Debian-based), and tries to do some hokey-pokey with RAM to get itself executed. If you want a better description go to the original report
TFA gives some details, however:
The kernel module in question has been compiled for a kernel with the version string 2.6.32-5. The -5 suffix is indicative of a distribution-specific kernel release. Indeed, a quick Google search reveals that the latest Debian squeeze kernel has the version number 2.6.32-5.
The module furthermore exports symbol names for all functions and global variables found in the module, apparently not declaring any private symbol as static in the sources. In consequence, some dead code is left within the module: the linker can't determine whether any other kernel module might want to access any of those dead-but-public functions, and subsequently it can't remove them.
...doesn't say exactly how, but there is one thing that is entirely left out of the equation... if it's a drive-by download, does it definitely require user involvement, or not? According to the original report, the complaints were that they customers were being redirected to a malicious site, but nothing about a trojan being involved.
Quo usque tandem abutere, Nimbus, patientia nostra?
If you dig into the articles to some of the raw analysis you'll discover two things.
1) "It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely." So it unlikely that they gained root with something new, but it was a web site that was hacked, so the likely vector is something related to what the site it was running. PHP, WordPress, DB Injection, and Apache exploits.
2) "Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely."
The best short term defense against this?
Just put /etc/rc.local and the rootkit becomes unloadable. Just like in Debian Squeeze.
exit 0
at the end of your
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
no no, read the summary. these boxes were using red hat - "A new Linux rootkit has emerged"