CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Linux Rootkit Found Launching iFrame Injection Attacks

Last week, someone posted a module to the Full Disclosure mailing list, which turned out to be a rootkit for Linux. Experts examined it, and concluded that if anything, it’s a unique piece of malware, in addition to it being a credible risk to LAMPP deployments.

Last week, someone posted a module to the Full Disclosure mailing list, which turned out to be a rootkit for Linux. Experts examined it, and concluded that if anything, it’s a unique piece of malware, in addition to it being a credible risk to LAMPP deployments.

One of the first organizations to examine the rootkit was CrowdStrike, a security startup that focuses on malware intelligence. They offered some interesting analysis, but unfortunately, it appears to be peppered it with sensationalized details.

Linux RootkitFor example, CrowdStrikes’s Georg Wicherski, a Senior Security Researcher, speculated that this rootkit could be used in targeted attacks, if modified to do so. Any family of malware could be configured for this purpose, so stating the obvious doesn’t seem to do any good. Further, Wicherski stated that based on how the code itself was developed, and other information they “cannot publicly disclose,” the attacker likely came from Russia. Again, the idea that someone in Russia can develop unique malware for a new level of attack is nothing new or shocking. It’s expected really.

However, CrowdStrike does hit on some of the useful functionality of the malware, namely the methods used to inject malicious links and hide itself, but as Kaspersky Lab noted in their research, much of what has been learned about this rootkit shows that it is still in the development stages. This is good news for security administrators, as this makes it easier detect and block.

The rootkit was hardcoded for the latest Debian squeeze kernel, 2.6.32-5. This was the OS version being used by the victim who posted the sample to Full Disclosure. However, there is nothing in current research that says they were singled out in the attack.

The injection attack occurred on any page that was served by the webserver, including error pages. The rootkit does this by substituting the system function responsible for TCP packets with a function of its own. This means that all sites hosted are victimized, as the rootkit focuses on the HTTP software itself.

At this time, much of the rootkit’s functionality isn’t working, and it was compiled with debugging information.

“It’s an outstanding sample, not only because it targets 64-bit Linux platforms and uses advanced techniques to hide itself, but primarily because of the unusual functionality of infecting the websites hosted on attacked HTTP server – and therefore working as a part of drive-by download scenario,” commented Marta Janus, a Kaspersky Lab Expert who examined the rootkit sample. “This rootkit, though it’s still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future.”

Kaspersky’s analysis is here.

Advertisement. Scroll to continue reading.
Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.