Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Linux Rootkit Found Launching iFrame Injection Attacks

Last week, someone posted a module to the Full Disclosure mailing list, which turned out to be a rootkit for Linux. Experts examined it, and concluded that if anything, it’s a unique piece of malware, in addition to it being a credible risk to LAMPP deployments.

Last week, someone posted a module to the Full Disclosure mailing list, which turned out to be a rootkit for Linux. Experts examined it, and concluded that if anything, it’s a unique piece of malware, in addition to it being a credible risk to LAMPP deployments.

One of the first organizations to examine the rootkit was CrowdStrike, a security startup that focuses on malware intelligence. They offered some interesting analysis, but unfortunately, it appears to be peppered it with sensationalized details.

Linux RootkitFor example, CrowdStrikes’s Georg Wicherski, a Senior Security Researcher, speculated that this rootkit could be used in targeted attacks, if modified to do so. Any family of malware could be configured for this purpose, so stating the obvious doesn’t seem to do any good. Further, Wicherski stated that based on how the code itself was developed, and other information they “cannot publicly disclose,” the attacker likely came from Russia. Again, the idea that someone in Russia can develop unique malware for a new level of attack is nothing new or shocking. It’s expected really.

However, CrowdStrike does hit on some of the useful functionality of the malware, namely the methods used to inject malicious links and hide itself, but as Kaspersky Lab noted in their research, much of what has been learned about this rootkit shows that it is still in the development stages. This is good news for security administrators, as this makes it easier detect and block.

The rootkit was hardcoded for the latest Debian squeeze kernel, 2.6.32-5. This was the OS version being used by the victim who posted the sample to Full Disclosure. However, there is nothing in current research that says they were singled out in the attack.

The injection attack occurred on any page that was served by the webserver, including error pages. The rootkit does this by substituting the system function responsible for TCP packets with a function of its own. This means that all sites hosted are victimized, as the rootkit focuses on the HTTP software itself.

At this time, much of the rootkit’s functionality isn’t working, and it was compiled with debugging information.

“It’s an outstanding sample, not only because it targets 64-bit Linux platforms and uses advanced techniques to hide itself, but primarily because of the unusual functionality of infecting the websites hosted on attacked HTTP server – and therefore working as a part of drive-by download scenario,” commented Marta Janus, a Kaspersky Lab Expert who examined the rootkit sample. “This rootkit, though it’s still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future.”

Kaspersky’s analysis is here.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.