Linux Rootkit Found Launching iFrame Injection Attacks
Steve Ragan November 20, 2012

Last week, someone posted a module to the Full Disclosure mailing list, which turned out to be a rootkit for Linux. Experts examined it, and concluded that if anything, it’s a unique piece of malware, in addition to it being a credible risk to LAMPP deployments.

One of the first organizations to examine the rootkit was CrowdStrike, a security startup that focuses on malware intelligence. They offered some interesting analysis, but unfortunately, it appears to be peppered it with sensationalized details.

Linux RootkitFor example, CrowdStrikes’s Georg Wicherski, a Senior Security Researcher, speculated that this rootkit could be used in targeted attacks, if modified to do so. Any family of malware could be configured for this purpose, so stating the obvious doesn’t seem to do any good. Further, Wicherski stated that based on how the code itself was developed, and other information they “cannot publicly disclose,” the attacker likely came from Russia. Again, the idea that someone in Russia can develop unique malware for a new level of attack is nothing new or shocking. It’s expected really.

However, CrowdStrike does hit on some of the useful functionality of the malware, namely the methods used to inject malicious links and hide itself, but as Kaspersky Lab noted in their research, much of what has been learned about this rootkit shows that it is still in the development stages. This is good news for security administrators, as this makes it easier detect and block.

The rootkit was hardcoded for the latest Debian squeeze kernel, 2.6.32-5. This was the OS version being used by the victim who posted the sample to Full Disclosure. However, there is nothing in current research that says they were singled out in the attack.

The injection attack occurred on any page that was served by the webserver, including error pages. The rootkit does this by substituting the system function responsible for TCP packets with a function of its own. This means that all sites hosted are victimized, as the rootkit focuses on the HTTP software itself.

At this time, much of the rootkit’s functionality isn’t working, and it was compiled with debugging information.

“It's an outstanding sample, not only because it targets 64-bit Linux platforms and uses advanced techniques to hide itself, but primarily because of the unusual functionality of infecting the websites hosted on attacked HTTP server - and therefore working as a part of drive-by download scenario,” commented Marta Janus, a Kaspersky Lab Expert who examined the rootkit sample. “This rootkit, though it's still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future.”