New iFrame Rootkit on Linux – Read the dirty details

Linux users and developers alike can expect some trouble with a new rootkit on the move. This time, it’s working as an iFrame attack on HTTP servers. The sample itself is pretty dynamic overall, and has the ability to infect Linux successfully AND hide its presence on the system.

The attack is characteristic of a drive-by download scenario, in which the rootkit attempts to attack an HTTP server through iFrame-related injections. Now for the dirty details…

  • Attempts to ‘call’ modules in the file system by using set_http_injection_conf, start_get_command_web_injection_from_server_thread, cs:start_get_command_web_injection_from_server_value, hide_folder_and_files, hide_process_init, etc.
  • It currently works on Debian Squeezy kernel version 2.6.32-5-amd64  (at least it matches).
  • Unstripped coding size is 500K.
  • Some functions are not fully working, so some have assumed it is in development stages or not fully complete.
  • Adds startup entry to /etc/rc.local script: insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko
  • Uses one of two methods to retrieve kernel symbols to /.kallsyms_tmp:
    /bin/bash -c cat /proc/kallsyms > /.kallsyms_tmp
    /bin/bash -c cat /boot/`uname -r` > /.kallsyms_tmp
  • Other than that, it does a good job trying to hide files/folders/processes/etc.
  • The inject mechanism is neatly designed as a PHP script, which is pretty common for contemporary injections.
  • Substitutes the TCP building functions by tcp_sendmsg to its own function.
  • Once the C&C callback is done on the command server, the command server sends back malicious code specific for the situation.
  • Probably being used in cybercrime operations rather than just targeted attacks.
  • A Russia-based attacker is likely. Experts are not revealing any names, and seCURE Connexion has no information sadly.
  • This was discovered on Seclists’s Full Disclosure Mailing List.

Tags: , , , , ,

About Dr Jay

%d bloggers like this: