Tag Archive | 64-bit

New iFrame Rootkit on Linux – Read the dirty details

Linux users and developers alike can expect some trouble with a new rootkit on the move. This time, it’s working as an iFrame attack on HTTP servers. The sample itself is pretty dynamic overall, and has the ability to infect Linux successfully AND hide its presence on the system.

The attack is characteristic of a drive-by download scenario, in which the rootkit attempts to attack an HTTP server through iFrame-related injections. Now for the dirty details…

  • Attempts to ‘call’ modules in the file system by using set_http_injection_conf, start_get_command_web_injection_from_server_thread, cs:start_get_command_web_injection_from_server_value, hide_folder_and_files, hide_process_init, etc.
  • It currently works on the Debian Squeeze kernel version 2.6.32-5-amd64 (at least it matches).
  • Unstripped code size is 500K.
  • Some functions are not fully working, so some have assumed it is still in development or not yet complete.
  • Adds startup entry to /etc/rc.local script: insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko
  • Uses one of two methods to retrieve kernel symbols to /.kallsyms_tmp:
    /bin/bash -c cat /proc/kallsyms > /.kallsyms_tmp
    /bin/bash -c cat /boot/System.map-`uname -r` > /.kallsyms_tmp
  • Other than that, it does a good job trying to hide files/folders/processes/etc.
  • The inject mechanism is neatly designed as a PHP script, which is pretty common for contemporary injections.
  • Replaces the kernel's TCP send function, tcp_sendmsg, with its own function.
  • Once the C&C callback reaches the command server, the server sends back malicious code specific to the situation.
  • Probably being used in cybercrime operations rather than just targeted attacks.
  • A Russia-based attacker is likely. Experts are not revealing any names, and seCURE Connexion has no information sadly.
  • This was discovered on Seclists’s Full Disclosure Mailing List.
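The persistence entry, the hidden-module behaviour and the /.kallsyms_tmp dump quoted above are all checkable from user space. The script below is an added example (not code from the original post or from the rootkit analysis it summarises): it audits an rc.local script for insmod lines, compares any boot-loaded module against a /proc/modules listing, and looks for the symbol dump file. The rc.local content, /proc/modules listing and root directory listing are constructed samples; the indicator strings come from the post.

```python
"""Audit a Linux host for the rootkit indicators described in the post.

Added example, not the post's own code. Sample inputs are constructed;
the indicators (rc.local insmod line, module path under kernel/sound/,
/.kallsyms_tmp) are taken from the post.
"""
import re

# Indicators from the post.
SUSPECT_MODULE_SUFFIX = "kernel/sound/module_init.ko"
KALLSYMS_DUMP = "/.kallsyms_tmp"

# Constructed /etc/rc.local carrying the persistence entry quoted in the post.
SAMPLE_RC_LOCAL = """#!/bin/sh -e
/usr/local/bin/start-app &
insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko
exit 0
"""

# Constructed /proc/modules listing. The rootkit module is absent because the
# post says the sample hides its presence on the system.
SAMPLE_PROC_MODULES = """\
snd_hda_intel 26640 2 - Live 0xffffffffa0060000
snd_pcm 70762 1 snd_hda_intel, Live 0xffffffffa0040000
ext4 332210 1 - Live 0xffffffffa0000000
"""

# Constructed listing of / (what os.listdir("/") would return, with full paths).
SAMPLE_ROOT_LISTING = ["/bin", "/boot", "/etc", "/.kallsyms_tmp", "/lib"]

INSMOD_RE = re.compile(r"^\s*(?:/sbin/)?insmod\s+(\S+)")


def insmod_entries(rc_local_text):
    """Module paths that rc.local loads with insmod (a stock rc.local loads none)."""
    found = []
    for line in rc_local_text.splitlines():
        m = INSMOD_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def module_name(path):
    """'/lib/.../module_init.ko' -> 'module_init', the name /proc/modules shows."""
    return path.rsplit("/", 1)[-1].rsplit(".", 1)[0]


def loaded_module_names(proc_modules_text):
    """Set of module names from a /proc/modules listing (first column)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def audit(rc_local_text, proc_modules_text, root_listing):
    """Return a list of (severity, message) findings; empty means nothing matched."""
    findings = []
    loaded = loaded_module_names(proc_modules_text)
    for path in insmod_entries(rc_local_text):
        if path.endswith(SUSPECT_MODULE_SUFFIX):
            findings.append(("high", f"rc.local loads the module path named in the post: {path}"))
        else:
            findings.append(("medium", f"rc.local loads a kernel module directly: {path}"))
        # A module insmod'ed at boot but missing from /proc/modules is either
        # failing to load or hiding itself; both deserve a closer look.
        if module_name(path) not in loaded:
            findings.append(("high", f"module {module_name(path)} is loaded at boot "
                                     "but absent from /proc/modules"))
    if KALLSYMS_DUMP in root_listing:
        findings.append(("high", f"{KALLSYMS_DUMP} present: kernel symbol dump "
                                 "written by the rootkit"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit(SAMPLE_RC_LOCAL, SAMPLE_PROC_MODULES, SAMPLE_ROOT_LISTING):
        print(f"[{severity}] {msg}")
```

On a live host, feed `audit()` the contents of /etc/rc.local and /proc/modules and the output of `os.listdir("/")` prefixed with "/"; keep in mind that a rootkit which hides files may also filter that directory listing, so the file check is best run from a rescue medium or against an offline disk image.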

ZeroAccess/Sirefef infects up to 9 million PCs

The ZeroAccess rootkit, known to some as Sirefef, has grown its command and control servers over the past year. It has now spread around the globe to infect up to 9 million PCs. Its botnet started growing rapidly once it hit one million infections, and has since multiplied that by 9.

Like the new TDL4 variant, it can create its own hidden partition, which is a problem for PC users, especially because they normally have no way of knowing that a hidden partition exists. Tools like TDSSKiller, though, can see through its disguise. There are two botnets in total, each with a 32-bit and a 64-bit version (totaling 4 botnets), and they are usually distributed by exploits.

Fast facts:

The latest versions appear to have no kernel-mode components, so they no longer infect drivers as earlier versions did. Instead they use user-mode components and drop their own GUID (CLSID)-named folder in the following locations:

  • c:\windows\installer\{GUID STRING}
  • c:\users\<user>\AppData\Local\{GUID STRING}
  • C:\Windows\System32\config\systemprofile\AppData\Local\{GUID STRING}

It also parks its own infections in these locations:

  • C:\Windows\assembly\GAC\Desktop.ini
  • If on x64: c:\windows\assembly\GAC_32\Desktop.ini AND c:\windows\assembly\GAC_64\Desktop.ini
  • Infects c:\windows\system32\services.exe

The ports used by each version of the botnet:

  1. Port numbers 16464 and 16465 are used by one botnet for both 32- and 64-bit platforms.
  2. Port numbers 16470 and 16471 are used by the other botnet for both platforms.

It commits two types of fraudulent activity:

  1. Click fraud
  2. Bitcoin mining
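The port pairs and file locations listed above are enough to build a first-pass triage check. The script below is an added example, not code from the original post or from any anti-malware vendor: it parses `netstat -ano` style output for connections touching the four ports, maps each hit to the botnet the post assigns it to, and flags the GAC Desktop.ini artifacts and GUID-named folders in the three drop locations. The netstat output, file list and GUID value are constructed samples; only the ports and paths come from the post.

```python
"""Match the ZeroAccess/Sirefef indicators from the post against host data.

Added example, not the post's own code. The netstat output, file list and
GUID value below are constructed; port numbers and paths come from the post.
"""
import re

# Port pairs from the post, mapped to the botnet that uses them.
BOTNET_PORTS = {16464: "botnet 1", 16465: "botnet 1",
                16470: "botnet 2", 16471: "botnet 2"}

# Artifact paths from the post, lower-cased for case-insensitive comparison.
ARTIFACT_PATHS = {
    r"c:\windows\assembly\gac\desktop.ini",
    r"c:\windows\assembly\gac_32\desktop.ini",
    r"c:\windows\assembly\gac_64\desktop.ini",
}

# The three drop locations from the post, followed by a {GUID} folder.
GUID_DIR_RE = re.compile(
    r"^(?:c:\\windows\\installer"
    r"|c:\\users\\[^\\]+\\appdata\\local"
    r"|c:\\windows\\system32\\config\\systemprofile\\appdata\\local)"
    r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}(?:\\|$)")

# One `netstat -ano` line: proto, local addr:port, foreign addr:port, optional state, PID.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Constructed sample of `netstat -ano` output on a Windows host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.1.20:49710     203.0.113.45:16464     ESTABLISHED     1672
  UDP    192.168.1.20:16471     *:*                                    1672
  TCP    192.168.1.20:49722     198.51.100.9:443       ESTABLISHED     2204
"""

# Constructed file listing; the GUID is a placeholder, not a real sample's.
SAMPLE_FILES = [
    r"C:\Windows\assembly\GAC\Desktop.ini",
    r"C:\Windows\assembly\GAC_32\System.Data\System.Data.dll",
    r"C:\Users\alice\AppData\Local\{0a1b2c3d-4e5f-6789-abcd-ef0123456789}",
    r"C:\Users\alice\AppData\Local\Temp\setup.log",
]


def flag_connections(netstat_text):
    """Connections whose local or remote port is one of the four botnet ports."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _laddr, lport, _faddr, fport, _state, pid = m.groups()
        for port_str, role in ((lport, "local"), (fport, "remote")):
            if port_str.isdigit() and int(port_str) in BOTNET_PORTS:
                hits.append({"pid": int(pid), "proto": proto, "port": int(port_str),
                             "role": role, "botnet": BOTNET_PORTS[int(port_str)]})
    return hits


def normalize(path):
    """Windows paths compare case-insensitively and accept either separator."""
    return path.replace("/", "\\").lower().rstrip("\\")


def flag_artifacts(paths):
    """Return (path, reason) pairs. Desktop.ini under the GAC folders is a direct
    indicator. GUID-named folders in the drop locations are only candidates:
    C:\\Windows\\Installer legitimately holds {ProductCode} folders for cached
    MSI packages, so pair them with Desktop.ini or port evidence before acting."""
    hits = []
    for p in paths:
        n = normalize(p)
        if n in ARTIFACT_PATHS:
            hits.append((p, "GAC Desktop.ini artifact"))
        elif GUID_DIR_RE.match(n):
            hits.append((p, "GUID-named folder in a known drop location"))
    return hits


if __name__ == "__main__":
    for h in flag_connections(SAMPLE_NETSTAT):
        print(f"PID {h['pid']} {h['proto']} {h['role']} port {h['port']} -> {h['botnet']}")
    for path, reason in flag_artifacts(SAMPLE_FILES):
        print(f"{reason}: {path}")
```

The PID returned by `flag_connections()` is the pivot: on the sample host both hits belong to process 1672, which is the process to inspect next (and, per the post, services.exe is a likely candidate, since the malware infects it). The port check is cheap enough to run across a fleet from netstat exports, while the file check only needs a directory listing, so neither requires the anti-rootkit tooling the post mentions.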


