Linux rootkit dissected; reveals latest cybercriminal techniques

By Editor Posted on November 21, 12

A newly discovered Linux rootkit has been analysed by the research team with Crowdstrike and found to allow an unknown iFrame injection to be inserted into any HTTP response generated by a Web server.

According to Georg Wicherski, a senior security researcher with the US-headquartered IT security research and analysis firm, the anonymous victim of the malware recovered the rootkit kernel module file and, after posting the code to a mailing list, asked its readers for information on the threat.

Crowdstrike – which was founded by Dmitri Alperovitch and Gregg Marston, and specialises in mining big data generated on the Internet – says it has carried out a brief static analysis of the kernel module in question.

The rootkit, says Wicherski, seems to be the next step in iframe-injecting cyber crime operations, driving traffic to exploit kits.

It could also, he adds, be used in a waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail.

Interestingly, the Crowdstrike researcher asserts that the code is not a modification of a publicly available rootkit, but the work of an intermediate level programmer – possibly from Russia – with no extensive kernel experience.

“In order to actually inject the iFrames (or JavaScript code references) into the HTTP traffic, the rootkit inline hooks the tcp_sendmsg function. This function receives one or multiple buffers to be sent out to the target and [then] appends them to a connection's outgoing buffer,” he says in his detailed analysis of the malware code.

Considering that this rootkit was used to non-selectively inject iFrames into nginx Web server responses, Wicherski says that it seems likely that this rootkit is part of a generic cyber crime operation and not a targeted attack.

However, he adds, a waterhole attack – where a site mostly visited from a certain target audience is infected – would also be plausible.

“Although the code quality would be unsatisfying for a serious targeted attack, it is interesting to see the cyber-crime-oriented developers, who have partially shown great skill at developing Windows rootkits, move into the Linux rootkit direction,” he says.

“The lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit, is a further indicator that this is not part of a sophisticated, targeted attack,” he adds.
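Wicherski's two observations above, injection into any response by hooking the socket send path and no proper HTTP response parsing, suggest a cheap check a web administrator can run on captured responses. The script below is an added example, not code from the article or from Crowdstrike's analysis; the sample responses are constructed, the iframe target is a placeholder, and it assumes (the article does not say so) that content appended at the socket layer leaves the already-emitted Content-Length header unchanged.

```python
import re
from typing import Dict, List, Tuple

# Matches an opening <iframe ...> tag anywhere in the body.
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into status line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def injection_findings(raw: bytes) -> List[str]:
    """Heuristics for content appended below the HTTP layer.

    Assumption (not stated in the article): a hook that appends to the
    socket's outgoing buffer never revises the Content-Length header,
    so declared and actual body sizes disagree.
    """
    findings: List[str] = []
    _, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "")
    clen = headers.get("content-length", "")
    iframes = IFRAME_RE.findall(body)
    if clen.isdigit() and len(body) != int(clen):
        findings.append(f"body is {len(body)} bytes, Content-Length says {clen}")
    if iframes and not ctype.lower().startswith("text/html"):
        findings.append(f"iframe tag inside a {ctype or 'untyped'} response")
    return findings


# Constructed sample responses; the iframe host is a placeholder, not a real indicator.
INJECTED = b'<iframe src="http://EXAMPLE-INJECTED-HOST/"></iframe>'
CLEAN_HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 28\r\n\r\n"
              + b"<html><body>hi</body></html>")
TAMPERED_HTML = CLEAN_HTML + INJECTED
TAMPERED_JSON = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                 + b"Content-Length: 12\r\n\r\n" + b'{"ok": true}' + INJECTED)

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_HTML), ("html", TAMPERED_HTML), ("json", TAMPERED_JSON)]:
        print(name, injection_findings(sample) or ["no findings"])
```

Responses injected into a JSON or binary body trip both checks, which is the kind of noise that gets an indiscriminate injector noticed.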

SG