A new Linux rootkit is designed to inject iFrames into websites

Posted: November 21, 2012 in IT Security News, Vulnerability News

Vulnerability

New Linux rootkit

On a number of web servers, a new rootkit has been found that is used to covertly inject malicious content into the responses served by the HTTP server. The rootkit infects 64-bit Linux servers running Debian Squeeze with kernel 2.6.32-5-amd64.

Once its module has been loaded into the kernel, the rootkit covers its tracks and rewrites the HTTP traffic generated by the local web server, inserting an iframe block that points visiting clients at exploits for vulnerabilities in their browsers and the plug-ins installed in them.

In contrast to the common technique of planting malicious code in the HTML pages stored on the server, the rootkit leaves the files on disk intact and performs the substitution on the content as the HTTP server sends it out. Because the rootkit's components are masked and hidden from monitoring tools, at first glance there is no sign of malicious activity. The first information about the new rootkit was published a few days ago on the Full Disclosure mailing list. The administrator of one of the affected systems carried out the initial analysis of strange activity on his server: data leaving the host carried the injected malicious iframe, yet no trace of the injection could be seen locally, and checking what nginx returned with strace showed correct data being written to the network socket.

Later, a security researcher with access to an infected system analysed the rootkit and published a detailed report on how it works. The most important conclusion is that the rootkit is a new development, not based on any previously available rootkit or rootkit construction kit. The implementation and its quality suggest that it was not created for targeted attacks, but is rather an early attempt to build yet another means of distributing malware.

After loading, the rootkit hooks several Linux kernel functions (vfs_readdir, vfs_read, filldir64 and filldir) that it needs in order to hide its files on disk. To hide the loaded kernel module itself, it modifies the list of active modules in the corresponding kernel data structure. Hooking is done by overwriting a few bytes of code directly at the start of each intercepted function with a jmp rel32 whose displacement is computed at load time. The rootkit is started by loading its kernel module. However, because the command "insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko" was appended to the end of /etc/rc.local, and Debian's /etc/rc.local ends with a call to exit 0, the load command sits after the exit and the rootkit is not reactivated after a reboot. (A command placed after exit 0 in rc.local is itself a tell worth checking for, as is a module file under kernel/sound/ that is not part of any package.)
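As an added illustration (not code from the rootkit or from the researchers' report), the following user-space C program builds the same kind of 5-byte jmp rel32 patch the article describes, applies it to a local function with mprotect, and shows the check a defender can run against a function's first bytes to see where an inline jump at the entry lands. The names victim, hook and demo_inline_hook are the example's own, and the demonstration is x86-64 specific.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Displacement for an x86-64 "jmp rel32" (opcode E9) written at patch_addr.
 * The CPU adds rel32 to the address of the *next* instruction, i.e. patch_addr + 5,
 * which is why the rootkit has to compute the offset at load time. */
int32_t jmp_rel32_displacement(uint64_t patch_addr, uint64_t target) {
    return (int32_t)(target - (patch_addr + 5));
}

/* The 5 bytes the rootkit writes over a hooked function's entry: E9 + rel32 (LE). */
void build_jmp_rel32(uint8_t out[5], uint64_t patch_addr, uint64_t target) {
    int32_t rel = jmp_rel32_displacement(patch_addr, target);
    out[0] = 0xE9;
    memcpy(out + 1, &rel, sizeof rel);   /* x86-64 is little-endian */
}

/* Detection side: given a function's first bytes and its address, resolve where an
 * inline jmp at the entry would land. Returns 0 if the entry is not an E9 jmp. */
uint64_t inline_jmp_target(const uint8_t *code, uint64_t code_addr) {
    if (code[0] != 0xE9) return 0;
    int32_t rel;
    memcpy(&rel, code + 1, sizeof rel);
    return code_addr + 5 + (int64_t)rel;
}

/* Hypothetical victim and hook for the user-space demonstration. */
static __attribute__((noinline)) int victim(void) { return 1; }
static __attribute__((noinline)) int hook(void)   { return 42; }

/* Patch victim() the way the rootkit patches vfs_read & co. Returns victim()'s
 * result after patching (42 if the hook took effect), or -1 if the text pages
 * could not be made writable (e.g. a W^X policy that forbids RWX mappings). */
int demo_inline_hook(void) {
    uint8_t *entry = (uint8_t *)victim;
    uintptr_t page  = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t first = (uintptr_t)entry & ~(page - 1);
    uintptr_t last  = ((uintptr_t)entry + 5 - 1) & ~(page - 1); /* patch may straddle a page */
    if (mprotect((void *)first, last - first + page,
                 PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;

    uint8_t patch[5];
    build_jmp_rel32(patch, (uint64_t)(uintptr_t)entry, (uint64_t)(uintptr_t)hook);
    memcpy(entry, patch, sizeof patch);

    int (*volatile fp)(void) = victim;   /* volatile: stop the compiler folding the call */
    return fp();
}

int main(void) {
    int r = demo_inline_hook();
    printf("victim() after patch: %d\n", r);
    uint64_t tgt = inline_jmp_target((const uint8_t *)victim, (uint64_t)(uintptr_t)victim);
    printf("entry of victim jumps to %#llx (hook is at %#llx)\n",
           (unsigned long long)tgt, (unsigned long long)(uintptr_t)hook);
    return 0;
}
```

The same E9 check against the entry bytes of vfs_read, vfs_readdir, filldir and filldir64 (symbol addresses from /proc/kallsyms, bytes read from a trusted context such as a memory image or a clean rescue boot rather than from the possibly-hooked running kernel) flags the hook the article describes: a displacement that resolves to an address outside the kernel's own text section is the sign.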

Injection of the malicious code into the traffic is done by hooking tcp_sendmsg, the function used to build outgoing TCP packets. The rootkit's handler inspects the transmitted content and appends an iframe block after the line containing the body tag. The rootkit is controlled through a special interface that receives commands from a remote management server: once the rootkit has contacted the server, the server returns the block of data to be injected into the traffic together with the injection parameters. For example, rules can be set for which hosts the injection applies to and for the type of injection (JavaScript or iframe).
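The injection rule above and the administrator's observation that strace showed nginx writing clean data while the wire carried an iframe both come down to comparing two copies of the same response. The following C code is an added example (not the rootkit's code and not from the report): it reproduces the insert-after-the-body-line rule on a constructed HTTP response, then detects the insertion by diffing the server-side copy against the wire copy and by checking the body length against the Content-Length header. The sample response and the host name in kPayload are constructed for the example; whether the real rootkit also fixed up Content-Length is not stated in the article, so the second check is an assumption about what a naive injector leaves behind.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: what nginx wrote to the socket (the strace view). */
static const char *kServerCopy =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 45\r\n"
    "\r\n"
    "<html>\n"
    "<body>\n"
    "  <p>Hello</p>\n"
    "</body>\n"
    "</html>\n";

/* Constructed payload; example.invalid is a reserved name, not a real host. */
static const char *kPayload =
    "<iframe src=\"http://example.invalid/\" width=\"1\" height=\"1\"></iframe>";

/* Case-insensitive ASCII substring search (avoids the non-standard strcasestr). */
static const char *find_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t k = 0;
        while (k < n && hay[k] &&
               tolower((unsigned char)hay[k]) == tolower((unsigned char)needle[k]))
            k++;
        if (k == n) return hay;
    }
    return NULL;
}

/* Rootkit-side rule from the article: insert `payload` (plus a newline) right after
 * the end of the line that contains the <body> tag. Returns a malloc'd copy of the
 * response, or NULL if there is no body tag. Caller frees. */
char *inject_after_body_line(const char *resp, const char *payload) {
    const char *body = find_ci(resp, "<body");
    if (!body) return NULL;
    const char *eol = strchr(body, '\n');
    size_t rlen = strlen(resp), plen = strlen(payload);
    size_t head = eol ? (size_t)(eol - resp + 1) : rlen;
    char *out = malloc(rlen + plen + 2);
    if (!out) return NULL;
    memcpy(out, resp, head);
    memcpy(out + head, payload, plen);
    out[head + plen] = '\n';
    memcpy(out + head + plen + 1, resp + head, rlen - head + 1); /* includes NUL */
    return out;
}

/* Defender-side check 1: diff the server-side copy against the wire copy.
 * If `wire` is `server` with exactly one block inserted, store the block's length
 * in *len_out and return its offset; return -1 otherwise (identical, shorter, or
 * changed in more than one place). */
long find_inserted_block(const char *server, const char *wire, size_t *len_out) {
    size_t slen = strlen(server), wlen = strlen(wire);
    if (wlen <= slen) return -1;
    size_t i = 0;
    while (i < slen && server[i] == wire[i]) i++;        /* common prefix */
    size_t extra = wlen - slen;
    if (memcmp(server + i, wire + i + extra, slen - i) != 0) return -1; /* suffix must match */
    *len_out = extra;
    return (long)i;
}

/* Defender-side check 2: body bytes beyond what Content-Length announces.
 * Returns the surplus (0 when consistent), or -1 if the response cannot be parsed. */
long content_length_surplus(const char *resp) {
    const char *hdr = find_ci(resp, "\r\nContent-Length:");
    const char *sep = strstr(resp, "\r\n\r\n");
    if (!hdr || !sep || hdr > sep) return -1;
    long declared = strtol(hdr + strlen("\r\nContent-Length:"), NULL, 10);
    long actual = (long)strlen(sep + 4);
    return actual - declared;
}

int main(void) {
    char *wire = inject_after_body_line(kServerCopy, kPayload);
    if (!wire) return 1;
    size_t len = 0;
    long off = find_inserted_block(kServerCopy, wire, &len);
    printf("inserted %zu bytes at offset %ld:\n%.*s", len, off, (int)len, wire + off);
    printf("content-length surplus on the wire copy: %ld\n", content_length_surplus(wire));
    free(wire);
    return 0;
}
```

In practice the server-side copy is what strace shows the nginx worker passing to write or sendto, and the wire copy is what a client on another host receives for the same request; feeding both to find_inserted_block isolates the injected bytes, while the Content-Length mismatch is the cheap local tell to look for when only the wire copy is available.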

Links:

http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240142442/new-linux-rootkit-discovered-injecting-iframes.html

http://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012
