IFRAME-injecting Linux rootkit discovered

Researchers are analyzing a new rootkit that they believe signals the latest development in criminals' attempts to secretly compromise websites with the goal of directing users to exploits.

Details of the rootkit were posted anonymously Tuesday on the Full Disclosure mailing list, leading researchers from security firms CrowdStrike and Kaspersky Lab to study the malware. The anonymous poster, who runs a web service, found the rootkit on company servers after customers said they were redirected to malicious sites.

Georg Wicherski, senior security researcher at CrowdStrike, told SCMagazine.com Tuesday that it is still unknown how the 64-bit Linux rootkit got on the victim's server and how many others may have been infected by it.

Researchers said the rootkit is not particularly complex. What makes it notable is that it hides at the kernel level and infects web servers, then reaches visitors' computers by way of watering hole tactics, that is, by infecting the sites hosted on the compromised HTTP server.

Wicherski posted an analysis of the rootkit Monday on CrowdStrike's blog.

"It's a very interesting piece of malware in that it's not used to infect a desktop, but to infect servers that host websites," Wicherski said.

The rootkit modifies the response of HTTP requests sent by the web server, using an IFRAME injection mechanism, he explained.

“It internally redirects the visiting user's browser to another site,” Wicherski said.
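Because the injection happens in the kernel as the response is sent, the file in the webroot stays clean while the bytes a client receives differ. A defender can therefore spot the injection by comparing what a remote client actually receives with the on-disk page and flagging iframes that only appear in the served copy. The following is an added illustration, not code from the article or from either vendor's analysis; the two HTML documents are constructed samples.

```python
from html.parser import HTMLParser


class IframeCollector(HTMLParser):
    """Record the src and style attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            a = dict(attrs)
            self.iframes.append((a.get("src", ""), a.get("style", "")))


def find_injected_iframes(on_disk_html, served_html):
    """Return iframes present in the served response but absent from the file on disk.

    Legitimate iframes that the site itself ships are whitelisted by their presence
    in the on-disk copy; anything else in the served copy is reported.
    """
    disk, served = IframeCollector(), IframeCollector()
    disk.feed(on_disk_html)
    served.feed(served_html)
    expected = set(disk.iframes)
    return [frame for frame in served.iframes if frame not in expected]


# Constructed sample: the page as it sits in the webroot.
ON_DISK = """<html><body><h1>Welcome</h1>
<iframe src="/widgets/weather.html"></iframe>
</body></html>"""

# Constructed sample: the same page as received by a client. The hidden iframe
# with a placeholder host stands in for an iframe added in flight by the rootkit.
SERVED = """<html><body><h1>Welcome</h1>
<iframe src="/widgets/weather.html"></iframe>
<iframe src="http://redirect-host.example/landing" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, style in find_injected_iframes(ON_DISK, SERVED):
        print(f"unexpected iframe in served response: src={src!r} style={style!r}")
```

The served copy should be fetched from a separate, trusted host, since tools run on the compromised server are subject to the same kernel hooks.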

Information gleaned from the command-and-control server led CrowdStrike to determine that the attacker was likely based in Russia.

Kaspersky also published a blog post on the rootkit, reporting similar findings.

Marta Janus, a Kaspersky researcher, said the malware targets 64-bit Linux platforms and hides itself within the kernel, giving the rootkit advanced system privileges. It communicates with its command-and-control server using an encrypted password.

“We are dealing with something far more sophisticated -- a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before,” Janus wrote. “This rootkit, though it's still in the development stage, shows a new approach to the drive-by download schema, and we can certainly expect more such malware in the future.”
