IFRAME-injecting Linux rootkit discovered

Researchers are analyzing a new rootkit that they believe signals the latest development in criminals' attempts to secretly compromise websites with the goal of directing users to exploits.

Details of the rootkit were posted anonymously Tuesday on the Full Disclosure mailing list, leading researchers from security firms CrowdStrike and Kaspersky Lab to study the malware. The anonymous poster, who runs a web service, found the rootkit on company servers after customers said they were redirected to malicious sites.

Georg Wicherski, senior security researcher at CrowdStrike, told Tuesday that it is still unknown how the 64-bit Linux rootkit got on the victim's server and how many others may have been infected by it.

Researchers said the rootkit is not particularly complex. But what makes it fascinating is that it hides at the kernel level to infect web servers and computers by way of watering hole tactics, or infecting sites hosted on a compromised HTTP server.

Wicherski posted an analysis of the rootkit Monday on CrowdStrike's blog.

"It's a very interesting piece of malware in that it's not used to infect a desktop, but to infect servers that host websites," Wicherski said.

The rootkit modifies the response of HTTP requests sent by the web server, using an IFRAME injection mechanism, he explained.

“It internally redirects the visiting user's browser to another site,” Wicherski said.

Information gleaned from the command-and-control server led CrowdStrike to determine that the attacker was likely based in Russia. 

Kaspersky also published a blog post on the rootkit, reporting similar findings.

Marta Janus, a Kaspersky researcher, said the malware is targeting 64-bit Linux platforms and hid itself within the kernel, giving the rootkit advanced system privileges. It communicates with its command-and-control server using an encrypted password.

“We are dealing with something far more sophisticated -- a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before,” Janus wrote. “This rootkit, though it's still in the development stage, shows a new approach to the drive-by download schema, and we can certainly expect more such malware in the future.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.