Author Topic: Linux users targeted by mystery drive-by rootkit

Edvard

Linux users targeted by mystery drive-by rootkit
« on: November 24, 2012, 12:06 AM »
The malware is aimed at the 64-bit Debian Squeezy kernel and is distributed to would-be victims via an unusual form of iFrame injection attack


Article says it looks so far like a work-in-progress, but just a reminder that we Linux users are not and never will be completely immune.
Stumps me why they chose Debian Squeeze, why not Ubuntu for the newb user base?  Why not Red Hat for all the delicious server exploit possibilities?
... And Bronx cheers to Infoworld for getting the distro name wrong (Squeezy? Really? Research much?)


from sumwhar ah ferget
Rootkit Icon by ? http://thethreatvect...s-cybersecurity-101/

barney

Re: Linux users targeted by mystery drive-by rootkit
« Reply #1 on: November 24, 2012, 12:40 AM »
Stumps me why they chose Debian Squeeze, why not Ubuntu for the newb user base?

Well, if it was me - it ain't - I'd test on a small sample, see how things work, then adapt and magnify  :huh:.  Even black hats need to test in the real world  :o.

Totally agree with the cheer - reporting should be accurate.

Edvard

Re: Linux users targeted by mystery drive-by rootkit
« Reply #2 on: November 24, 2012, 01:14 AM »
Well, if it was me - it ain't - I'd test on a small sample, see how things work, then adapt and magnify
Judging by the details reported on, that may be exactly what's happening.  Debian proper is just generic enough to leave room for adaptation.

barney

Re: Linux users targeted by mystery drive-by rootkit
« Reply #3 on: November 24, 2012, 01:43 AM »
For years, Apple was virus-proof, then it became popular enough to attract attention.  Same scenario is playing out now in the Linux arena.  Actually, I'm surprised that the Red Hat commercial bits have not been attacked before this.  But Ubuntu/Debian has become widespread enough to make it a target.  Kinda like Apple, it's a bigger target now, something that can provide bragging rights.

SeraphimLabs

Re: Linux users targeted by mystery drive-by rootkit
« Reply #4 on: November 24, 2012, 08:22 AM »
If it aims for the Squeeze kernel, it would infect both Debian and Ubuntu as they come from the same sources. Ubuntu just has a faster release cycle.

Also, Squeeze is used in both server and client. Two of my own are Debian Squeeze, although if the infection vector is an iframe it isn't going to bother them because I don't have GUIs installed on either one and cannot directly surf the internet using them.

Can't have anything nice, someone comes along and writes malware for it.

40hz

Re: Linux users targeted by mystery drive-by rootkit
« Reply #5 on: November 24, 2012, 12:18 PM »
Well...we all knew it was only a matter of time before this sort of thing started happening.  :-\

So be it. It will be dealt with. 8)

In the meantime here's a detailed tech write-up of what this bad puppy is all about.

From the article:

Conclusion

Considering that this rootkit was used to non-selectively inject iframes into nginx webserver responses, it seems likely that this rootkit is part of a generic cyber crime operation and not a targeted attack. However, a Waterhole attack, where a site mostly visited from a certain target audience is infected, would also be plausible. Since no identifying strings yielded results in an Internet search (except for the ksocket library), it appears that this is not a modification of a publicly available rootkit. Rather, it seems that this is contract work of an intermediate programmer with no extensive kernel experience, later customized beyond repair by the buyer.

Although the code quality would be unsatisfying for a serious targeted attack, it is interesting to see the cyber-crime-oriented developers, who have partially shown great skill at developing Windows rootkits, move into the Linux rootkit direction. The lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit, is a further indicator that this is not part of a sophisticated, targeted attack.

Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely. It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely.

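The CrowdStrike conclusion quoted above says the rootkit injected iframes into nginx responses and did no proper HTTP response parsing, which is what got it noticed. The script below is an added example, not code from this thread or from the CrowdStrike analysis. It shows two checks a defender can run against a server suspected of this kind of tampering: comparing the iframes in the body the server actually delivers against a known-good copy of the page, and flagging a Content-Length header that no longer matches the delivered body. The sample page, the two sample responses, the trusted-host allowlist and the assumption that a crude injector appends a tag without rewriting the headers are all constructed for the example.

```python
"""
Detect iframe injection in served HTTP responses.

Check 1: any <iframe> in the served body that is absent from a reference
         copy of the page is reported as injected.
Check 2: a Content-Length header that disagrees with the delivered body
         is reported; an injector that appends bytes to a finished response
         without rewriting headers leaves this trace (assumed behaviour,
         not a detail from the published analysis).
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts an iframe on this site is allowed to point at (assumed allowlist).
TRUSTED_IFRAME_HOSTS = {"www.youtube.com"}


class _IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.srcs.append(dict(attrs).get("src") or "")


def iframe_srcs(html: str) -> list:
    parser = _IframeCollector()
    parser.feed(html)
    return parser.srcs


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


@dataclass
class Finding:
    kind: str
    detail: str


def analyze_response(raw: bytes, reference_html: str) -> list:
    """Return findings for a served response compared with a known-good page."""
    findings = []
    _status, headers, body = split_response(raw)

    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        findings.append(Finding(
            "length-mismatch",
            f"Content-Length says {declared} but body is {len(body)} bytes"))

    served = body.decode("utf-8", errors="replace")
    expected = set(iframe_srcs(reference_html))
    for src in iframe_srcs(served):
        host = urlparse(src).hostname or ""
        if src not in expected:
            findings.append(Finding("injected-iframe", f"unexpected iframe to {src}"))
        elif host not in TRUSTED_IFRAME_HOSTS:
            findings.append(Finding("untrusted-iframe", f"iframe host not allowlisted: {host}"))
    return findings


# --- constructed sample data -------------------------------------------------
REFERENCE_HTML = (
    "<html><body><h1>Hello</h1>"
    '<iframe src="https://www.youtube.com/embed/abc"></iframe>'
    "</body></html>"
)


def build_response(body: bytes, content_length: int) -> bytes:
    return (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
            + f"Content-Length: {content_length}\r\n".encode() + b"\r\n" + body)


CLEAN_BODY = REFERENCE_HTML.encode()
CLEAN_RESPONSE = build_response(CLEAN_BODY, len(CLEAN_BODY))

# Constructed injected tag; the .invalid TLD is reserved and never resolves.
INJECTED_TAG = b'<iframe src="http://malicious.invalid/x.php" width="1" height="1"></iframe>'
TAMPERED_BODY = CLEAN_BODY.replace(b"</body>", INJECTED_TAG + b"</body>")
# Assumed crude injector: body grows, original Content-Length left untouched.
TAMPERED_RESPONSE = build_response(TAMPERED_BODY, len(CLEAN_BODY))

if __name__ == "__main__":
    for label, resp in (("clean", CLEAN_RESPONSE), ("tampered", TAMPERED_RESPONSE)):
        print(label, analyze_response(resp, REFERENCE_HTML))
```

In practice the reference copy would be the file on disk or a fetch from a trusted mirror, and the raw response would be captured with a TCP-level client rather than a library that silently repairs framing, since a client that trusts Content-Length would truncate the injected bytes and hide exactly the evidence the second check looks for.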


mwb1100

Re: Linux users targeted by mystery drive-by rootkit
« Reply #6 on: November 24, 2012, 01:11 PM »
It will be dealt with.

As long as it's not dealt with by "Symantec Norton Security Suite for Linux". 

Please?

40hz

Re: Linux users targeted by mystery drive-by rootkit
« Reply #7 on: November 24, 2012, 01:54 PM »
It will be dealt with.

As long as it's not dealt with by "Symantec Norton Security Suite for Linux".  

Please?

Oh, Symantec is welcome to take a stab at it if they want. Kaspersky already has, and now detects it.

But the Nix community takes care of its own. And it doesn't rely on commercial entities to provide security or fix its weaknesses like some do.

Like I said, it will be dealt with. 8) :Thmbsup:

f0dder

Re: Linux users targeted by mystery drive-by rootkit
« Reply #8 on: November 24, 2012, 03:23 PM »
Heh. Finally the year of the linux desktop, eh? ;)

Don't kid yourselves that linux hasn't been massively exploited before, it has - the really juicy exploits are kept pretty private, though, since it's just so much more valuable being able to penetrate select targets rather than getting a (very) few zombie nodes...

The malware-serving part of this story isn't all that interesting - from reading the CrowdStrike analysis, the rootkit is relatively amateurishly written. What might be interesting, though, would be knowing how widespread this is... and the 'root' part of rootkit. How did the attackers get in?
- carpe noctem

40hz

Re: Linux users targeted by mystery drive-by rootkit
« Reply #9 on: November 24, 2012, 04:57 PM »
Heh. Finally the year of the linux desktop, eh? ;)

Don't kid yourselves that linux hasn't been massively exploited before, it has - the really juicy exploits are kept pretty private, though, since it's just so much more valuable being able to penetrate select targets rather than getting a (very) few zombie nodes...

Care to share a few? I'm all ears! 8)

f0dder

Re: Linux users targeted by mystery drive-by rootkit
« Reply #10 on: November 27, 2012, 08:48 AM »
Heh. Finally the year of the linux desktop, eh? ;)

Don't kid yourselves that linux hasn't been massively exploited before, it has - the really juicy exploits are kept pretty private, though, since it's just so much more valuable being able to penetrate select targets rather than getting a (very) few zombie nodes...
Care to share a few? I'm all ears! 8)
Oh, I don't have any myself - I'm not in that game. But just consider how long something like the linux IPX protocol nullptr deref in proto_ops was around before "it was found"? :-)
- carpe noctem