The malware is aimed at the 64-bit Debian Squeezy kernel and is distributed to would-be victims via an unusual form of iFrame injection attack
Stumps me why they chose Debian Squeeze, why not Ubuntu for the newb user base?-Edvard (November 24, 2012, 12:06 AM)
Well, if it was me - it ain't - I'd test on a small sample, see how things work, then adapt and magnify
Judging by the details reported on, that may be exactly what's happening. Debian proper is just generic enough to leave room for adaptation.
Conclusion
Considering that this rootkit was used to non-selectively inject iframes into nginx webserver responses, it seems likely that this rootkit is part of a generic cyber crime operation and not a targeted attack. However, a Waterhole attack, where a site mostly visited from a certain target audience is infected, would also be plausible. Since no identifying strings yielded results in an Internet search (except for the ksocket library), it appears that this is not a modification of a publicly available rootkit. Rather, it seems that this is contract work of an intermediate programmer with no extensive kernel experience, later customized beyond repair by the buyer.
Although the code quality would be unsatisfying for a serious targeted attack, it is interesting to see the cyber-crime-oriented developers, who have partially shown great skill at developing Windows rootkits, move into the Linux rootkit direction. The lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit, is a further indicator that this is not part of a sophisticated, targeted attack.
Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely. It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely.
It will be dealt with.-40hz (November 24, 2012, 12:18 PM)
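The conclusion quoted above notes that the rootkit injected iframes into nginx responses on the way out, so the file in the document root stays clean while the bytes on the wire do not. The following added example (my own, not CrowdStrike's or anyone else's code from the thread) shows the check that follows from that: compare what the server actually returned with what sits on disk and report any iframe that appears only in the served copy. The two HTML documents and the iframe URL are constructed sample data.

```python
import difflib
from html.parser import HTMLParser

# Constructed sample: the page as it sits in nginx's document root (clean).
ON_DISK = """<html><head><title>Example</title></head>
<body><p>Hello</p></body></html>"""

# Constructed sample: the same page as a client received it. The extra
# <iframe> stands in for content injected into the response stream; the
# URL is a placeholder in the reserved .invalid domain, not a real indicator.
SERVED = """<html><head><title>Example</title></head>
<body><p>Hello</p><iframe src="http://injected.invalid/x" width=0 height=0></iframe></body></html>"""


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.srcs.append(dict(attrs).get("src", ""))


def iframes_in(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.srcs


def injected_iframes(on_disk, served):
    """Return iframe src values present in the served body but absent on disk.

    A kernel-level hook that rewrites outbound data leaves the file untouched,
    so a disk-versus-wire comparison is the natural detection for this class."""
    disk = iframes_in(on_disk)
    return [src for src in iframes_in(served) if src not in disk]


def changed_lines(on_disk, served):
    """Unified diff of the two documents, for the analyst to eyeball."""
    return list(difflib.unified_diff(on_disk.splitlines(), served.splitlines(),
                                     "on_disk", "served", lineterm=""))


if __name__ == "__main__":
    for src in injected_iframes(ON_DISK, SERVED):
        print("injected iframe:", src)
    print("\n".join(changed_lines(ON_DISK, SERVED)))
```

In practice the served copy would be fetched with a plain HTTP client from a host other than the suspect server, since anything running on the compromised kernel may be lied to as well.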
As long as it's not dealt with by "Symantec Norton Security Suite for Linux".
Please?-mwb1100 (November 24, 2012, 01:11 PM)
Heh. Finally the year of the linux desktop, eh? ;)
Don't kid yourselves that linux hasn't been massively exploited before, it has - the really juicy exploits are kept pretty private, though, since it's just so much more valuable being able to penetrate select targets rather than getting a (very) few zombie nodes...-f0dder (November 24, 2012, 03:23 PM)
Care to share a few? I'm all ears! 8)-40hz (November 24, 2012, 04:57 PM)
Oh, I don't have any myself - I'm not in that game. But just consider how long something like the linux IPX protocol nullptr deref in proto_ops was around before "it was found"? :-)