Linux users targeted by mystery drive-by rootkit

[Edvard]

The malware is aimed at the 64-bit Debian Squeezy kernel and is distributed to would-be victims via an unusual form of iFrame injection attack

https://www.infoworl...nterprise_2012-11-21

Article says it looks so far like a work-in-progress, but just a reminder that we Linux users are not and never will be completely immune.
Stumps me why they chose Debian Squeeze, why not Ubuntu for the newb user base?  Why not Red Hat for all the delicious server exploit possibilities?
... And Bronx cheers to Infoworld for getting the distro name wrong (Squeezy? Really? Research much?)

from sumwhar ah ferget
Rootkit Icon by ? http://thethreatvect...s-cybersecurity-101/

[barney]

Stumps me why they chose Debian Squeeze, why not Ubuntu for the newb user base?

-Edvard (November 24, 2012, 12:06 AM)

Well, if it was me - it ain't - I'd test on a small sample, see how things work, then adapt and magnify  .  Even black hats need to test in the real world  .

Totally agree with the cheer - reporting should be accurate.

[Edvard]

Well, if it was me - it ain't - I'd test on a small sample, see how things work, then adapt and magnify

Judging by the details reported on, that may be exactly what's happening.  Debian proper is just generic enough to leave room for adaptation.

[barney]

For years, Apple was virus-proof, then it became popular enough to attract attention.  Same scenario is playing out now in the Linux arena.  Actually, I'm surprised that the Red Hat commercial bits have not been attacked before this.  But Ubuntu/Debian has become widespread enough to make it a target.  Kinda like Apple, it's a bigger target now, something that can provide bragging rights.

[SeraphimLabs]

If it aims for the Squeeze kernel, it would infect both Debian and Ubuntu as they come from the same sources. Ubuntu just has a faster release cycle.

Also, Squeeze is used in both server and client. Two of my own are Debian Squeeze, although if the infecton vector is an iframe it isn't going to bother them because I don't have GUIs installed on either one and cannot directly surf the internet using them.

Can't have anything nice, someone comes along and writes malware for it.

[40hz]

Well...we all knew it was only a matter of time before this sort of thing started happening.  

So be it. It will be dealt with.

In the meantime here's a detailed tech write-up of what this bad puppy is all about.

From the article:

Conclusion

Considering that this rootkit was used to non-selectively inject iframes into nginx webserver responses, it seems likely that this rootkit is part of a generic cyber crime operation and not a targeted attack. However, a Waterhole attack, where a site mostly visited from a certain target audience is infected, would also be plausible. Since no identifying strings yielded results in an Internet search (except for the ksocket library), it appears that this is not a modification of a publicly available rootkit. Rather, it seems that this is contract work of an intermediate programmer with no extensive kernel experience, later customized beyond repair by the buyer.

Although the code quality would be unsatisfying for a serious targeted attack, it is interesting to see the cyber-crime-oriented developers, who have partially shown great skill at developing Windows rootkits, move into the Linux rootkit direction. The lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit, is a further indicator that this is not part of a sophisticated, targeted attack.

Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely. It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely.

[mwb1100]

It will be dealt with.

-40hz (November 24, 2012, 12:18 PM)

As long as it's not dealt with by "Symantec Norton Security Suite for Linux". 

Please?

[40hz]

It will be dealt with.

-40hz (November 24, 2012, 12:18 PM)

As long as it's not dealt with by "Symantec Norton Security Suite for Linux".  

Please?

-mwb1100 (November 24, 2012, 01:11 PM)

Oh, Symantec is welcome to take a stab at it if they want. Kapersky already has, and now detects it.

But the Nix community takes care of its own. And it doesn't rely on commercial entities to provide security or fix its weaknesses like some do.

Like I said, it will be dealt with.

[f0dder]

Heh. Finally the year of the linux desktop, eh?

Don't kind yourselves that linux hasn't been massively exploited before, it has - the really juicy exploits are kept pretty private, though, since it's just so much more valuable being able to penetrate select targets rather than getting a (very) few zombie nodes...

The malware-serving part of this story isn't all that interesting - from reading the CrowdStrike analysis, the rootkit is relatively amateurishly written. What might be interesting, though, would be knowing how widespread this is... and the 'root' part of rootkit. How did the attackers get in?

[40hz]

Heh. Finally the year of the linux desktop, eh?

Don't kind yourselves that linux hasn't been massively exploited before, it has - the really juicy exploits are kept pretty private, though, since it's just so much more valuable being able to penetrate select targets rather than getting a (very) few zombie nodes...

-f0dder (November 24, 2012, 03:23 PM)

Care to share a few? I'm all ears!

[f0dder]

Heh. Finally the year of the linux desktop, eh?

Don't kind yourselves that linux hasn't been massively exploited before, it has - the really juicy exploits are kept pretty private, though, since it's just so much more valuable being able to penetrate select targets rather than getting a (very) few zombie nodes...

-f0dder (November 24, 2012, 03:23 PM)

Care to share a few? I'm all ears!

-40hz (November 24, 2012, 04:57 PM)

Oh, I don't have any myself - I'm not in that game. But just consider how long something like the linux IPX protocol nullptr deref in proto_ops was around before "it was found"? :-)