Linux Webserver Rootkit Attacks Internet Users

Rootkit.Linux.Snakso.a is designed to infect Linux kernel version 2.6.32-5-amd64 and adds an iframe to every web page the infected server serves through its nginx proxy.

The malware appears to still be under development: the code is rather large (more than 500 KB, including debugging information), and Kaspersky noted that "some of the functions don’t seem to be fully working or they are not fully implemented yet."

Security researcher Georg Wicherski said that the code does not appear to be a variant of any publicly available rootkit, but rather the result of "contract work of an intermediate programmer with no extensive kernel experience". The malware was also likely customized by the buyer, and that customization introduced critical flaws. Based on his analysis, Wicherski speculated that the rootkit may have been created by a Russia-based attacker.

The security researcher concluded that the "code quality would be unsatisfying for a serious targeted attack", including a "lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit".
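Because the injection described above happens in the kernel, after nginx has finished building the response, the bytes on the wire differ from the bytes on disk while nginx's own logs and the files themselves look clean. The following check, an added example and not code from the article or from Kaspersky, compares a captured raw HTTP response against the file the server was supposed to serve and reports any iframe that exists only on the wire. It also flags a Content-Length header that disagrees with the body, which is one thing an injector with weak HTTP response parsing can get wrong; that specific symptom is an assumption here, since the article does not detail the parsing flaw. The sample responses, the page content and the hostname injected.example are all constructed for the example.

```python
"""Compare an HTTP response captured on the wire with the file nginx was
supposed to serve, to spot content injected below the web server
(e.g. by a kernel-level rootkit).  All sample data below is constructed."""

import re

# Constructed sample: what nginx would serve from disk.
DISK_PAGE = (
    b"<html><head><title>Hello</title></head>\n"
    b"<body><h1>Welcome</h1></body></html>\n"
)

# Constructed sample: the same page as captured on the wire, with a
# hypothetical injected iframe.  Content-Length still describes the
# original body, as an injector that ignores HTTP framing would leave it.
INJECTED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Server: nginx\r\n"
    + b"Content-Type: text/html\r\n"
    + b"Content-Length: " + str(len(DISK_PAGE)).encode() + b"\r\n"
    + b"\r\n"
    + DISK_PAGE.replace(
        b"</body>",
        b'<iframe src="http://injected.example/x.php" width="1" height="1"></iframe></body>',
    )
)

# Constructed sample: an untouched response for comparison.
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    + b"Server: nginx\r\n"
    + b"Content-Type: text/html\r\n"
    + b"Content-Length: " + str(len(DISK_PAGE)).encode() + b"\r\n"
    + b"\r\n"
    + DISK_PAGE
)

IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, header dict, body).

    Header names are lower-cased; the body is everything after the blank line.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def check_response(raw: bytes, expected_body: bytes) -> dict:
    """Report how the wire body differs from the file on disk.

    Returns whether the body matches byte for byte, whether the declared
    Content-Length disagrees with the actual body, and the list of iframe
    tags present on the wire but absent from the file on disk.
    """
    _status, headers, body = parse_response(raw)
    declared = headers.get("content-length")
    on_disk = set(IFRAME_RE.findall(expected_body))
    return {
        "body_matches_disk": body == expected_body,
        "content_length_mismatch": declared is not None and int(declared) != len(body),
        "injected_iframes": [
            tag.decode("latin-1") for tag in IFRAME_RE.findall(body) if tag not in on_disk
        ],
    }


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_RESPONSE), ("injected", INJECTED_RESPONSE)):
        print(label, check_response(raw, DISK_PAGE))
```

To use this against a live server, capture the response from a separate host (a raw socket client, or a tcpdump capture on the network path) rather than with tools running on the suspect machine: a kernel rootkit can lie to anything that runs on top of it, but it cannot rewrite what another host has already received.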

  • dormantreign
    Way to piss off the hacker. Now that he's read this he'll be up all night eating pizza pockets fixing his program.
    9
  • DSpider
    2.6.32-5-amd64?

    I'm thinking Debian (stable).
    4
  • A Bad Day
    dormantreign: Way to piss off the hacker. Now that he's read this he'll be up all night eating pizza pockets fixing his program.

    And then the buyer will keep introducing new flaws to "improve" it.

    "What do you mean my rootkits got infected and zombiefied?"
    4