Linux Webserver Rootkit Attacks Internet Users
A security software maker has released an analysis of a rootkit that recently showed up on the Full Disclosure mailing list.
Rootkit.Linux.Snakso.a is designed to infect Linux kernel version 2.6.32-5-amd64 and injects an iframe into every web page that the infected Linux server serves through the nginx proxy.
The malware appears to still be under development: the code is rather large (more than 500k, including debugging information), and Kaspersky noted that "some of the functions don't seem to be fully working or they are not fully implemented yet."
Security researcher Georg Wicherski said that the code does not appear to be a variant of a publicly available rootkit, but rather the result of "contract work of an intermediate programmer with no extensive kernel experience". The malware was also likely customized by the buyer, which introduced critical flaws. Based on his research, Wicherski speculated that the rootkit may have been created by a Russia-based attacker.
The security researcher concluded that the "code quality would be unsatisfying for a serious targeted attack", including a "lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit".
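Because the rootkit's visible effect is an iframe added to pages on their way out of the server, one defensive check is to compare what the backend (or the file on disk) holds with what a client actually receives and flag any iframe that appears only in the served copy. The script below is an added example, not code from the article or from either analysis; the sample documents and the hostname in them are constructed.

```python
"""Flag iframes that appear in a served page but not in its source document."""
from html.parser import HTMLParser


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> tag (tag names arrive lowercased)."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs.append(dict(attrs).get("src", "").strip())


def iframe_sources(html):
    """Return the iframe src values found in an HTML document, in document order."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.srcs


def injected_iframes(source_html, served_html):
    """Return iframe srcs present in the served copy but absent from the source.

    Only literal <iframe> tags are compared; markup built at runtime by a script
    would need a rendered-DOM comparison instead.
    """
    expected = set(iframe_sources(source_html))
    return [src for src in iframe_sources(served_html) if src not in expected]


# Constructed sample data: the document as stored on the server, and the same
# document as a client would receive it if a one-pixel iframe were appended.
SOURCE_HTML = (
    "<html><body><h1>Welcome</h1>"
    "<iframe src='/status.html'></iframe></body></html>"
)
SERVED_HTML = SOURCE_HTML.replace(
    "</body>",
    "<iframe src='http://injected.example/frame' width=1 height=1></iframe></body>",
)


def demo():
    """Run the comparison on the constructed sample and return the injected srcs."""
    return injected_iframes(SOURCE_HTML, SERVED_HTML)


if __name__ == "__main__":
    for src in demo():
        print("iframe present only in served page:", src)
```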
I'm thinking Debian (stable).
And then the buyer will keep introducing new flaws to "improve" it.
"What do you mean my rootkits got infected and zombiefied?"
As does 2.6.32, depending on the distro. But yes, this is an older kernel. It's even older than the one that shipped with Debian Squeeze (same minor version, but an older build).
The headline would have you believe that there was a web server virus out there wreaking havoc as we speak, but it apparently only has the potential to infect the tiny percentage of web servers running that particular kernel. I wonder how much Microsoft paid for that headline, I expect the Microsoft PR bots to cite it constantly as "proof" that Linux is also insecure.
Anything can be broken into, IF:
1. It can be accessed by a human.
Is this really a correct headline?
How does this rootkit attack us users in any kind of way?
Isn't it the webservers that are infected?
Or is this something that is spread to users?
Nothing is said about how we as users are being attacked.
What kind of harm does it do to us users directly?
A really unclearly written article that doesn't build on the headline at all.
"adds an iframe to all served web pages" -> "adds (or tries to add, as I read it) malware to all served web pages".
I also
I like the idea that, despite desktop market share, the interesting things are in Linux servers, which should be proportionally more targeted... But anyway, Linux is secure as long as you keep in mind what (and why) could fail (isn't life itself like that?)...
The headline could read "new Linux virus targets 'the cloud'" and it would be 1 million times more accurate.
This virus was made to target something specific using that older kernel. What? I don't know; we'll just have to wait and find out. Probably some 'anonymous' member at school training for a career in the anti-virus industry, where they can actually do something real and tangibly positive for the world instead of all that made-up nerd rage they prance about in tutus, patting themselves on the back for doing nothing positive in this world.
That's most of it.
Locking out the webservers is not going to garner such info and will stop the crooks getting to the babyboomers that will.