
Linux Webserver Rootkit Attacks Internet Users

Source: Kaspersky

Security software maker Kaspersky has released an analysis of a rootkit that recently showed up on the Full Disclosure mailing list.

Rootkit.Linux.Snakso.a is built for the Linux kernel build 2.6.32-5-amd64 and injects an iframe into every web page the infected server delivers through its nginx proxy.

The malware appears to still be in development: the code is rather large (more than 500 KB, including debugging information), and Kaspersky noted that "some of the functions don't seem to be fully working or they are not fully implemented yet."

Security researcher Georg Wicherski said that the code does not seem to be a variant of a publicly available rootkit, but a result of "contract work of an intermediate programmer with no extensive kernel experience". The malware is also likely to have been customized by the buyer, which introduced critical flaws. Wicherski speculated that, based on his research, the rootkit may have been created by a Russia-based attacker.

The security researcher concluded that the "code quality would be unsatisfying for a serious targeted attack", citing a "lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit".
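The article only says that the rootkit adds an iframe to served pages and that it does not parse HTTP responses properly. As an added example (not code from the article or from Kaspersky's analysis), the Python checker below shows how an administrator can look for exactly that class of tampering: it compares what a server actually puts on the wire with the file it was supposed to serve, and flags the generic symptoms of a response rewritten after the application built it, namely an iframe that is not in the on-disk file, an iframe that lands inside a non-HTML response, and a Content-Length header that no longer matches the body. The sample responses, the iframe URL (a TEST-NET-2 address) and the function names are constructed for the example; nothing here reproduces the real injected content, which the article does not give.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples for the example; not taken from the rootkit or the article.
ON_DISK_INDEX = b"<html><body><p>Hello, world</p></body></html>"  # 45 bytes

CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 45\r\n\r\n"
    + ON_DISK_INDEX
)

# The same response after an injector appended an iframe once the
# application had already written the Content-Length header.
INJECTED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 45\r\n\r\n"
    + ON_DISK_INDEX
    + b'<iframe src="http://198.51.100.7/in.cgi" width=0 height=0></iframe>'
)

# An injector without proper HTTP parsing also tags non-HTML bodies.
INJECTED_JSON = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nContent-Length: 12\r\n\r\n"
    b'{"ok": true}<iframe src="http://198.51.100.7/in.cgi"></iframe>'
)

IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(rb"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def split_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into status line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def find_iframes(body: bytes) -> List[str]:
    """Return the src of every <iframe> tag in body ('' for a tag without src)."""
    srcs: List[str] = []
    for tag in IFRAME_RE.finditer(body):
        m = SRC_RE.search(tag.group(0))
        srcs.append(m.group(1).decode("latin-1") if m else "")
    return srcs


def check_response(raw: bytes, on_disk: Optional[bytes] = None) -> Dict[str, object]:
    """Flag symptoms of a response that was rewritten after the application built it."""
    status, headers, body = split_response(raw)
    content_type = headers.get("content-type", "")
    served = find_iframes(body)
    findings: List[str] = []

    # 1. An iframe on the wire that the on-disk document does not contain.
    if on_disk is not None:
        baseline = set(find_iframes(on_disk))
        for src in served:
            if src not in baseline:
                findings.append(f"iframe not present in on-disk file: {src!r}")

    # 2. HTML markup injected into a body that is not HTML at all.
    if served and "text/html" not in content_type.lower():
        findings.append(f"iframe inside non-HTML response ({content_type or 'no content-type'})")

    # 3. Bytes appended without fixing the already-emitted Content-Length.
    declared = headers.get("content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        findings.append(f"content-length {declared} does not match body length {len(body)}")

    return {"status": status, "iframes": served, "findings": findings}


def run_samples() -> Dict[str, List[str]]:
    """Check the three constructed responses; returns sample name -> findings."""
    return {
        "clean": check_response(CLEAN_RESPONSE, ON_DISK_INDEX)["findings"],
        "injected_html": check_response(INJECTED_RESPONSE, ON_DISK_INDEX)["findings"],
        "injected_json": check_response(INJECTED_JSON)["findings"],
    }


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or ["no findings"])
```

To use it against a real server, feed `check_response` the raw bytes of a response captured from a separate host (for example the output of `curl -s -D - http://host/path` written to a file, or a body carved out of a packet capture) together with the corresponding file from the document root. The capture has to come from outside the suspect machine: a rootkit living in the kernel can just as easily alter what local tools on that machine see, so the server's own view of its output is not evidence.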
  • 9 | dormantreign, December 2, 2012 5:41 AM
    Way to piss off the hacker. Now that he's read this he'll be up all night eating pizza pockets fixing his program.
  • 4 | DSpider, December 2, 2012 5:49 AM
    2.6.32-5-amd64?

    I'm thinking Debian (stable).
  • 4 | A Bad Day, December 2, 2012 6:26 AM
    Quote (dormantreign):
    Way to piss off the hacker. Now that he's read this he'll be up all night eating pizza pockets fixing his program.


    And then the buyer will keep introducing new flaws to "improve" it.

    "What do you mean my rootkits got infected and zombified?"
  • 3 | randomizer, December 2, 2012 6:49 AM
    Ah, a typical case of the client thinking that they have to add their little bit to feel like they've made some contribution. Happens in every industry, even criminal. I don't even know why they bother to hire contractors if they think they can do a better job.
  • 2 | mayankleoboy1, December 2, 2012 8:58 AM
    2.6.32-5 is oldish. The version that still gets security updates is the 2.6.38 branch.
  • 0 | randomizer, December 2, 2012 9:52 AM
    Quote (mayankleoboy1):
    2.6.32-5 is oldish. The version that still gets security updates is the 2.6.38 branch.

    As does 2.6.32, depending on the distro. But yes, this is an older kernel. It's even older than the one that shipped with Debian Squeeze (same minor version, but an older build).
  • 5 | Anonymous, December 2, 2012 11:53 AM
    WTF, what a sensationalist headline... Linux is a secure operating system, which is why it has over 90% of the web server market while Windows is tied with BSD with about 5%. Desktop Linux users will only have social engineering attacks to fear if Linux hits 100% of the desktop/laptop market, because if it were possible to own it, there's already more than enough incentive for hackers to attack those hundreds of millions of web servers. Instead, we only get these 'proof of concept' viruses that can't actually do anything.

    The headline would have you believe that there was a web server virus out there wreaking havoc as we speak, but it apparently only has the potential to infect the tiny percentage of web servers running that particular kernel. I wonder how much Microsoft paid for that headline, I expect the Microsoft PR bots to cite it constantly as "proof" that Linux is also insecure.
  • 5 | A Bad Day, December 2, 2012 2:12 PM
    Quote:
    Linux is a secure operating system


    Anything can be broken into, IF:

    1. It can be accessed by a human.
  • 3 | in_the_loop, December 2, 2012 2:52 PM
    Quote:
    Linux Webserver Rootkit Attacks Internet Users


    IS this really a correct headline?
    How does this rootkit attack us users in any kind of way?
    Isn't it the webservers that are infected?

    Or is this something that is spread to users?

    Nothing is told in what type of way we as users are being attacked?
    What kind of harm does it do to us users directly?

    A really unclearly written article that doesn't build further on the headline at all.
  • 1 | serendipiti, December 2, 2012 3:59 PM
    Quote (in_the_loop):
    IS this really a correct headline?
    How does this rootkit attack us users in any kind of way?
    Isn't it the webservers that are infected?
    Or is this something that is spread to users?
    Nothing is told in what type of way we as users are being attacked?
    What kind of harm does it do to us users directly?
    A really unclearly written article that doesn't build further on the headline at all.


    "adds an iframe to all served web pages" -> "adds (or tries to add, as I read) malware to all served web pages".
    I also
    Quote (L1npr0):
    WTF, what a sensationalist headline... Linux is a secure operating system, which is why it has over 90% of the web server market while Windows is tied with BSD with about 5%. Desktop Linux users will only have social engineering attacks to fear if Linux hits 100% of the desktop/laptop market, because if it were possible to own it, there's already more than enough incentive for hackers to attack those hundreds of millions of web servers. Instead, we only get these 'proof of concept' viruses that can't actually do anything. The headline would have you believe that there was a web server virus out there wreaking havoc as we speak, but it apparently only has the potential to infect the tiny percentage of web servers running that particular kernel. I wonder how much Microsoft paid for that headline, I expect the Microsoft PR bots to cite it constantly as "proof" that Linux is also insecure.


    I like the idea that despite desktop market share, the interesting things are in Linux servers, which should be percentually more targeted... But anyway, Linux is secure while you keep in mind that (and why) it could fail (isn't it like life itself?)...
  • 4 | bit_user, December 2, 2012 5:07 PM
    They didn't say what the infection vector of the rootkit is. That's the important part.
  • 0 | Tomtompiper, December 2, 2012 6:31 PM
    This is a non story, about a non event.
  • 1 | f-14, December 3, 2012 12:43 AM
    The headline is about as accurate as a blind man navigating the ocean in a row boat.

    The headline could read "new Linux virus targets 'the cloud'" and it would be 1 million times more accurate.

    This virus was made to target something specific using that older kernel. What? idk, we'll just have to wait and find out. Probably some 'anonymous' member at school training for a career in the anti-virus industry where they can actually do something real and tangibly positive for the world instead of all that made-up nerd rage they prance about in tutus patting themselves on the backs for doing nothing positive in this world.
  • 0 | daglesj, December 3, 2012 10:09 AM
    No point in attacking Linux webservers. Most attacks nowadays are ransomware to get folks that are not very IT literate to hand over their credit card details.

    That's most of it.

    Locking out the webservers is not going to garner such info and will stop the crooks getting to the babyboomers that will.
  • 0 | extremepcs, December 3, 2012 10:50 AM
    Lies. Linux is immune to viruses, just like Macs.