Rootkit.Linux.Snakso.a is designed to infect the Linux kernel version 2.6.32-5-amd64 and adds an iframe to all served web pages by the infected Linux server via the nginx proxy.
The malware appears to be in its development stages as the code is rather large (more than 500k, including debugging information) and Kaspersky noted that "some of the functions don’t seem to be fully working or they are not fully implemented yet."
Security researcher Georg Wicherski said that the code does not seem to be a variant of a publicly available rootkit, but a result of "contract work of an intermediate programmer with no extensive kernel experience". The malware is also likely to have been customized by the buyer, which introduced critical flaws. Wicherski speculated that, based on his research, the rootkit may have been created by a Russia-based attacker.
The security researcher concluded that the "code quality would be unsatisfying for a serious targeted attack", including a "lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit".