Linux Webserver Rootkit Attacks Internet Users

By Wolfgang Gruener
published

Security software maker has released an analysis of a rootkit that recently showed up on the Full Disclosure mailing list.

Rootkit.Linux.Snakso.a is designed to infect the Linux kernel version 2.6.32-5-amd64 and adds an iframe to all served web pages by the infected Linux server via the nginx proxy.

The malware appears to be in its development stages as the code is rather large (more than 500k, including debugging information) and Kaspersky noted that "some of the functions don’t seem to be fully working or they are not fully implemented yet."

Security researcher Georg Wicherski said that the code does not seem to be a variant of a publicly available rootkit, but a result of "contract work of an intermediate programmer with no extensive kernel experience". The malware is also likely to have been customized by the buyer, which introduced critical flaws. Wicherski speculated that, based on his research, the rootkit may have been created by a Russia-based attacker.

The security researcher concluded that the "code quality would be unsatisfying for a serious targeted attack", including a "lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit".

Contact Us for News Tips, Corrections and Feedback

Wolfgang Gruener
15 Comments Comment from the forums
  • dormantreign
    Way to piss off the hacker, Now he's read this he'll be up all night eating pizza pockets fixing his program.
    Reply
  • DSpider
    2.6.32-5-amd64?

    I'm thinking Debian (stable).
    Reply
  • A Bad Day
    dormantreignWay to piss off the hacker, Now he's read this he'll be up all night eating pizza pockets fixing his program.
    And then the buyer will keep introducing new flaws to "improve" it.

    "What do you mean my rootkits got infected and zombiefied?"
    Reply
  • randomizer
    Ah, a typical case of the client thinking that they have to add their little bit to feel like they've made some contribution. Happens in every industry, even criminal. I don't even know why they bother to hire contractors if they think they can do a better job.
    Reply
  • mayankleoboy1
    2.6.32-5 is oldish. The version that still gets security updates is the 2.6.38 branch.
    Reply
  • randomizer
    mayankleoboy12.6.32-5 is oldish. The version that still gets security updates is the 2.6.38 branch.As does 2.6.32, depending on the distro. But yes, this is an older kernel. It's even older than the one that shipped with Debian Squeeze (same minor version, but an older build).
    Reply
  • WTF, what a sensationalist headline... Linux is an secure operating system, which is why it has over 90% of the web server market while Windows is tied with BSD with about 5%. Desktop Linux users will only have social engineering attacks to fear if Linux hits 100% of the desktop/laptop market, because if it were possible to own it, there's already more than enough incentive for hackers to attack those hundreds of millions of web servers. Instead, we only get these 'proof of concept' viruses that can't actually do anything.

    The headline would have you believe that there was a web server virus out there wreaking havoc as we speak, but it apparently only has the potential to infect the tiny percentage of web servers running that particular kernel. I wonder how much Microsoft paid for that headline, I expect the Microsoft PR bots to cite it constantly as "proof" that Linux is also insecure.
    Reply
  • A Bad Day
    Linux is an secure operating system

    Anything can be broken into, IF:

    1. It can be accessed by a human.
    Reply
  • in_the_loop
    Linux Webserver Rootkit Attacks Internet Users

    IS this really a correct headline?
    How does this rootkit attack us users in any kind of way?
    Isn't it the webservers that are infected?

    Or is this something that is spread to users?

    Nothing is told in what type of way we as users are being attacked?
    What kind of harm does do for us users directly?

    A really unclear written article that doesn't build further on the headline at all.
    Reply
  • serendipiti
    in_the_loopIS this really a correct headline?How does this rootkit attack us users in any kind of way?Isn't it the webservers that are infected?Or is this something that is spread to users?Nothing is told in what type of way we as users are being attacked?What kind of harm does do for us users directly?A really unclear written article that doesn't build further on the headline at all.
    "adds an iframe to all served web pages -> "adds (or tries to add, as I read) malware to all served web pages".
    I alsoL1npr0WTF, what a sensationalist headline... Linux is an secure operating system, which is why it has over 90% of the web server market while Windows is tied with BSD with about 5%. Desktop Linux users will only have social engineering attacks to fear if Linux hits 100% of the desktop/laptop market, because if it were possible to own it, there's already more than enough incentive for hackers to attack those hundreds of millions of web servers. Instead, we only get these 'proof of concept' viruses that can't actually do anything.The headline would have you believe that there was a web server virus out there wreaking havoc as we speak, but it apparently only has the potential to infect the tiny percentage of web servers running that particular kernel. I wonder how much Microsoft paid for that headline, I expect the Microsoft PR bots to cite it constantly as "proof" that Linux is also insecure.
    I like the idea that despite of desktop market share, the interesting things are in linux servers, which should be percentually more targeted... But anyways, Linux is secure while you keep in mind that (and why) could fail (isn't like the life itself ?)...
    Reply