Feeds

Evildoers can now turn all sites on a Linux server into silent hell-pits

Admins won't even know they're poisoning their visitors

Seven Steps to Software Security

An advanced Linux malware strain can automatically hijack websites hosted on compromised servers to attack web surfers with drive-by-downloads.

The software nasty targets machines running 64-bit GNU/Linux and a web server, and acts like a rootkit by hiding itself from administrators. A browser fetching a website served by the compromised system will be quietly directed via an HTML iframe to malicious sites loaded with malware to attack the web visitor's machine.

Details of the attack first surfaced in a post to the Full Disclosure mailing list.

Marta Janus, an antivirus analyst at security biz Kaspersky Labs, said the Linux malware appears to be a prototype and is possibly still undergoing development.

"The malware module was specially designed for the kernel version 2.6.32-5-amd64, which happens to be the latest kernel used in 64-bit Debian Squeezy," she wrote on her employer's Securelist blog. "The binary is more than 500KB, but its size is due to the fact that it hasn't been stripped (i.e. it was compiled with the debugging information).

"Perhaps it's still in the development stage, because some of the functions don’t seem to be fully working or they are not fully implemented yet."

Drive-by-downloads expose web surfers to malicious code that attempt to exploit unpatched software vulnerabilities in the web visitor's PC or handheld. Security holes in web browsers, Java and Flash plugins and the underlying operating system are typical targets.

What makes this Linux nasty extra crafty

The experimental Linux malware is indiscriminate: it doesn't just hijack one specific website, nor target a particular scripting language or web app platform. Instead, it infiltrates every site hosted by a HTTP server on the compromised box. The rootkit part, which burrows into the Linux kernel to prevent detection by software and superusers, ensures the cunning scam is not immediately blown - not until web surfers hitting the server complain of being hacked by the drive-by-download redirects, at least.

As such the malware is the equivalent of moving up from a rifle taking pot shots at users to a prototype buried gun turret that pops up to silently strafe anyone within reach.

The Linux malware is designed to load itself into memory on startup before hooking itself into kernel functions. Rootkit Linux Snakso-A, as Kaspersky Lab dubs the software, uses various ninja-style tricks to hide itself before crafting network data packets containing the HTML iframes; these are then tucked into the server's output to visiting web browsers. The malicious payload delivered to surfers through these iframes is pulled from a mastermind's command-and-control server.

"The iframe injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg - which is responsible for building TCP packets - with its own function, so the malicious iframes are injected into the HTTP traffic by direct modification of the outgoing TCP packets," Janus explained.

"In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication."

Kaspersky Lab warned the malicious command-and-control server behind the attacks was still active at the time it completed its analysis.

Janus concluded the prototype malware uses a far more powerful and sophisticated attack strategy than has previously been seen in drive-by download attacks. She wrote:

So far, in most of the drive-by download scenarios an automated injection mechanism is implemented as a simple PHP script. In the case described above, we are dealing with something far more sophisticated - a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before. This rootkit, though it's still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future

A detailed analysis of the malware by security startup CrowdStrike asserted that the malware could be used to infect websites regularly frequented by employees at a targeted organisation as part of an espionage-style attack.

"The rootkit at hand seems to be the next step in iframe-injecting cyber-crime operations, driving traffic to exploit kits," Crowdstrike analysts concluded. "It could also be used in a waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail."

Crowdstrike reckoned the malware is the work of a contractor, probably based in Russia.

"It appears that this is not a modification of a publicly available rootkit," Georg Wicherski, senior security researcher at Crowdstrike wrote. "It seems that this is contract work of an intermediate programmer with no extensive kernel experience. Based on the tools, techniques, and procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely." ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.