Feeds

Evildoers can now turn all sites on a Linux server into silent hell-pits

Admins won't even know they're poisoning their visitors

Protecting against web application threats using SSL

An advanced Linux malware strain can automatically hijack websites hosted on compromised servers to attack web surfers with drive-by-downloads.

The software nasty targets machines running 64-bit GNU/Linux and a web server, and acts like a rootkit by hiding itself from administrators. A browser fetching a website served by the compromised system will be quietly directed via an HTML iframe to malicious sites loaded with malware to attack the web visitor's machine.

Details of the attack first surfaced in a post to the Full Disclosure mailing list.

Marta Janus, an antivirus analyst at security biz Kaspersky Labs, said the Linux malware appears to be a prototype and is possibly still undergoing development.

"The malware module was specially designed for the kernel version 2.6.32-5-amd64, which happens to be the latest kernel used in 64-bit Debian Squeezy," she wrote on her employer's Securelist blog. "The binary is more than 500KB, but its size is due to the fact that it hasn't been stripped (i.e. it was compiled with the debugging information).

"Perhaps it's still in the development stage, because some of the functions don’t seem to be fully working or they are not fully implemented yet."

Drive-by-downloads expose web surfers to malicious code that attempt to exploit unpatched software vulnerabilities in the web visitor's PC or handheld. Security holes in web browsers, Java and Flash plugins and the underlying operating system are typical targets.

What makes this Linux nasty extra crafty

The experimental Linux malware is indiscriminate: it doesn't just hijack one specific website, nor target a particular scripting language or web app platform. Instead, it infiltrates every site hosted by a HTTP server on the compromised box. The rootkit part, which burrows into the Linux kernel to prevent detection by software and superusers, ensures the cunning scam is not immediately blown - not until web surfers hitting the server complain of being hacked by the drive-by-download redirects, at least.

As such the malware is the equivalent of moving up from a rifle taking pot shots at users to a prototype buried gun turret that pops up to silently strafe anyone within reach.

The Linux malware is designed to load itself into memory on startup before hooking itself into kernel functions. Rootkit Linux Snakso-A, as Kaspersky Lab dubs the software, uses various ninja-style tricks to hide itself before crafting network data packets containing the HTML iframes; these are then tucked into the server's output to visiting web browsers. The malicious payload delivered to surfers through these iframes is pulled from a mastermind's command-and-control server.

"The iframe injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg - which is responsible for building TCP packets - with its own function, so the malicious iframes are injected into the HTTP traffic by direct modification of the outgoing TCP packets," Janus explained.

"In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication."

Kaspersky Lab warned the malicious command-and-control server behind the attacks was still active at the time it completed its analysis.

Janus concluded the prototype malware uses a far more powerful and sophisticated attack strategy than has previously been seen in drive-by download attacks. She wrote:

So far, in most of the drive-by download scenarios an automated injection mechanism is implemented as a simple PHP script. In the case described above, we are dealing with something far more sophisticated - a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before. This rootkit, though it's still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future

A detailed analysis of the malware by security startup CrowdStrike asserted that the malware could be used to infect websites regularly frequented by employees at a targeted organisation as part of an espionage-style attack.

"The rootkit at hand seems to be the next step in iframe-injecting cyber-crime operations, driving traffic to exploit kits," Crowdstrike analysts concluded. "It could also be used in a waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail."

Crowdstrike reckoned the malware is the work of a contractor, probably based in Russia.

"It appears that this is not a modification of a publicly available rootkit," Georg Wicherski, senior security researcher at Crowdstrike wrote. "It seems that this is contract work of an intermediate programmer with no extensive kernel experience. Based on the tools, techniques, and procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely." ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.