Evildoers can now turn all sites on a Linux server into silent hell-pits

Admins won't even know they're poisoning their visitors

An advanced Linux malware strain can automatically hijack websites hosted on compromised servers to attack web surfers with drive-by-downloads.

The software nasty targets machines running 64-bit GNU/Linux and a web server, and acts like a rootkit by hiding itself from administrators. A browser fetching a website served by the compromised system will be quietly directed via an HTML iframe to malicious sites loaded with malware to attack the web visitor's machine.

Details of the attack first surfaced in a post to the Full Disclosure mailing list.

Marta Janus, an antivirus analyst at security biz Kaspersky Lab, said the Linux malware appears to be a prototype and is possibly still undergoing development.

"The malware module was specially designed for the kernel version 2.6.32-5-amd64, which happens to be the latest kernel used in 64-bit Debian Squeezy," she wrote on her employer's Securelist blog. "The binary is more than 500KB, but its size is due to the fact that it hasn't been stripped (i.e. it was compiled with the debugging information).

"Perhaps it's still in the development stage, because some of the functions don’t seem to be fully working or they are not fully implemented yet."

Drive-by-downloads expose web surfers to malicious code that attempts to exploit unpatched software vulnerabilities in the web visitor's PC or handheld. Security holes in web browsers, Java and Flash plugins and the underlying operating system are typical targets.

What makes this Linux nasty extra crafty

The experimental Linux malware is indiscriminate: it doesn't just hijack one specific website, nor target a particular scripting language or web app platform. Instead, it infiltrates every site hosted by an HTTP server on the compromised box. The rootkit part, which burrows into the Linux kernel to prevent detection by software and superusers, ensures the cunning scam is not immediately blown - not until web surfers hitting the server complain of being hacked by the drive-by-download redirects, at least.

As such the malware is the equivalent of moving up from a rifle taking pot shots at users to a prototype buried gun turret that pops up to silently strafe anyone within reach.

The Linux malware is designed to load itself into memory on startup before hooking itself into kernel functions. Rootkit Linux Snakso-A, as Kaspersky Lab dubs the software, uses various ninja-style tricks to hide itself before crafting network data packets containing the HTML iframes; these are then tucked into the server's output to visiting web browsers. The malicious payload delivered to surfers through these iframes is pulled from a mastermind's command-and-control server.

"The iframe injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg - which is responsible for building TCP packets - with its own function, so the malicious iframes are injected into the HTTP traffic by direct modification of the outgoing TCP packets," Janus explained.

"In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication."
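Because the injection described above happens in tcp_sendmsg, after the web server has finished building its response, the files in the document root stay clean while the bytes a browser receives do not. That gap is something a defender can check for from outside the box. The following script is an added example, not code from the article, Kaspersky Lab or CrowdStrike: it compares the HTML held on disk with the HTML actually delivered over the wire and flags any iframe that exists only in the delivered copy, and it also reports when the Content-Length header disagrees with the body length (an assumption of this example, since an injector that splices bytes into packets may leave the header stale; the article does not say whether this particular rootkit does). The function names and the sample on-disk and served documents are constructed for the demonstration.

```python
"""
Added example: detect iframes present in a served HTTP response but absent
from the file the web server believes it sent. Not the article's, Kaspersky
Lab's or CrowdStrike's code; names and sample data are constructed.
"""
from html.parser import HTMLParser


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands us the tag name already lower-cased.
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src", ""))


def iframe_sources(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.sources


def injected_iframes(on_disk_html, served_html):
    """Return iframe src values found in the served copy but not on disk."""
    expected = set(iframe_sources(on_disk_html))
    return [src for src in iframe_sources(served_html) if src not in expected]


def split_http_response(raw):
    """Split a raw HTTP/1.x response into (header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def content_length_mismatch(raw):
    """True when Content-Length disagrees with the body actually delivered.

    Assumption of this example: bytes spliced into an outgoing packet after
    the server built the response leave the original header untouched.
    """
    headers, body = split_http_response(raw)
    if b"content-length" not in headers:
        return False
    return int(headers[b"content-length"]) != len(body)


def audit(on_disk_html, raw_response):
    """Run both checks against one captured response."""
    _, body = split_http_response(raw_response)
    return {
        "injected": injected_iframes(on_disk_html, body.decode("utf-8", "replace")),
        "length_mismatch": content_length_mismatch(raw_response),
    }


# Constructed sample: the page as stored in the server's document root ...
ON_DISK = (
    '<html><body><h1>Welcome</h1>'
    '<iframe src="/widgets/weather.html"></iframe>'
    '</body></html>'
)
# ... and the same page as a client received it, with a hidden iframe
# spliced in before </body> (the domain is a placeholder, not a real IoC).
SERVED_BODY = ON_DISK.replace(
    "</body>",
    '<iframe src="http://malicious.example/" width="0" height="0"></iframe></body>',
)
# The Content-Length still reflects the clean page the server produced.
SERVED_RAW = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: "
    + str(len(ON_DISK)).encode() + b"\r\n\r\n" + SERVED_BODY.encode()
)
# A clean response for comparison.
CLEAN_RAW = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: "
    + str(len(ON_DISK)).encode() + b"\r\n\r\n" + ON_DISK.encode()
)

if __name__ == "__main__":
    print(audit(ON_DISK, SERVED_RAW))
    print(audit(ON_DISK, CLEAN_RAW))
```

In practice the served copy would come from a fetch made from a machine you trust rather than from the suspect host, since the rootkit hides from tools run locally; a clean result from this check only tells you the page you fetched was not tampered with, not that the kernel is clean.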

Kaspersky Lab warned the malicious command-and-control server behind the attacks was still active at the time it completed its analysis.

Janus concluded the prototype malware uses a far more powerful and sophisticated attack strategy than has previously been seen in drive-by download attacks. She wrote:

So far, in most of the drive-by download scenarios an automated injection mechanism is implemented as a simple PHP script. In the case described above, we are dealing with something far more sophisticated - a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before. This rootkit, though it's still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future.

A detailed analysis of the malware by security startup CrowdStrike asserted that the malware could be used to infect websites regularly frequented by employees at a targeted organisation as part of an espionage-style attack.

"The rootkit at hand seems to be the next step in iframe-injecting cyber-crime operations, driving traffic to exploit kits," Crowdstrike analysts concluded. "It could also be used in a waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail."

Crowdstrike reckoned the malware is the work of a contractor, probably based in Russia.

"It appears that this is not a modification of a publicly available rootkit," Georg Wicherski, senior security researcher at Crowdstrike wrote. "It seems that this is contract work of an intermediate programmer with no extensive kernel experience. Based on the tools, techniques, and procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely." ®
