Feeds

Evildoers can now turn all sites on a Linux server into silent hell-pits

Admins won't even know they're poisoning their visitors

SANS - Survey on application security programs

An advanced Linux malware strain can automatically hijack websites hosted on compromised servers to attack web surfers with drive-by-downloads.

The software nasty targets machines running 64-bit GNU/Linux and a web server, and acts like a rootkit by hiding itself from administrators. A browser fetching a website served by the compromised system will be quietly directed via an HTML iframe to malicious sites loaded with malware to attack the web visitor's machine.

Details of the attack first surfaced in a post to the Full Disclosure mailing list.

Marta Janus, an antivirus analyst at security biz Kaspersky Labs, said the Linux malware appears to be a prototype and is possibly still undergoing development.

"The malware module was specially designed for the kernel version 2.6.32-5-amd64, which happens to be the latest kernel used in 64-bit Debian Squeezy," she wrote on her employer's Securelist blog. "The binary is more than 500KB, but its size is due to the fact that it hasn't been stripped (i.e. it was compiled with the debugging information).

"Perhaps it's still in the development stage, because some of the functions don’t seem to be fully working or they are not fully implemented yet."

Drive-by-downloads expose web surfers to malicious code that attempt to exploit unpatched software vulnerabilities in the web visitor's PC or handheld. Security holes in web browsers, Java and Flash plugins and the underlying operating system are typical targets.

What makes this Linux nasty extra crafty

The experimental Linux malware is indiscriminate: it doesn't just hijack one specific website, nor target a particular scripting language or web app platform. Instead, it infiltrates every site hosted by a HTTP server on the compromised box. The rootkit part, which burrows into the Linux kernel to prevent detection by software and superusers, ensures the cunning scam is not immediately blown - not until web surfers hitting the server complain of being hacked by the drive-by-download redirects, at least.

As such the malware is the equivalent of moving up from a rifle taking pot shots at users to a prototype buried gun turret that pops up to silently strafe anyone within reach.

The Linux malware is designed to load itself into memory on startup before hooking itself into kernel functions. Rootkit Linux Snakso-A, as Kaspersky Lab dubs the software, uses various ninja-style tricks to hide itself before crafting network data packets containing the HTML iframes; these are then tucked into the server's output to visiting web browsers. The malicious payload delivered to surfers through these iframes is pulled from a mastermind's command-and-control server.

"The iframe injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg - which is responsible for building TCP packets - with its own function, so the malicious iframes are injected into the HTTP traffic by direct modification of the outgoing TCP packets," Janus explained.

"In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication."

Kaspersky Lab warned the malicious command-and-control server behind the attacks was still active at the time it completed its analysis.

Janus concluded the prototype malware uses a far more powerful and sophisticated attack strategy than has previously been seen in drive-by download attacks. She wrote:

So far, in most of the drive-by download scenarios an automated injection mechanism is implemented as a simple PHP script. In the case described above, we are dealing with something far more sophisticated - a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before. This rootkit, though it's still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future

A detailed analysis of the malware by security startup CrowdStrike asserted that the malware could be used to infect websites regularly frequented by employees at a targeted organisation as part of an espionage-style attack.

"The rootkit at hand seems to be the next step in iframe-injecting cyber-crime operations, driving traffic to exploit kits," Crowdstrike analysts concluded. "It could also be used in a waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail."

Crowdstrike reckoned the malware is the work of a contractor, probably based in Russia.

"It appears that this is not a modification of a publicly available rootkit," Georg Wicherski, senior security researcher at Crowdstrike wrote. "It seems that this is contract work of an intermediate programmer with no extensive kernel experience. Based on the tools, techniques, and procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely." ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.