Advanced Linux Malware Compromises Servers
Evildoers can now turn all sites on a Linux server into silent hell-pits:
Complete details at site.
An advanced Linux malware strain can automatically hijack websites hosted on compromised servers to attack web surfers with drive-by-downloads.
The software nasty targets machines running 64-bit GNU/Linux and a web server, and acts like a rootkit by hiding itself from administrators. A browser fetching a website served by the compromised system will be quietly directed via an HTML iframe to malicious sites loaded with malware to attack the web visitor's machine.
Marta Janus, an antivirus analyst at security biz Kaspersky Labs, said the Linux malware appears to be a prototype and is possibly still undergoing development.
"The malware module was specially designed for the kernel version 2.6.32-5-amd64, which happens to be the latest kernel used in 64-bit Debian Squeezy," she wrote on her employer's Securelist blog. "The binary is more than 500KB, but its size is due to the fact that it hasn't been stripped (i.e. it was compiled with the debugging information).
"Perhaps it's still in the development stage, because some of the functions don't seem to be fully working or they are not fully implemented yet."
Janus concluded the prototype malware uses a far more powerful and sophisticated attack strategy than has previously been seen in drive-by download attacks. She wrote:
So far, in most of the drive-by download scenarios an automated injection mechanism is implemented as a simple PHP script. In the case described above, we are dealing with something far more sophisticated - a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before. This rootkit, though it's still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future.
A detailed analysis of the malware by security startup CrowdStrike asserted that the malware could be used to infect websites regularly frequented by employees at a targeted organisation as part of an espionage-style attack.
Please stop scaring Windows users and dare to post it in the Unix forum (it's here, on DSLReports).
So, it was found only on ONE SERVER running Linux;
no automatic spread - compromised by a hacker and installed by hand;
NO LINUX CLIENTS were hurt.
"Marta Janus, an antivirus analyst at security biz Kaspersky Labs, said the Linux malware appears to be a prototype and is possibly still undergoing development."
said by Velnias:This is the Security forum. Facts are facts.
Please stop scaring Windows users.
No scare intended. Naturally readers are free to experience their own reactions.
said by Velnias:Exactly.
"...the Linux malware appears to be a prototype and is possibly still undergoing development."
And, thanks to you, more likely a Security theater forum.
(reply to FF4m3)
I read a detailed analysis of this malware. The author said the programmer appeared to be "intermediate" and didn't understand the Linux kernel all that well. They also said it was likely a Russian programmer.
And, as has been said, this is a hand-installed rootkit. They are nothing new and have been around on Unix/Linux forever. This is not a "drive-by" for Linux clients, but an attack on Linux servers which will serve drive-by's to Windows clients.
Getting people to stop using Windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999
Here is another article about this: »www.infoworld.com/d/security/lin···12-11-21
(reply to KodiacZiller)
said by KodiacZiller:Right.
This is not a "drive-by" for Linux clients, but an attack on Linux servers which will serve drive-by's to Windows clients.
(reply to FF4m3)
Hmm, I run a server with this kernel.
So as long as the admins are trusted, infection possibilities remain near 0%?
~ Project Hope ~
said by EUS:Me, too.
After reading the posts and articles it's still unclear to me how this gets on to the server.
said by CrowdStrike :
iFrame injection attack
...this rootkit was used to non-selectively inject iframes into nginx webserver responses...
It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely.
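A defender-side check for what CrowdStrike describes above (iframes injected non-selectively into every web server response). This is an added example, not code from the article, Kaspersky, CrowdStrike or anyone in this thread: it fetches or takes HTML bodies from your own site and flags iframes whose src points to a host you do not own, or which are hidden or sized 0x0/1x1. The host names and sample pages are constructed for the example. Because the injection is non-selective, checking a handful of pages from outside the server is enough to notice it, even when the rootkit hides itself from tools run on the box.

```python
"""Flag drive-by style iframe injections in HTML served by your own site.

Added example (not from the article or the thread). The sample pages and
host names below are constructed; replace own_hosts with your real domains.
"""
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True for iframes styled invisible or sized 0x0 / 1x1 (classic markers)."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True

    def tiny(value):
        m = re.match(r"^\s*(\d+)", value or "")
        return m is not None and int(m.group(1)) <= 1

    return tiny(attrs.get("width")) and tiny(attrs.get("height"))


def find_suspicious_iframes(html, own_hosts):
    """Return iframes whose src is off-site (not in own_hosts) or hidden."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # urlparse handles absolute and scheme-relative (//host/...) sources;
        # relative paths have no hostname and are treated as on-site.
        host = (urlparse(src).hostname or "").lower()
        off_site = bool(host) and host not in own_hosts
        hidden = _is_hidden(attrs)
        if off_site or hidden:
            findings.append({"src": src, "off_site": off_site, "hidden": hidden})
    return findings


def scan_site(pages, own_hosts):
    """pages: {path: html}. Return {path: findings} for pages with findings."""
    result = {}
    for path, html in pages.items():
        found = find_suspicious_iframes(html, own_hosts)
        if found:
            result[path] = found
    return result


def fetch_and_scan(urls, own_hosts, timeout=10):
    """Fetch live pages (run from a machine other than the web server)."""
    pages = {}
    for url in urls:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            pages[url] = resp.read().decode("utf-8", errors="replace")
    return scan_site(pages, own_hosts)


# Constructed sample pages for the example (not real site content).
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example.com/embed/42" width="560" height="315"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example.com/embed/42" width="560" height="315"></iframe>
</body></html>
<iframe src="http://injected.invalid/x.php" width="1" height="1" style="visibility: hidden"></iframe>"""

SAMPLE_SITE = {"/index.html": INJECTED_PAGE, "/about.html": CLEAN_PAGE}

if __name__ == "__main__":
    for path, findings in scan_site(SAMPLE_SITE, {"www.example.com"}).items():
        for f in findings:
            print(f"{path}: suspicious iframe src={f['src']!r} "
                  f"off_site={f['off_site']} hidden={f['hidden']}")
```

Run it from a client machine against your own URLs (via fetch_and_scan), not from a shell on the server itself, since a kernel-mode hook can present clean data to anything running locally. A hit is a signal to inspect the host, not proof of this particular rootkit.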
Hi, I'm a poor new micro Linux rootkit, please help me to spread!
From now on you can download and compile the complete source code on your computer - it takes only 15 (fifteen) minutes.
For further information please contact not our, but still very good, service center at KashPerSki.
Brano (I hate Vogons):
What's your problem, Velnias? This is a security forum; if someone had a fridge with internet connectivity and malware for it existed, a posting here would be the right place.
We've seen much weirder posts here than this (and I think this one is quite relevant to be posted here).