A new Linux malware has been identified. The rootkit, designed to target 64-bit platforms, appears to be in the works, but some of the techniques it uses could make it a great weapon for targeted attacks and drive-by download scenarios.Researchers from both Kaspersky and CrowdStrike have analyzed this piece of malware, which was posted around one week ago on the Full Disclosure mailing list.
According to experts, the malicious element doesn’t seem to be related to any known rootkit. It’s believed that it might have been developed by a Russian programmer.
Many of the malware’s functions don’t work properly and the variant analyzed by researchers isn’t obfuscated and it lacks proper HTTP response parsing. This indicates that the creator might be an intermediate programmer with no extensive kernel experience.
To ensure that it can step into play each time the infected computer is started, the rootkit adds an entry to the /etc/rc.local script.
Then, in order to hide its presence, the threat hooks various kernel functions such as “vfs_read” or “filldir64.” In does that by relying on “inline hooking or by replacing their addresses in memory with pointers to its own malicious functions.”
In order to inject iframes, the malware replaces the “tcp_sendmsg” function with its own. The iframes are injected into the HTTP traffic by modifying the outgoing TCP packets.
Finally, the rootkit connects to a command and control server – currently still active – to obtain the injection payload. An encrypted password is utilized for authentication.
For now, it remains a mystery as to how the attacker managed to gain root privileges to install the rootkit, but experts believe a custom privilege escalation is unlikely.
This particular piece of malware shows that cybercriminals are coming up with new and more sophisticated approaches to drive-by downloads and it’s likely that more such threats will be seen in the future.