Researchers Raving Over Remarkable Rootkit

Rootkit can inject malicious iFrames into any HTTP response sent by a server and is rather good at hiding itself… and it’s not even ready yet

One of the more advanced rootkits to have hit town in recent memory has got security researchers across the globe in a tizz, even though it hasn’t even been finished.

The Linux rootkit can inject an iFrame into any HTTP response sent by a web server, and is highly sophisticated in the way it can hide the malicious commands it’s carrying out.

This is significant because iFrames are used by cyber crooks to redirect people to exploit kits, which search for vulnerabilities on the victim’s system before uploading malware and doing other malicious things on the computer.

A rootkit’s aim is to keep nefarious activity hidden. By getting such a sophisticated rootkit onto a web server, sitting at such a low level, an attacker would potentially be able to infect numerous sites and remain undetected. In turn, they would snare countless numbers of victims if the infected sites were popular, or if they were able to successfully redirect users to those websites.

Serious rootkit skills

In the case of this smart new rootkit, which appears to still be in the development stage, the malicious iFrames are injected into HTTP traffic by “direct modification of the outgoing TCP packets”, explained Russian security firm Kaspersky.

Researchers believe the malware is aimed at the kernel in the 64-bit Debian Squeezy distribution of Linux. They also believe this case, which was only revealed after a victim posted details on the rootkit online at, marks a major gear shift in this kind of malware.

“In most of the drive-by download scenarios an automated injection mechanism is implemented as a simple PHP script. In the case described above, we are dealing with something far more sophisticated – a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before,” said Kaspersky Lab expert, Marta Janus, in a blog post.

“This rootkit, though it’s still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future.”

“The rootkit at hand seems to be the next step in iFrame injecting cyber crime operations, driving traffic to exploit kits. It could also be used in a Waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail,” a blog post from security firm CrowdStrike read.

The firm, looking at the tools, techniques and procedures employed and some background information it could not disclose, suggested the creator of the rootkit was likely to be Russian.

The attackers could update the iFrame injection, as the rootkit talks with a command and control server. It also ensures persistence by ensuring the kernel-level module loads on start up.

Meanwhile, F-Secure has uncovered a nasty new exploit kit, called ‘Cool’. It appears to be related to Blackhole, the most prevalent exploit kit today, as both exploit many of the same vulnerabilities.

What do you know about Internet security? Find out with our quiz!