One of the more advanced rootkits to have hit town in recent memory has got security researchers across the globe in a tizz, even though it hasn’t even been finished.
The Linux rootkit can inject an iFrame into any HTTP response sent by a web server, and is highly sophisticated in the way it can hide the malicious commands it’s carrying out.
This is significant because iFrames are used by cyber crooks to redirect people to exploit kits, which probe the victim’s system for vulnerabilities before dropping malware and doing other malicious things on the computer.
In the case of this smart new rootkit, which appears to still be in the development stage, the malicious iFrames are injected into HTTP traffic by “direct modification of the outgoing TCP packets”, explained Russian security firm Kaspersky.
Researchers believe the malware is aimed at the kernel in the 64-bit Debian Squeeze distribution of Linux. They also believe this case, which was only revealed after a victim posted details on the rootkit online at SecLists.org, marks a major gear shift in this kind of malware.
“In most of the drive-by download scenarios an automated injection mechanism is implemented as a simple PHP script. In the case described above, we are dealing with something far more sophisticated – a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before,” said Kaspersky Lab expert, Marta Janus, in a blog post.
“This rootkit, though it’s still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future.”
“The rootkit at hand seems to be the next step in iFrame injecting cyber crime operations, driving traffic to exploit kits. It could also be used in a Waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail,” a blog post from security firm CrowdStrike read.
The firm, looking at the tools, techniques and procedures employed and some background information it could not disclose, suggested the creator of the rootkit was likely to be Russian.
The attackers could update the iFrame injection, as the rootkit talks with a command and control server. It also persists across reboots by ensuring the kernel-level module loads at start-up.
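Because the injection happens on outgoing TCP packets rather than in the web server’s files, the page on disk stays clean while the copy a visitor receives carries the extra frame. The following added example (not code from Kaspersky, CrowdStrike or the rootkit itself) shows the check a defender can run: parse both copies and report any iFrame present on the wire but absent on disk. The file contents, URLs and function names are constructed for illustration.

```python
from html.parser import HTMLParser


class IframeCollector(HTMLParser):
    """Record the src of every <iframe> start tag seen while parsing."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src") or "")


def iframe_sources(html):
    """Return the iframe src values of a document, in document order."""
    collector = IframeCollector()
    collector.feed(html)
    collector.close()
    return collector.sources


def injected_iframes(on_disk_html, on_wire_html):
    """Return iframe sources seen on the wire that the on-disk file lacks.

    A rootkit rewriting outgoing TCP packets never touches the document root,
    so the file stays clean while the delivered copy carries the extra frame.
    """
    expected = set(iframe_sources(on_disk_html))
    return [src for src in iframe_sources(on_wire_html) if src not in expected]


# Constructed sample: the page as stored on the server ...
ON_DISK = (
    "<html><body><h1>Welcome</h1>"
    '<iframe src="/widgets/weather"></iframe>'
    "</body></html>"
)
# ... and the same page as captured on the network, with a 1x1 frame added.
ON_WIRE = ON_DISK.replace(
    "</body>",
    '<iframe src="http://example.invalid/landing" width="1" height="1">'
    "</iframe></body>",
)

if __name__ == "__main__":
    print(injected_iframes(ON_DISK, ON_WIRE))  # ['http://example.invalid/landing']
```

In practice the on-wire copy would come from a packet capture or a fetch made from outside the server, since a kernel-mode hook can also lie to local tools.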
Meanwhile, F-Secure has uncovered a nasty new exploit kit, called ‘Cool’. It appears to be related to Blackhole, the most prevalent exploit kit today, as both exploit many of the same vulnerabilities.
I am still puzzled and wondering: how did this rootkit get onto the system in the first place? Is there a zero-day on an up-to-date Debian Squeeze system, or ...?
You don't just magically find a system with a rootkit installed, or a rootkit popping out of the "void" and materializing in front of you or on your hard disc in /lib/modules/...