|From owner-hangout-outgoing-at-mrbrklyn.com Fri Nov 23 07:18:18 2012
Received: by www2.mrbrklyn.com (Postfix)
id C98B93A604; Fri, 23 Nov 2012 07:18:17 -0500 (EST)
Received: by www2.mrbrklyn.com (Postfix, from userid 28)
id B87AE3B572; Fri, 23 Nov 2012 07:18:17 -0500 (EST)
Received: from mailbackend.panix.com (mailbackend.panix.com [126.96.36.199])
by www2.mrbrklyn.com (Postfix) with ESMTP id 661E23A604
for ; Fri, 23 Nov 2012 07:18:17 -0500 (EST)
Received: from [10.0.0.36] (www2.mrbrklyn.com [188.8.131.52])
by mailbackend.panix.com (Postfix) with ESMTP id 1942D361D6
for ; Fri, 23 Nov 2012 07:18:49 -0500 (EST)
Date: Fri, 23 Nov 2012 07:19:06 -0500
From: Ruben Safir
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121025 Thunderbird/16.0.2
Subject: [NYLXS - HANGOUT] Linux security news
Content-Type: text/plain; charset=windows-1252; format=flowed

New Linux Rootkit Uncovered
The malware appears to be contract work by an intermediate-level Russian
programmer, according to an analysis by CrowdStrike.
By Jeff Goldman | November 22, 2012
New Linux malware was recently discovered by a user who published its
details on the Full Disclosure mailing list.
"The anonymous poster, who runs a web service, found the rootkit on
company servers after customers said they were redirected to malicious
sites," writes SC Magazine's Danielle Walker.
"The binary is more than 500k, but its size is due to the fact that it
hasn't been stripped (i.e. it was compiled with the debugging
information)," writes Kaspersky's Marta Janus. "Perhaps it's still in
the development stage, because some of the functions don’t seem to be
fully working or they are not fully implemented yet."
"The software nasty targets machines running 64-bit GNU/Linux and a web
server, and acts like a rootkit by hiding itself from administrators,"
writes The Register's John Leyden. "A browser fetching a website served
by the compromised system will be quietly directed via an HTML iframe to
malicious sites loaded with malware to attack the web visitor's machine."
"Considering that this rootkit was used to non-selectively inject
iframes into nginx webserver responses, it seems likely that this
rootkit is part of a generic cyber crime operation and not a targeted
attack," CrowdStrike senior security researcher Georg Wicherski wrote in
a detailed analysis. "However, a Waterhole attack, where a site mostly
visited from a certain target audience is infected, would also be
plausible. Since no identifying strings yielded results in an Internet
search ... it appears that this is not a modification of a publicly
available rootkit. Rather, it seems that this is contract work of an
intermediate programmer with no extensive kernel experience, later
customized beyond repair by the buyer."
"The firm, looking at the tools, techniques and procedures employed and
some background information it could not disclose, suggested the creator
of the rootkit was likely to be Russian," writes TechWeekEurope's Tom