One of the more advanced rootkits to have hit town in recent memory has got security researchers across the globe in a tizz, even though it hasn’t even been finished.
The Linux rootkit can inject an iFrame into any HTTP response sent by a web server, and is highly sophisticated in the way it can hide the malicious commands it’s carrying out.
This is significant because iFrames are used by cyber crooks to redirect people to exploit kits, which probe the victim’s system for vulnerabilities before dropping malware onto it and carrying out other malicious actions on the computer.
In the case of this smart new rootkit, which appears to still be in the development stage, the malicious iFrames are injected into HTTP traffic by “direct modification of the outgoing TCP packets”, explained Russian security firm Kaspersky.
Researchers believe the malware is aimed at the kernel in the 64-bit Debian Squeeze distribution of Linux. They also believe this case, which was only revealed after a victim posted details of the rootkit online at SecLists.org, marks a major gear shift in this kind of malware.
“In most of the drive-by download scenarios an automated injection mechanism is implemented as a simple PHP script. In the case described above, we are dealing with something far more sophisticated – a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before,” said Kaspersky Lab expert, Marta Janus, in a blog post.
“This rootkit, though it’s still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future.”
“The rootkit at hand seems to be the next step in iFrame injecting cyber crime operations, driving traffic to exploit kits. It could also be used in a Waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail,” a blog post from security firm CrowdStrike read.
The firm, looking at the tools, techniques and procedures employed and some background information it could not disclose, suggested the creator of the rootkit was likely to be Russian.
Because the rootkit talks to a command and control server, the attackers can update the injected iFrame remotely. It also persists across reboots by ensuring the kernel-level module loads at start-up.
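Since the iFrame is spliced into outgoing TCP packets by a kernel component, the web application's logs and the files on disk look clean; the change is only visible on the wire. The following added example (not code from the article, Kaspersky or CrowdStrike) shows the out-of-band check a defender would run: capture a response from a separate host and compare it with the document the server was supposed to send. The URL, response and page body are constructed sample data.

```python
"""Out-of-band check for iFrame injection in a captured HTTP response.

Compares a response captured from a separate host against the document as
stored on the web server, and flags any <iframe> that only exists on the wire.
"""
from html.parser import HTMLParser


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.srcs.append(dict(attrs).get("src", ""))


def iframe_srcs(html):
    parser = _IframeCollector()
    parser.feed(html)
    return parser.srcs


def split_response(raw):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def check_response(raw_response, expected_body):
    """Return findings: iframes not in the on-disk page, body diff, length diff."""
    headers, body = split_response(raw_response)
    expected = set(iframe_srcs(expected_body))
    declared = headers.get("content-length")
    return {
        "injected_iframes": [s for s in iframe_srcs(body) if s not in expected],
        "body_modified": body != expected_body,
        # A packet-level rewrite may leave Content-Length stale; not guaranteed.
        "content_length_mismatch": declared is not None
        and int(declared) != len(body.encode()),
    }


# Constructed sample: the page on disk has no iframe, the captured copy does.
EXPECTED_BODY = "<html><body><h1>Welcome</h1></body></html>"
CAPTURED = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 42\r\n\r\n"
    "<html><body><h1>Welcome</h1>"
    '<iframe src="http://placeholder.invalid/" width="1" height="1"></iframe>'
    "</body></html>"
)

if __name__ == "__main__":
    print(check_response(CAPTURED, EXPECTED_BODY))
```

The iframe diff is the primary signal; the Content-Length check is a secondary heuristic that a careful rewriter could defeat.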
Meanwhile, F-Secure has uncovered a nasty new exploit kit, called ‘Cool’. It appears to be related to Blackhole, the most prevalent exploit kit today, as both exploit many of the same vulnerabilities.
I am still puzzled and wondering, how did this rootkit get onto the system in the first place? Is there a zero-day on an up2date Debian Squeeze system, or?
You don't just find a system magically with a rootkit installed, or a rootkit just popping out of the "void" materializing just in front of you or on your hard disc in /lib/modules/...