The Inquirer-Home

Security researchers take apart a Linux server rootkit

Malware writers seek to infect servers from the inside out
Wed Nov 21 2012, 11:07
First Shellshock malware emerges

A FRESHLY DISCOVERED Linux rootkit could give researchers insight into evolving malware techniques.

Security researchers have started issuing reports on an unnamed and previously unknown Linux rootkit posted earlier this month to a security mailing list.

While early analysis found that the attack is relatively crude and insecure by Windows rootkit standards, the attack has caught the eye of security vendors because it appears to be a commercially designed sample rather than a targeted attack.

Researchers believe that the rootkit is intended to attack web servers, infecting 64-bit Linux kernels and then injecting further attack code into web pages.

The discovery of the rootkit could indicate that cyber criminals are increasingly looking to infect Linux systems with sophisticated attacks. Rootkits, which run at the operating system kernel level of a system, have emerged as a favourite means for avoiding detection by conventional anti-virus software.

"Although the code quality would be unsatisfying for a serious targeted attack, it is interesting to see the cyber-crime-oriented developers, who have partially shown great skill at developing Windows rootkits, move into the Linux rootkit direction," security firm Crowdstrike wrote in its analysis of the malware sample.

"The lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit, is a further indicator that this is not part of a sophisticated, targeted attack."

Crowdstrike researchers went on to suggest that the attack is likely the work of a contracted malware developer and has since been modified by the buyer.

Marta Janus, a researcher with Kaspersky Lab, suggested that the attack could also signal a shift away from high-level attacks on HTTP servers to more sophisticated methods that infect the server itself and poison hosted web pages.

"This rootkit, though it's still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future," Janus wrote. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Existing User
Please fill in the field below to receive your profile link.
Sign-up for the INQBot weekly newsletter
Click here
INQ Poll

Microsoft Windows 10 poll

Which feature of Windows 10 are you most excited about?