A previously unknown rootkit is infecting Linux web servers and injecting malicious code into web pages served by infected servers. The rootkit was discovered by a user of the security mailing list Full Disclosure, who has posted his observations, including the suspicious kernel module, to the list. The malware adds an iframe to every web page served by the infected system via the nginx proxy – including error pages.
Anyone who visits a web page on the server is then attacked by a specially crafted web page loaded in that iframe. Criminals typically use exploit kits such as BlackHole to examine the visitor's system and establish which of a number of vulnerabilities in Flash, Java and other applications can be exploited. Once an exploitable hole is identified, it is used to install malware on the visitor's system. The compromised web server is thus ultimately used to redirect visitors to another web server, which then infects their systems – typically poorly maintained Windows systems – with malware.
Anti-virus software company Kaspersky Lab has analysed the malware. According to them, the rootkit, which it has dubbed Rootkit.Linux.Snakso.a, is designed to target 64-bit systems and has been compiled for kernel version 2.6.32-5, used in Debian Squeeze. The rootkit adds the line `insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko` to the /etc/rc.local script, ensuring that the malicious module is loaded each time the system boots.
After booting, it determines the memory address of a number of kernel functions, which it then hooks into. This allows it both to hide itself from the user and to manipulate the server’s network traffic. The rootkit obtains deployment instructions from a command and control server. According to Kaspersky, the rootkit may still be under development, as it has been compiled with debug information in situ.
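The persistence mechanism described above (an insmod line appended to /etc/rc.local) is cheap to audit. The following POSIX shell script is an added example written for this article; it is not part of Kaspersky's or Wicherski's analysis. It scans an rc.local-style file for insmod lines and reports any kernel object that is not registered in the kernel's modules.dep, which is how a module dropped into the tree by hand, rather than installed through the package system, tends to stand out. The sample rc.local and modules.dep it creates are constructed inputs so that it runs offline; the module path is the one quoted in the article, reused only as sample data.

```shell
#!/bin/sh
# Added example (not from the article or from Kaspersky): audit an
# rc.local-style startup script for insmod lines and flag modules that
# are not listed in modules.dep for the kernel in question.

# audit_rc_local RC_FILE MODULES_DEP
# Prints findings on stderr; writes the number of unregistered modules to stdout.
audit_rc_local() {
    rc="$1"
    dep="$2"
    unknown=0
    while IFS= read -r line; do
        case "$line" in
            \#*|"") continue ;;   # skip comments and blank lines
            *insmod*) ;;          # only insmod lines are of interest here
            *) continue ;;
        esac
        # pick the first word on the line that looks like a kernel object path
        ko=""
        for word in $line; do
            case "$word" in
                *.ko) ko="$word"; break ;;
            esac
        done
        [ -n "$ko" ] || continue
        printf 'insmod at boot: %s\n' "$ko" >&2
        # modules.dep lists every module the package system knows about as
        # "relative/path/name.ko:"; a module missing from it was placed by hand
        if ! grep -qF "/$(basename "$ko"):" "$dep"; then
            printf '  -> %s is not listed in %s\n' "$(basename "$ko")" "$dep" >&2
            unknown=$((unknown + 1))
        fi
    done < "$rc"
    echo "$unknown"
}

# Constructed sample inputs so the script runs offline. On a live host you
# would pass /etc/rc.local and /lib/modules/$(uname -r)/modules.dep instead.
make_sample_rc_local() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#!/bin/sh -e
# rc.local (constructed sample)
insmod /lib/modules/2.6.32-5-amd64/kernel/sound/soundcore.ko
insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko
exit 0
EOF
    echo "$f"
}

make_sample_modules_dep() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
kernel/sound/soundcore.ko:
kernel/drivers/net/e1000/e1000.ko:
EOF
    echo "$f"
}

# Usage: rc=$(make_sample_rc_local); dep=$(make_sample_modules_dep)
#        audit_rc_local "$rc" "$dep"
```

On the sample data the script reports both insmod lines and flags module_init.ko as unregistered, since only soundcore.ko appears in the constructed modules.dep. On a real host, running it with the live files is a quick first check; a module that is loaded at boot but unknown to modules.dep, or whose insmod line nobody on the team added, deserves the same scrutiny as any other unexplained change to a startup script.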
Security expert Georg Wicherski has also analysed the rootkit, and suggests that it was developed by an advanced beginner who does not yet have a great deal of experience with the kernel. According to Wicherski, the attacker who deployed the rootkit is probably based in Russia.