New Linux Rootkit Targets 64-bit Linux Systems
Security firms Kaspersky and CrowdStrike have recently identified and analyzed a new Linux malware. The rootkit targets 64-bit platforms and is functional, and some of the techniques built into it could make it an effective weapon for targeted attacks and drive-by download scenarios.
Yet, in the experts' view, the malware is not related to any known rootkit. A number of its functions do not work properly, and the analyzed variant lacks proper HTTP response parsing. This likely indicates that the author is a mediocre programmer with no kernel experience.
To ensure it runs each time the infected computer is started, the rootkit adds an entry to the /etc/rc.local script.
To conceal its presence, the rootkit hooks several kernel functions, including vfs_read and filldir64. It does this either by inline hooking or by replacing their addresses in memory with pointers to its own forged functions.
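A defender checking for the persistence mechanism described above would audit /etc/rc.local for entries that load kernel code or execute from world-writable or hidden locations. The script below is an added example, not code from the article or from either vendor's analysis; the rc.local content it scans is constructed, and the heuristics are general ones rather than a signature for this specific rootkit.

```python
"""Audit an /etc/rc.local script for boot-time persistence entries.
Added example with constructed input; not code from the article or from
Kaspersky's or CrowdStrike's analysis."""

# Locations a legitimate boot script has no business executing code from.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample: two benign entries and two that warrant review.
SAMPLE_RC_LOCAL = """#!/bin/sh -e
# rc.local - executed at the end of each multiuser runlevel
/usr/sbin/ntpdate-debian >/dev/null 2>&1 || true
insmod /lib/modules/$(uname -r)/kernel/drivers/net/dummy.ko
insmod /tmp/.x/module.ko
/dev/shm/.update/start.sh &
exit 0
"""


def audit_rc_local(text):
    """Return [(line_number, reasons, line)] for every non-comment line that
    loads a kernel module from outside /lib/modules, uses modprobe, references
    a world-writable directory, or touches a hidden directory.
    Lines with no findings are omitted."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = line.split()
        cmd = argv[0].rsplit("/", 1)[-1]        # basename of the command
        reasons = []
        if cmd == "insmod":
            # insmod takes a path; anything outside the modules tree is odd
            args = [a for a in argv[1:] if not a.startswith("-")]
            module = args[0] if args else ""
            if not module.startswith("/lib/modules/"):
                reasons.append("kernel module loaded from outside /lib/modules")
        elif cmd == "modprobe":
            # not necessarily malicious, but a boot-time module load is worth a look
            reasons.append("kernel module loaded at boot; confirm it is expected")
        hits = [tok for tok in argv if tok.startswith(SUSPICIOUS_PREFIXES)]
        if hits:
            reasons.append("references a world-writable location: " + hits[0])
        hidden = [tok for tok in argv if "/." in tok]
        if hidden:
            reasons.append("path inside a hidden directory: " + hidden[0])
        if reasons:
            findings.append((lineno, tuple(reasons), line))
    return findings


if __name__ == "__main__":
    for lineno, reasons, line in audit_rc_local(SAMPLE_RC_LOCAL):
        print("line %d: %s" % (lineno, line))
        for r in reasons:
            print("    - " + r)
```

On the constructed sample this reports lines 5 and 6 and stays quiet about the ntpdate and in-tree insmod lines. rc.local is only one of many boot-time persistence points (init scripts, systemd units, cron, module autoload configuration), so a real audit would run the same kind of check across all of them, and modprobe entries are flagged for review rather than treated as malicious because benign scripts do use them.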
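The two hooking techniques named above leave different traces, and each has a standard detection heuristic: an inline hook overwrites the first bytes of the target function with an unconditional jump, and a replaced pointer makes a function-table entry resolve somewhere outside the core kernel's text section (for example into a loadable module's address range). The code below is an added example that applies both heuristics to constructed byte strings and addresses; it is not code from the article or from either vendor's analysis, and the addresses and prologue bytes are made up for illustration.

```python
"""Two rootkit-hunting heuristics for hooked kernel functions.
Added example with constructed data; not code from the article or from
Kaspersky's or CrowdStrike's analysis."""
import struct

MASK64 = 0xFFFFFFFFFFFFFFFF


def detect_inline_hook(prologue, func_addr):
    """Return a description of the detour if the first bytes of a function
    look like an inline hook, else None.  `prologue` is the first bytes of the
    function as read from memory; `func_addr` is its address, used to resolve
    RIP-relative jumps."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:                # jmp rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return "jmp rel32 to 0x%x" % ((func_addr + 5 + rel) & MASK64)
    if len(prologue) >= 6 and prologue[:2] == b"\xFF\x25":         # jmp [rip+disp32]
        disp = struct.unpack_from("<i", prologue, 2)[0]
        return "jmp [rip+0x%x] (indirect)" % ((func_addr + 6 + disp) & MASK64)
    if (len(prologue) >= 12 and prologue[:2] == b"\x48\xB8"
            and prologue[10:12] == b"\xFF\xE0"):                   # mov rax, imm64; jmp rax
        target = struct.unpack_from("<Q", prologue, 2)[0]
        return "mov rax, 0x%x; jmp rax" % target
    return None


def find_replaced_pointers(table, text_start, text_end):
    """Given {name: pointer} entries from a function-pointer table and the core
    kernel's [text_start, text_end) range, return the names whose pointer
    lies outside that range, sorted."""
    return sorted(name for name, ptr in table.items()
                  if not (text_start <= ptr < text_end))


# Constructed data: not real kernel addresses or bytes.
KERNEL_TEXT = (0xFFFFFFFF81000000, 0xFFFFFFFF81E00000)
VFS_READ_ADDR = 0xFFFFFFFF811A2000
# push rbp; mov rbp, rsp; push r15; push r14 - an ordinary prologue
CLEAN_PROLOGUE = b"\x55\x48\x89\xE5\x41\x57\x41\x56"
# jmp +0x1000; nop; nop; nop - what an inline hook leaves behind
HOOKED_PROLOGUE = b"\xE9" + struct.pack("<i", 0x1000) + b"\x90\x90\x90"
POINTER_TABLE = {
    "read": 0xFFFFFFFF811A2000,
    "getdents64": 0xFFFFFFFFA0012340,   # resolves into module address space
    "write": 0xFFFFFFFF811A2800,
}


if __name__ == "__main__":
    print("clean :", detect_inline_hook(CLEAN_PROLOGUE, VFS_READ_ADDR))
    print("hooked:", detect_inline_hook(HOOKED_PROLOGUE, VFS_READ_ADDR))
    print("pointers outside core text:",
          find_replaced_pointers(POINTER_TABLE, *KERNEL_TEXT))
```

In practice the prologue bytes come from kernel memory (or a memory image) and the reference text range from System.map or /proc/kallsyms, and the most reliable variant of the first check is to compare the in-memory bytes against the on-disk kernel image rather than to pattern-match. A jump at a function entry is not proof of a rootkit on its own: ftrace, live patching and other legitimate kernel mechanisms also rewrite prologues, so a hit needs to be checked against what the kernel itself reports as patched.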
In his blog post, Georg also describes how the data is then retrieved from the buffer by the TCP code and encapsulated in a TCP packet for transmission.
Georg adds that, on the basis of the tools, techniques and procedures employed and the available background information, it is quite difficult to say anything about the Russia-based attacker. The question of how the attackers gained the root privileges needed to install the rootkit remains open. Nevertheless, given the code quality, a custom privilege-escalation exploit seems quite unlikely.
Commenting on the same malware, Kaspersky researcher Marta Janus said that it communicates with its command and control server using an encrypted password. Although the rootkit is still in a nascent stage, it exhibits a new approach to the drive-by download scheme, and more such malware can be anticipated in the future, as published by scmagazine.com on November 20, 2012.
» SPAMfighter News - 27-11-2012