Explore the latest news and trends  

Keep yourself up to date with one of the following options:

  • Explore more news around Spam/Phishing, Malware/Cyber-attacks and Antivirus
  • Receive news and special offers from SPAMfighter directly in you inbox.
  • Get free tips and tricks from our blog and improve your security when surfing the net.
  • Go

New Linux Rootkit Targets 64-bit Linux Systems

Security firms, Kaspersky and CrowdStrike have recently identified and analyzed a new Linux malware. Though the rootkit is designed to target 64-bit platforms and is functional, but through some of the techniques imbibed within it could really make it a great weapon for targeted attacks and drive-by download scenarios.

Yet, in the views of the experts, the malicious element is not related to any known rootkit in anyways. A number of functions of the malware do not work properly and the analysis of the variant lacks proper HTTP response parsing. This likely indicates the fact that the programmer must be some mediocre level programmer with not kernel experience.

In order to ensure that it can start playing each time on the infected computer being started, the rootkit adds an entry to the /etc/rc.local script.

However, to conceal it existence, the threat hooks several kernel functions including "vfs_read" or "filldir64." It is accomplished by relying on inline hooking or through replacement of their addresses in memory with pointers to its forged functions.

According to Georg Wicherski, Senior Security Researcher at CrowdStrike, in order to implement the iframes (or JavaScript code references) into the HTTP traffic, the rootkit hooks the tcp_sendmsg function that receives one or multiple buffers that are to be sent out to the target and appends them to a connections for outgoing buffer, as reported by darkreading.com on November 20, 2012.

In his blog also he described that the data will then be retrieved from the buffer to TCP code and then encapsulated in a TCP packet for transmission.

Georg also adds that on the basis of tools, techniques and procedures employed in this venture and also keeping in mind the background information, it is quite difficult to comment anything regarding the Russia-based attacker. The question still remains open as to how the attackers might have gained the root privileges for installing the rootkit. Nevertheless, on consideration of the code quality, the escalation exploit of a custom privilege still seems to be quite unlikely.

While commenting on the same malware, Marta Janus, a Kaspersky Researcher held that the malware communicates with its command and control server by employing an encrypted password. However, the rootkit is still in a nascent stage and exhibits a new approach to the drive-by download schema, and we can definitely anticipate more such malware in the future, as published by scmagazine.com on November 20, 2012.

Related article: New Spam Mail Charges For IPod

ยป SPAMfighter News - 27-11-2012

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Exchange Anti Spam Filter
Go back to previous page
Next