Search My Blog

Thursday, November 22, 2012

CrowdStrike - HTTP iframe Injecting Linux Rootkit (Vrius info)

Monday, November 19, 2012

HTTP iframe Injecting Linux Rootkit

Georg Wicherski, Senior Security Researcher

On Tuesday, November 13, 2012, a previously unknown Linux rootkit was posted to the Full Disclosure mailing list by an anonymous victim. The rootkit was discovered on a web server that added an unknown iframe into any HTTP response sent by the web server.

The victim has recovered the rootkit kernel module file and attached it to the mailing list post, asking for any information on this threat. Until today, nobody has replied on this email thread. CrowdStrike has performed a brief static analysis of the kernel module in question, and these are our results. Our results seem to be in line with Kaspersky's findings; they also already added detection.

Key Findings

  • The rootkit at hand seems to be the next step in iframe injecting cyber crime operations, driving traffic to exploit kits. It could also be used in a Waterhole attack to conduct a targeted attack against a a specific target audience without leaving much forensic trail.
  • It appears that this is not a modification of a publicly available rootkit. It seems that this is contract work of an intermediate programmer with no extensive kernel experience.
  • Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely.

Functional Overview


I use Several Anti Virus and rootkit finding Apps in my Fedora and Debian Linux Systems. I Always install ClamAV ( and Klam GUI which I really like. I find the GUI easy and fast to use. I install it on all of my Systems (Fedora and Debian). ( and ( and (

I use Rootkit Hunter ( to Scan my Fedora and other Linux Systems for rootkits. And there is a nice GUI APP called, Chkrootkit ( It will automatically open up a Command Line and check your system for rootkits, automatically.

The Web Site, is not in English (Translated Downloads Page, But, you can install it from the Fedora Repos and it runs in English. Or I imagine which ever language you have your system set to.

chkrootkit is a tool to locally check for signs of a rootkit. It contains:
* chkrootkit: shell script that checks system binaries for rootkit modification.
* ifpromisc: checks if the network interface is in promiscuous mode.
* chklastlog: checks for lastlog deletions.
* chkwtmp: checks for wtmp deletions.
* chkproc: checks for signs of LKM trojans.
* chkdirs: checks for signs of LKM trojans.
* strings: quick and dirty strings replacement.
* chkutmp: checks for utmp deletions.

Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique.

Unix/Linux version 

Windows version


Security and system auditing tool
Project information
Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read only storage is no problem (USB stick, cd/dvd).

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOX (Sarbanes-Oxley) compliance audits.

Intended audience:
Security specialists, penetration testers, system auditors, system/network managers.

Examples of audit tests:
- Available authentication methods
- Expired SSL certificates
- Outdated software
- User accounts without password
- Incorrect file permissions
- Firewall auditing

Current state:
Stable releases are available, development is active.

System requirements:
- Compatible operating system (see 'Supported operating systems')
- Default shell

Supported operating systems
Tested on:
- Arch Linux
- CentOS
- Debian
- Fedora Core 4 and higher
- FreeBSD
- Gentoo
- Knoppix
- Mac OS X
- Mandriva 2007
- OpenBSD 4.x
- OpenSolaris
- OpenSuSE
- PCLinuxOS
- Red Hat, RHEL 5.x
- Slackware 12.1
- Solaris 10
- Ubuntu

(did it work on your operating system? Let me know!)

Extra information


Hope this helps...


Virus info Linux and Windows
trinity - Google Search
DonsDeals: BBC NEWS | Programmes | Click | BBC team exposes cyber crime risk
DonsDeals: Updated Conficker Ropes Victims into Rogue Antivirus Scam
DonsDeals: Jotti's malware scan
DonsDeals: Free Agent: Linux Firewalls and Antivirus--Needed or Not? - PCWorld
DonsDeals: Immunet v2 update on the way: adds multi-engine malware and virus scanning to cloud-powered core
DonsDeals: The first Linux botnet? | ITworld
DonsDeals: PC Hell: Free RootKit Removal Tools and Software
DonsDeals: Trinityhome : New TRK 3.4: easier than ever before
DonsDeals: Conficker Worm Called An Epidemic
DonsDeals: Setting up Avast Antivirus to Protect your Windows PC...
DonsDeals: - Free Multi-Engine Online Virus Scanner v1.02, Supports 37 AntiVirus Engines!
DonsDeals: M86 Security Finds URL Filters Anti Virus Scanners Ineffective
Jotti's malware scan
AVG Online Virus Scanner | Scan Web Pages | AVG LinkScanner Drop Zone - Free Multi-Engine Online Virus Scanner v1.02, Supports 36 AntiVirus Engines!
DonsDeals: Probably the Best Free Security List in the World
DonsDeals: Re: Viruses now penetrating deeper | Tech News on ZDNet
DonsDeals: Avast! AntiVirus For Both Window and Linux Home Edition
remove sasser virus - Google Search
remove sasser virus - Google Search
wine gecko - Google Search
crafted.win32file.ols - Google Search
DonsDeals: Best Free Rootkit Scanner/Remover
DonsDeals: New Kneber Botnet Tied To 75 000 Systems
DonsDeals: Facebook Users Targeted By Fake Virus Alert
Clam AntiVirus
avast! Linux Home Edition
ClamWin CD/USB - HowTo
Free Antivirus for Windows - Open source GPL virus scanner
WinPlanet Downloads for Windows Desktop Utilities
DonsDeals: Download Comodo System-Cleaner
DonsDeals: Firewall & Antivirus Software Suite - Internet Security | Comodo
DonsDeals: Free Desktop PC Security - Free Downloads Keep your PC Safe | Comodo
Trojans - Google Search
Trojan horse (computing) - Wikipedia, the free encyclopedia
worms computer - Google Search
Computer worm - Wikipedia, the free encyclopedia
rootkits computer - Google Search
How to Detect Rootkits on a Computer |
Rootkit - Wikipedia, the free encyclopedia
trojans computer - Google Search
Trojan - Trojans and Viruses in Computer Networking
Download System-Cleaner
Comodo - Google Search
Firewall & Antivirus Software Suite - Internet Security | Comodo
DonsDeals: There are Viruses, Trojans, Worms and Rootkits, that can infect a Linux OS
DonsDeals: Probably the best free security list in the world
Remote PC through VPN Access - Secure Remote Access | Comodo
News | VirusBlokAda
online virus scan file upload - Google Search
VirusTotal - Free Online Virus, Malware and URL Scanner
Antivirus scan for 5cb14d0745d7b09bcbeba3114cc06c5f at UTC - VirusTotal
trojan.tdss-7762 - Google Search
Clam AntiVirus
New Linux Rootkit Emerges | threatpost
CrowdStrike: HTTP iframe Injecting Linux Rootkit
The Rootkit Hunter project
Unhide homepage - Welcome
Google Translate -
klamav - Google Search
KlamAV - ClamAV for KDE | Free Development software downloads at
KlamAV GUI Screen Animation

Virus Software and How To's
Virus Effect Remover | Download Virus Effect Remover software for free at
RegRun Reanimator - free Trojan/Adware/Spyware removal tool - Greatis Software
Emsisoft BlitzBlank - Removes malware infections that nothing else removes
Threat Killer - Security Solutions & Information Technology - NoVirusThanks
Probably the Best Free Security List in the World
F-Secure Labs
Easy Clean, Free Virus Removal - Free Download | F-Secure
How to Use Stinger | McAfee Free Tools

Commercial free virus removal tools
PCH Search & Win: free virus removal
Security Response Removal Tools - Symantec Corp.
Virus Removal Tools
PC Tools AntiVirus Free - Download Antivirus and Antispyware Software for Windows®
Free Virus Removal Protection | Virus Removal Tools | McAfee
Free Online Tools

No comments: