Monday, November 19, 2012
HTTP iframe Injecting Linux Rootkit
Georg Wicherski, Senior Security Researcher

On Tuesday, November 13, 2012, a previously unknown Linux rootkit was posted to the Full Disclosure mailing list by an anonymous victim. The rootkit was discovered on a web server that added an unknown iframe into any HTTP response sent by the web server.
The victim recovered the rootkit kernel module file and attached it to the mailing list post, asking for any information on this threat. Until today, nobody has replied to this email thread. CrowdStrike has performed a brief static analysis of the kernel module in question, and these are our results. Our results seem to be in line with Kaspersky's findings; they have also already added detection.
- The rootkit at hand seems to be the next step in iframe-injecting cyber crime operations, driving traffic to exploit kits. It could also be used in a waterhole attack to conduct a targeted attack against a specific target audience without leaving much of a forensic trail.
- It appears that this is not a modification of a publicly available rootkit. It seems that this is contract work of an intermediate programmer with no extensive kernel experience.
- Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely.
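The symptom described above is an iframe that exists in the served HTTP response but not in the page on disk. The following check, added here as an example and not code from CrowdStrike or the original poster, parses both copies and reports any iframe src the web server was never supposed to send; the sample HTML and the domain injected.example are constructed placeholders.

```python
"""Compare a served HTTP response with the on-disk page it should have
come from and report iframes that only appear in the served copy.
Added example; sample HTML below is constructed, not a real capture."""
from html.parser import HTMLParser
import urllib.request


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src")
            self.srcs.append(src if src is not None else "")


def iframe_srcs(html):
    """Return the src values of all iframes in html, in document order."""
    parser = IframeCollector()
    parser.feed(html)
    return parser.srcs


def injected_iframes(served_html, disk_html):
    """Return iframe src values present in the served response but absent
    from the on-disk file. A non-empty result means something between
    the file and the socket (e.g. a kernel module hooking the network
    path, as in the rootkit discussed) altered the response in transit."""
    expected = set(iframe_srcs(disk_html))
    return [s for s in iframe_srcs(served_html) if s not in expected]


def fetch_body(url):
    """Fetch a page over HTTP so it can be compared with its disk copy."""
    with urllib.request.urlopen(url) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


# Constructed sample: what is on disk versus what a client received.
DISK_HTML = "<html><body><h1>Hello</h1><iframe src='/ads.html'></iframe></body></html>"
SERVED_HTML = ("<html><body><h1>Hello</h1><iframe src='/ads.html'></iframe>"
               "<iframe src='http://injected.example/kit' width=1 height=1></iframe>"
               "</body></html>")

if __name__ == "__main__":
    for src in injected_iframes(SERVED_HTML, DISK_HTML):
        print("unexpected iframe in served response:", src)
```

In practice, run fetch_body against each site from a separate host and compare with the file read from the server's document root, since a kernel-level hook can alter what local tools see as well.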
I use several antivirus and rootkit-finding apps on my Fedora and Debian Linux systems. I always install ClamAV (http://www.clamav.net/lang/en/) and the KlamAV GUI, which I really like. I find the GUI easy and fast to use. I install it on all of my systems (Fedora and Debian). (http://sourceforge.net/projects/klamav/), (http://klamav.sourceforge.net/index2.php?content=ka_tutorial) and (http://klamav.sourceforge.net/index2.php?content=ka_install_instructions).
I use Rootkit Hunter (http://rkhunter.sourceforge.net/) to scan my Fedora and other Linux systems for rootkits. And there is a nice GUI app called Chkrootkit (http://www.chkrootkit.org/). It will automatically open up a command line and check your system for rootkits.
The web site is not in English (translated downloads page: http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.chkrootkit.org%2Fdownload.htm). But you can install it from the Fedora repos and it runs in English, or, I imagine, whichever language you have your system set to.
chkrootkit is a tool to locally check for signs of a rootkit. It contains:
* chkrootkit: shell script that checks system binaries for rootkit modification.
* ifpromisc: checks if the network interface is in promiscuous mode.
* chklastlog: checks for lastlog deletions.
* chkwtmp: checks for wtmp deletions.
* chkproc: checks for signs of LKM trojans.
* chkdirs: checks for signs of LKM trojans.
* strings: quick and dirty strings replacement.
* chkutmp: checks for utmp deletions.
Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits/LKMs or by another hiding technique.
Lynis: Security and system auditing tool

Project information
Lynis is an auditing tool for Unix (specialists). It scans the system and available software to detect security issues. Besides security-related information it will also scan for general system information, installed packages and configuration mistakes.
This software aims at assisting automated auditing, software patch management, and vulnerability and malware scanning of Unix-based systems. It can be run without prior installation, so inclusion on read-only storage is no problem (USB stick, CD/DVD).
Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOX (Sarbanes-Oxley) compliance audits.
Audience: security specialists, penetration testers, system auditors, system/network managers.
Examples of audit tests:
- Available authentication methods
- Expired SSL certificates
- Outdated software
- User accounts without password
- Incorrect file permissions
- Firewall auditing
Stable releases are available, development is active.

System requirements:
- Compatible operating system (see 'Supported operating systems')
- Default shell

Supported operating systems
Tested on:
- Arch Linux
- Fedora Core 4 and higher
- Mac OS X
- Mandriva 2007
- OpenBSD 4.x
- Red Hat, RHEL 5.x
- Slackware 12.1
- Solaris 10
(did it work on your operating system? Let me know!)
Hope this helps...