CrowdStrike - HTTP iframe Injecting Linux Rootkit (Vrius info) ~ Dons Deals

Monday, November 19, 2012

HTTP iframe Injecting Linux Rootkit

Georg Wicherski, Senior Security Researcher

On Tuesday, November 13, 2012, a previously unknown Linux rootkit was posted to the Full Disclosure mailing list by an anonymous victim. The rootkit was discovered on a web server that added an unknown iframe into any HTTP response sent by the web server.

The victim has recovered the rootkit kernel module file and attached it to the mailing list post, asking for any information on this threat. Until today, nobody has replied on this email thread. CrowdStrike has performed a brief static analysis of the kernel module in question, and these are our results. Our results seem to be in line with Kaspersky's findings; they also already added detection.

Key Findings

The rootkit at hand seems to be the next step in iframe injecting cyber crime operations, driving traffic to exploit kits. It could also be used in a Waterhole attack to conduct a targeted attack against a a specific target audience without leaving much forensic trail.
It appears that this is not a modification of a publicly available rootkit. It seems that this is contract work of an intermediate programmer with no extensive kernel experience.
Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely.

Functional Overview

Read More...
http://blog.crowdstrike.com/2012/11/http-iframe-injecting-linux-rootkit.html

I use Several Anti Virus and rootkit finding Apps in my Fedora and Debian Linux Systems. I Always install ClamAV (http://www.clamav.net/lang/en/) and Klam GUI which I really like. I find the GUI easy and fast to use. I install it on all of my Systems (Fedora and Debian). (http://sourceforge.net/projects/klamav/) and (http://klamav.sourceforge.net/index2.php?content=ka_tutorial) and (http://klamav.sourceforge.net/index2.php?content=ka_install_instructions).

I use Rootkit Hunter (http://rkhunter.sourceforge.net/) to Scan my Fedora and other Linux Systems for rootkits. And there is a nice GUI APP called, Chkrootkit (http://www.chkrootkit.org/). It will automatically open up a Command Line and check your system for rootkits, automatically.

The Web Site, is not in English (Translated Downloads Page, http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.chkrootkit.org%2Fdownload.htm). But, you can install it from the Fedora Repos and it runs in English. Or I imagine which ever language you have your system set to.

chkrootkit is a tool to locally check for signs of a rootkit. It contains:
* chkrootkit: shell script that checks system binaries for rootkit modification.
* ifpromisc: checks if the network interface is in promiscuous mode.
* chklastlog: checks for lastlog deletions.
* chkwtmp: checks for wtmp deletions.
* chkproc: checks for signs of LKM trojans.
* chkdirs: checks for signs of LKM trojans.
* strings: quick and dirty strings replacement.
* chkutmp: checks for utmp deletions.

Unhide is a forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique.

Unix/Linux version

Windows version

http://www.unhide-forensics.info/

Lynis

Description

Security and system auditing tool

Project information

Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read only storage is no problem (USB stick, cd/dvd).

Lynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOX (Sarbanes-Oxley) compliance audits.

Intended audience:
Security specialists, penetration testers, system auditors, system/network managers.

Examples of audit tests:
- Available authentication methods
- Expired SSL certificates
- Outdated software
- User accounts without password
- Incorrect file permissions
- Firewall auditing

Current state:
Stable releases are available, development is active.

System requirements:

- Compatible operating system (see 'Supported operating systems')
- Default shell

Supported operating systems

Tested on:
- Arch Linux
- CentOS
- Debian
- Fedora Core 4 and higher
- FreeBSD
- Gentoo
- Knoppix
- Mac OS X
- Mandriva 2007
- OpenBSD 4.x
- OpenSolaris
- OpenSuSE
- PcBSD
- PCLinuxOS
- Red Hat, RHEL 5.x
- Slackware 12.1
- Solaris 10
- Ubuntu

(did it work on your operating system? Let me know!)