There’s a very new rootkit going around. Instead of infecting desktops, it’s aimed at infecting servers doing shared web hosting. Loaded on a shared host, it infects every hosted website with ‘iframes’ that redirect visitors to malicious drive-by downloads.
The problem here is twofold. First, the website-owners will get emails about their site being hacked, upload new copies & change passwords, and maybe think that’s the end of it… only it’s not.
And since the rootkit is apparently still in development, it’s quite possible the next version will be a bit more clever about hiding its presence from the server admin — making for a somewhat higher-level version of the previous process.
In both cases these are extreme examples of false victories: where you think you’ve won, but the threat is still there. These happen to a lesser degree all the time, when a reasonably smart adversary concludes they’re beat and makes a point of folding and running. Only problem is, they ran away so they could fight another day.
(This is again where thoroughness comes in… paying attention to the unpleasant yet easily ignored details that say things aren’t as rosy as they seem. That the malicious iframe wasn’t in the original page source, for example.)
“The experimental Linux malware is indiscriminate: it doesn’t just hijack one specific website, nor target a particular scripting language or web app platform. Instead, it infiltrates every site hosted by a HTTP server on the compromised box. The rootkit part, which burrows into the Linux kernel to prevent detection by software and superusers, ensures the cunning scam is not immediately blown – not until web surfers hitting the server complain of being hacked by the drive-by-download redirects, at least.
As such the malware is the equivalent of moving up from a rifle taking pot shots at users to a prototype buried gun turret that pops up to silently strafe anyone within reach.
The Linux malware is designed to load itself into memory on startup before hooking itself into kernel functions. Rootkit Linux Snakso-A, as Kaspersky Lab dubs the software, uses various ninja-style tricks to hide itself before crafting network data packets containing the HTML iframes; these are then tucked into the server’s output to visiting web browsers. The malicious payload delivered to surfers through these iframes is pulled from a mastermind’s command-and-control server.
“The iframe injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg – which is responsible for building TCP packets – with its own function, so the malicious iframes are injected into the HTTP traffic by direct modification of the outgoing TCP packets,” Janus explained.
“In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication.”
Kaspersky Lab warned the malicious command-and-control server behind the attacks was still active at the time it completed its analysis.”