New Linux Rootkit Emerges - The rootkit is designed specifically for 64-bit

A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or to be meant for use in targeted attacks.

The new Linux rootkit is loaded into memory and once there, it pulls out some memory addresses and then stores them for use later. It also then hooks into several kernel functions as a way to hide some of its files on the machine.

Read more: Threatpost | The first stop for security news
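The article says the rootkit hooks kernel functions to hide its files. Two unprivileged consistency checks of the kind an administrator can run to notice that sort of hiding, added here as an illustration and not taken from the Threatpost article or from this post: on filesystems such as ext4 a directory's link count equals 2 plus the number of subdirectories it contains, so a readdir() that has been filtered by a hook will show fewer subdirectories than the link count implies; and a loadable module that has been unlinked from the kernel's module list still leaves its /sys/module/<name>/initstate entry behind, so comparing sysfs against /proc/modules can reveal it. Both functions return None when the view they need is unavailable (a filesystem that does not keep classic link counts, or a container without /proc or /sys), which is an assumption about how the checks should degrade rather than anything the article states.

```python
import os
import stat
import tempfile


def directory_link_discrepancy(path):
    """Return (subdirs_implied_by_link_count, subdirs_visible_via_readdir).

    Returns None when `path` is not a directory or the filesystem does not
    maintain classic directory link counts (btrfs and some overlay/FUSE
    filesystems report st_nlink < 2, and the check does not apply there).
    A visible count lower than the implied count means readdir() is not
    showing everything the directory contains.
    """
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode) or st.st_nlink < 2:
        return None
    visible = 0
    for name in os.listdir(path):
        try:
            # lstat so that symlinks to directories are not counted; they do
            # not contribute a '..' entry to the parent's link count.
            if stat.S_ISDIR(os.lstat(os.path.join(path, name)).st_mode):
                visible += 1
        except OSError:
            pass  # entry vanished or is unreadable; treat as not seen
    return (st.st_nlink - 2, visible)


def sysfs_modules_not_in_proc(proc_modules="/proc/modules",
                              sys_module="/sys/module"):
    """Names of loadable modules present in sysfs but absent from /proc/modules.

    Built-in kernel code also gets a /sys/module entry, so only entries that
    carry an 'initstate' file (loadable modules) are compared. Returns None if
    either view cannot be read. An empty list is the expected healthy result.
    """
    try:
        with open(proc_modules) as fh:
            listed = {line.split()[0] for line in fh if line.strip()}
        candidates = os.listdir(sys_module)
    except OSError:
        return None
    suspicious = []
    for name in candidates:
        initstate = os.path.join(sys_module, name, "initstate")
        if os.path.exists(initstate) and name not in listed:
            suspicious.append(name)
    return sorted(suspicious)


def self_check():
    """Build a constructed directory (3 subdirectories, 1 plain file) in a
    temporary location and run the link-count check on it."""
    base = tempfile.mkdtemp(prefix="linkcheck-")
    for name in ("a", "b", "c"):
        os.mkdir(os.path.join(base, name))
    with open(os.path.join(base, "plain.txt"), "w") as fh:
        fh.write("constructed sample file\n")
    return directory_link_discrepancy(base)


if __name__ == "__main__":
    print("constructed dir (implied, visible):", self_check())
    for d in ("/etc", "/usr/lib"):
        print(d, directory_link_discrepancy(d))
    print("modules in sysfs but not /proc/modules:", sysfs_modules_not_in_proc())
```

On a healthy ext4 system every directory prints a matching pair and the module check prints an empty list. A mismatch is a lead to investigate from outside the running kernel (rescue media, or a forensic image), not proof on its own, since a directory that is being modified while the script runs can also produce a transient difference.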

Hi Seany007,

Thanks for the info. Nice! Here we go!

Below is another poem by me in this forum (Ohhh!.. some people are sick of those … I know)

[i]We always are waiting
We are anticipating…
What clever guys creating?
They do, they keep their rating
And we are just debating

Attached is compilation
Of “here we go!” citation
It’s not my best creation
Please, spare me from damnation
[/i]******

Listen, enjoy & relax :smiley:

Cheers all!

[attachment deleted by admin]

Ha ha ha LOL! Good one ;D :-TU

sounds like a really nasty infection.

!ot! Well, I’m supposed to be out, but a good friend of mine asked me to come back and delay my going for a while. At least until another year or so until he finishes his thesis. 88) !ot!

No, not really. The article is rather… lacking… in necessary information, which includes (but is not limited to):

  1. How did it get root privileges?
    a. was it allowed by the user?
    b. did it manage to insert itself in the repositories? or pose as other software (highly unlikely since nearly everything can be found in the repositories)?
  2. How do you prevent such infections if it needs preventing at all?
  3. What Linuxes are affected? Saying it’s for 64-bit doesn’t really cut it that much. It states it doesn’t seem to be a targeted attack so am I to assume that the malware tries a hit-or-miss mechanism?
  4. What about the modules? Is the malware portable? or is it dependent on other software (vulnerability exploit)?
  5. How did it load itself bypassing gksudo/sudo or commands of the like?

Pretty much a question of how. It’s not as nasty as it looks from what the article contains. Most Linux distros (if not all) do not allow automated launching, much less as root (and bypassing such things requires being root as well. I can’t even do it at boot up or even before completely shutting down). The only way I could think of for this to be possible is if someone (un)intentionally installed the rootkit himself. Otherwise, the chances of this rootkit infecting anything at all are rapidly dwindling. I still see no reason for this to be an issue.