A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or to be meant for use in targeted attacks.
The new Linux rootkit is loaded into memory and once there, it pulls out some memory addresses and then stores them for use later. It also then hooks into several kernel functions as a way to hide some of its files on the machine.
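The quoted article says the rootkit hooks kernel functions to hide its files. A module that hides itself in the same way typically drops out of /proc/modules (and so from lsmod) but still leaves traces elsewhere. The following is an added detection example, not code from the article or from any poster in this thread; it cross-checks three views of loaded modules and assumes (as a constructed sample) a hypothetical module name "hidemod" and that only loadable modules have an initstate file under /sys/module/<name>.

```python
"""Flag kernel modules that are visible in sysfs or kallsyms but absent from /proc/modules.

Added example, not from the article or the thread. A self-hiding module unlinks
itself from the kernel's module list, so lsmod and /proc/modules no longer show
it, but its /sys/module/<name> directory and the [module] tags on its symbols
in /proc/kallsyms usually remain. Module names in the sample data are constructed.
"""
import os
import re
from typing import Dict, Iterable, List, Set

# /proc/kallsyms line: "<addr> <type> <symbol>\t[<module>]"; built-in symbols carry no tag.
_KALLSYMS_RE = re.compile(r"^[0-9a-f]+\s+\S\s+\S+\s+\[(\S+)\]\s*$")


def parse_proc_modules(text: str) -> Set[str]:
    """Module names from /proc/modules (first whitespace-separated field of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def parse_kallsyms_modules(text: str) -> Set[str]:
    """Module names that appear as [module] tags in /proc/kallsyms."""
    return {m.group(1) for m in map(_KALLSYMS_RE.match, text.splitlines()) if m}


def find_hidden_modules(proc_modules: str, sysfs_modules: Iterable[str],
                        kallsyms: str) -> Dict[str, List[str]]:
    """Return {module: [sources that still see it]} for modules missing from /proc/modules.

    sysfs_modules must contain only names whose /sys/module/<name>/initstate exists
    (assumption: built-in modules have a sysfs directory but no initstate file).
    """
    listed = parse_proc_modules(proc_modules)
    seen: Dict[str, List[str]] = {}
    for name in sysfs_modules:
        seen.setdefault(name, []).append("/sys/module")
    for name in parse_kallsyms_modules(kallsyms):
        seen.setdefault(name, []).append("/proc/kallsyms")
    return {n: srcs for n, srcs in seen.items() if n not in listed}


# Constructed sample data: "hidemod" is a hypothetical self-hiding module.
SAMPLE_PROC_MODULES = ("ext4 778240 2 - Live 0xffffffffc0500000\n"
                       "mbcache 16384 1 ext4, Live 0xffffffffc0100000\n")
SAMPLE_SYSFS = ["ext4", "mbcache", "hidemod"]
SAMPLE_KALLSYMS = ("ffffffffc0500000 t ext4_fill_super\t[ext4]\n"
                   "ffffffffc0700000 t hooked_getdents\t[hidemod]\n"
                   "ffffffff81000000 T _text\n")


def check_live_system() -> Dict[str, List[str]]:
    """Run the same cross-check against the running kernel (needs root for usable kallsyms)."""
    with open("/proc/modules") as f, open("/proc/kallsyms") as k:
        sysfs = [n for n in os.listdir("/sys/module") if os.path.exists(f"/sys/module/{n}/initstate")]
        return find_hidden_modules(f.read(), sysfs, k.read())
```

On a live system, `check_live_system()` returns an empty dict when every loadable module is accounted for; any entry it returns is a candidate for offline inspection of the module image rather than proof on its own.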
!ot! Well, I’m supposed to be out, but a good friend of mine asked me to come back and delay my going for a while. At least until another year or so until he finishes his thesis. 88) !ot!
No, not really. The article is rather… lacking… in necessary information, which includes (but is not limited to):
How did it get root privileges?
a. was it allowed by the user?
b. did it manage to insert itself in the repositories? or pose as another software (highly unlikely since nearly everything can be found in the repositories)?
How do you prevent such infections if it needs preventing at all?
What Linuxes are affected? Saying it’s for 64-bit doesn’t really cut it that much. It states it doesn’t seem to be a targeted attack so am I to assume that the malware tries a hit-or-miss mechanism?
What about the modules? Is the malware portable? or is it dependent on another software (vulnerability exploit)?
How did it load itself bypassing gksudo/sudo or commands of the like?
Pretty much a question of how. It’s not as nasty as it looks from what the article contains. Most Linux distros (if not all) do not allow automated launching, much less as root (and bypassing such things requires being root as well. I can’t even do it at boot up or even before completely shutting down). The only way I could think of for this to be possible is if someone (un)intentionally installed the rootkit himself. Otherwise, the chances of this rootkit infecting anything at all are rapidly dwindling. I still see no reason for this to be an issue.