A new Linux rootkit has emerged, and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites served by the infected host and drive visitors to malicious sites for drive-by download attacks. The rootkit is built specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or to be meant for use in targeted attacks.
The new Linux rootkit is loaded into memory as a kernel module. Once there, it resolves the kernel memory addresses it needs and stores them for later use. It then hooks several kernel functions, in part to hide its own files on the machine.
“To hook private functions that are called without indirection (e.g., through a function pointer), the rootkit employs inline code hooking. In order to hook a function, the rootkit simply overwrites the start of the function with an e9 byte. This is the opcode for a jmp rel32 instruction, which, as its only operand, has 4 bytes relative offset to jump to,” Georg Wicherski of CrowdStrike wrote in a detailed analysis of the new Linux malware.
“The rootkit, however, calculates an 8-byte or 64-bit offset in a stack buffer and then copies 19 bytes (8 bytes offset, 11 bytes uninitialized) behind the e9 opcode into the target function. By pure chance the jump still works, because amd64 is a little endian architecture, so the high extra 4 bytes offset are simply ignored.”
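The following C is an added example, not code from the CrowdStrike analysis or from the rootkit itself. It models the inline hook on a plain byte buffer: the correct 5-byte `jmp rel32` encoding beside the 20-byte write the analysis describes, a decoder that follows the same rule the CPU does, and a small check for a function entry that jumps out of its own text range. The addresses, the text range and the 0xcc stand-in for the 11 uninitialized bytes are constructed assumptions; the instruction encoding is real.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_LEN 5        /* e9 + 4-byte displacement */
#define SLOPPY_PATCH_LEN 20    /* e9 + the 19 bytes copied from the stack buffer */

/* Correct encoding of `jmp rel32` at hook_addr to target. The displacement is measured
   from the end of the 5-byte instruction and must fit in a signed 32-bit value, i.e. the
   target has to lie within +/-2 GiB of the hook. Returns 0 on success, -1 if unreachable. */
int encode_jmp_rel32(uint64_t hook_addr, uint64_t target, uint8_t out[JMP_REL32_LEN]) {
    int64_t rel = (int64_t)(target - (hook_addr + JMP_REL32_LEN));
    if (rel < INT32_MIN || rel > INT32_MAX)
        return -1;
    out[0] = 0xe9;
    for (int i = 0; i < 4; i++)                  /* little-endian rel32 */
        out[1 + i] = (uint8_t)((uint32_t)(int32_t)rel >> (8 * i));
    return 0;
}

/* The encoding the analysis describes: a 64-bit offset is computed in a 19-byte stack
   buffer and all 19 bytes are copied behind the opcode, so 20 bytes of the target
   function are overwritten instead of 5, and nothing checks that the offset fits in
   32 bits. `filler` stands in for the 11 uninitialized bytes (constructed). */
void encode_jmp_sloppy(uint64_t hook_addr, uint64_t target, uint8_t filler,
                       uint8_t out[SLOPPY_PATCH_LEN]) {
    uint64_t rel64 = target - (hook_addr + JMP_REL32_LEN);   /* wraps mod 2^64 */
    uint8_t stack_buf[SLOPPY_PATCH_LEN - 1];
    memset(stack_buf, filler, sizeof stack_buf);
    for (int i = 0; i < 8; i++)                  /* little-endian 64-bit offset */
        stack_buf[i] = (uint8_t)(rel64 >> (8 * i));
    out[0] = 0xe9;
    memcpy(out + 1, stack_buf, sizeof stack_buf);
}

/* Where the CPU goes: it reads e9 plus exactly 4 bytes, sign-extends them and adds the
   result to the address of the next instruction. Bytes 5..19 of the sloppy patch are
   never consulted by the jump; they are simply dead bytes of the clobbered function. */
uint64_t decode_jmp_target(uint64_t hook_addr, const uint8_t *code) {
    uint32_t u = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                 (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    return hook_addr + JMP_REL32_LEN + (uint64_t)(int64_t)(int32_t)u;
}

/* Returns 1 when the correct 5-byte patch and the first 5 bytes of the sloppy 20-byte
   patch are identical and both land on target; 0 when the target is unreachable. */
int sloppy_patch_matches_correct(uint64_t hook_addr, uint64_t target) {
    uint8_t good[JMP_REL32_LEN], sloppy[SLOPPY_PATCH_LEN];
    if (encode_jmp_rel32(hook_addr, target, good) != 0)
        return 0;
    encode_jmp_sloppy(hook_addr, target, 0xcc, sloppy);
    return memcmp(good, sloppy, JMP_REL32_LEN) == 0 &&
           decode_jmp_target(hook_addr, sloppy) == target;
}

/* Where the sloppy patch actually transfers control for a given hook/target pair. */
uint64_t sloppy_patch_lands_at(uint64_t hook_addr, uint64_t target) {
    uint8_t sloppy[SLOPPY_PATCH_LEN];
    encode_jmp_sloppy(hook_addr, target, 0xcc, sloppy);
    return decode_jmp_target(hook_addr, sloppy);
}

/* Detection helper: a function entry that begins with e9 and jumps outside the text
   range [text_lo, text_hi) it belongs to deserves a closer look. */
int jmp_leaves_text(uint64_t func_addr, const uint8_t *code,
                    uint64_t text_lo, uint64_t text_hi) {
    if (code[0] != 0xe9)
        return 0;
    uint64_t t = decode_jmp_target(func_addr, code);
    return t < text_lo || t >= text_hi;
}

int main(void) {
    /* Constructed addresses: a core-kernel function and a hook inside a module. */
    uint64_t hook = 0xffffffff81400000ULL, target = 0xffffffffa0001000ULL;
    uint8_t good[JMP_REL32_LEN], sloppy[SLOPPY_PATCH_LEN];
    encode_jmp_rel32(hook, target, good);
    encode_jmp_sloppy(hook, target, 0xcc, sloppy);
    printf("correct jmp : ");
    for (int i = 0; i < JMP_REL32_LEN; i++) printf("%02x ", good[i]);
    printf("\nsloppy patch: ");
    for (int i = 0; i < SLOPPY_PATCH_LEN; i++) printf("%02x ", sloppy[i]);
    printf("\nboth land at %#llx\n", (unsigned long long)decode_jmp_target(hook, sloppy));
    return 0;
}
```

Two points follow from running it. The low four bytes of a little-endian 64-bit two's-complement offset are exactly the four bytes of the 32-bit offset whenever the value fits in 32 bits, which on x86-64 Linux it always does for a module hooking the core kernel, because both are mapped in the top 2 GiB of the address space precisely so that rel32 branches between them work; the unreachable case in the test shows the sloppy encoder silently producing a wrong target where the correct one refuses. And the patch destroys 20 bytes of the function rather than 5, so anything that later wants to call or restore the original must have saved at least 20 bytes of prologue, not the 5 a textbook trampoline keeps.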
The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said that his site had been targeted by the malware and some of his customers had been redirected to malicious sites.
The rootkit, like many pieces of malware, relies on a remote command-and-control server for some of its instructions. The server was still active at the time of the analysis, and researchers said that it hosts other related tools as well. To inject the iframes into pages served by the infected host, the rootkit does not touch the web server or its files; it uses a custom method at the network layer.
“The iFrame injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg – which is responsible for building TCP packets – with its own function, so the malicious iFrames are injected into the HTTP traffic by direct modification of the outgoing TCP packets,” Marta Janus of Kaspersky Lab said in her analysis of the rootkit.
“In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication. We weren’t able to connect to the C&C on the port used by the malware, but the malicious server is still active and it hosts other *NIX based tools, such as log cleaners.”
Once the rootkit connects to the C&C server, the server sends back the injection instructions: whether to inject JavaScript or an iframe, and the specific code to be used. Wicherski said that the rootkit’s method for maintaining persistence on the infected machine, a command appended to /etc/rc.local to load the module at boot, is somewhat sloppy.
“Since the command is appended to the end of rc.local, there might actually be shell commands that result in the command not being executed as intended. On a default Debian squeeze install, /etc/rc.local ends in an exit 0 command, so that the rootkit is effectively never loaded,” he wrote.
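The check below is an added example, not code from the CrowdStrike analysis. It scans an rc.local-style script held in memory and reports every command line that sits after the first unconditional `exit 0`: the shell never reaches those lines, which is why the appended loader command is dead on a stock Debian squeeze /etc/rc.local, and the same lines are a cheap artefact to hunt for, since a legitimate edit would be placed before the exit. The two sample scripts and the module path in them are constructed, not taken from any real host.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* True if the line (length n, not NUL-terminated) is `exit 0`, allowing surrounding
   whitespace and a trailing comment. `exit 01` or `exit 0;` do not match. */
static int is_exit0(const char *line, size_t n) {
    size_t i = 0;
    while (i < n && isspace((unsigned char)line[i])) i++;
    if (n - i < 6 || strncmp(line + i, "exit", 4) != 0) return 0;
    i += 4;
    if (!isspace((unsigned char)line[i])) return 0;
    while (i < n && isspace((unsigned char)line[i])) i++;
    if (i >= n || line[i] != '0') return 0;
    i++;
    while (i < n && isspace((unsigned char)line[i])) i++;
    return i == n || line[i] == '#';
}

static int is_blank_or_comment(const char *line, size_t n) {
    size_t i = 0;
    while (i < n && isspace((unsigned char)line[i])) i++;
    return i == n || line[i] == '#';
}

/* Count the command lines that follow the first `exit 0` in `script`. If out is
   non-NULL the dead lines are copied into it, each newline-terminated, truncated to
   outsz. Returns the count; 0 means nothing is hidden behind the exit. */
int dead_rc_lines(const char *script, char *out, size_t outsz) {
    int seen_exit = 0, count = 0;
    size_t used = 0;
    if (out && outsz) out[0] = '\0';
    for (const char *p = script; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        if (seen_exit && !is_blank_or_comment(p, n)) {
            count++;
            if (out && used + n + 2 <= outsz) {      /* room for newline and NUL */
                memcpy(out + used, p, n);
                used += n;
                out[used++] = '\n';
                out[used] = '\0';
            }
        } else if (!seen_exit && is_exit0(p, n)) {
            seen_exit = 1;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return count;
}

/* Convenience for checking results: 1 if the dead lines of `script` equal `expected`. */
int dead_rc_lines_equal(const char *script, const char *expected) {
    char buf[1024];
    dead_rc_lines(script, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Constructed samples. The first mirrors the Debian squeeze case: the stock file ends
   in `exit 0` and the loader command was appended after it, so it never runs. */
const char SAMPLE_RC_DEAD[] =
    "#!/bin/sh -e\n"
    "#\n"
    "# rc.local\n"
    "#\n"
    "exit 0\n"
    "/sbin/insmod /lib/modules/sample_rootkit.ko\n";   /* constructed path */

const char SAMPLE_RC_LIVE[] =
    "#!/bin/sh -e\n"
    "/sbin/insmod /lib/modules/sample_rootkit.ko\n"    /* constructed path */
    "exit 0\n";

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/etc/rc.local";
    static char buf[1 << 16];                  /* rc.local is small; 64 KiB is plenty */
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 1; }
    size_t len = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[len] = '\0';
    char dead[4096];
    int n = dead_rc_lines(buf, dead, sizeof dead);
    printf("%s: %d command line(s) after `exit 0`\n%s", path, n, dead);
    return n ? 2 : 0;
}
```

Run it as `./dead_rc /etc/rc.local`; a nonzero count is either a broken local edit or something appended by a tool that did not read the file first. The check only understands a literal `exit 0` line, which is the stock Debian ending; it does not try to evaluate conditionals or other exit paths.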
Researchers believe that the Linux rootkit is likely being used in cybercrime operations rather than in targeted attacks, as the quality of the code is not high enough to have come from one of the groups currently engaged in upper-level attacks.
“Although the code quality would be unsatisfying for a serious targeted attack, it is interesting to see the cyber-crime-oriented developers, who have partially shown great skill at developing Windows rootkits, move into the Linux rootkit direction. The lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit, is a further indicator that this is not part of a sophisticated, targeted attack,” Wicherski said.