New Linux Rootkit Uncovered
The malware appears to be contract work by an intermediate-level Russian programmer, according to an analysis by CrowdStrike.
New Linux malware was recently discovered by a user who published its details on the Full Disclosure mailing list.
"The anonymous poster, who runs a web service, found the rootkit on company servers after customers said they were redirected to malicious sites," writes SC Magazine's Danielle Walker.
"The binary is more than 500k, but its size is due to the fact that it hasn't been stripped (i.e. it was compiled with the debugging information)," writes Kaspersky's Marta Janus. "Perhaps it's still in the development stage, because some of the functions don’t seem to be fully working or they are not fully implemented yet."
"The software nasty targets machines running 64-bit GNU/Linux and a web server, and acts like a rootkit by hiding itself from administrators," writes The Register's John Leyden. "A browser fetching a website served by the compromised system will be quietly directed via an HTML iframe to malicious sites loaded with malware to attack the web visitor's machine."
"Considering that this rootkit was used to non-selectively inject iframes into nginx webserver responses, it seems likely that this rootkit is part of a generic cyber crime operation and not a targeted attack," CrowdStrike senior security researcher Georg Wicherski wrote in a detailed analysis. "However, a Waterhole attack, where a site mostly visited from a certain target audience is infected, would also be plausible. Since no identifying strings yielded results in an Internet search ... it appears that this is not a modification of a publicly available rootkit. Rather, it seems that this is contract work of an intermediate programmer with no extensive kernel experience, later customized beyond repair by the buyer."
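The injection CrowdStrike describes happens on the compromised host, which also hides the rootkit from the administrator's own tools, so the most reliable check is to fetch a page from an external client and compare the bytes received with the file under the document root: for a static site served by nginx the two should be identical, and any iframe present only in the served copy is suspect. The following is an added example written for this article, not code from CrowdStrike, Kaspersky or the Full Disclosure poster; the on-disk and served HTML bodies are constructed samples, and the IP address and path in the injected iframe are placeholders, not indicators from the actual campaign.

```python
"""Spot iframes injected into served responses by diffing them against the on-disk file.

Added example for this article; not code from any of the analyses quoted here.
Assumption: a static site served by nginx, so the body an external client
receives should be byte-identical to the file under the document root.
Sample inputs below are constructed; the injected src is a placeholder.
"""
import difflib
import urllib.request
from html.parser import HTMLParser


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.srcs.append(dict(attrs).get("src", ""))


def iframe_sources(html):
    """Return the list of iframe src values in document order."""
    parser = IframeCollector()
    parser.feed(html)
    return parser.srcs


def injected_iframes(on_disk, served):
    """Return iframe src values present in the served body but absent from the file on disk.

    Iframes that legitimately exist in the on-disk file (embedded video etc.)
    are whitelisted by their src, so only additions are reported.
    """
    expected = set(iframe_sources(on_disk))
    return [src for src in iframe_sources(served) if src not in expected]


def unified_diff(on_disk, served, path="index.html"):
    """Human-readable diff of the two copies, for the incident write-up."""
    return "".join(difflib.unified_diff(
        on_disk.splitlines(keepends=True),
        served.splitlines(keepends=True),
        fromfile="disk:" + path,
        tofile="served:" + path,
    ))


def fetch_served(url, timeout=10):
    """Fetch a page the way a visitor's browser would (run this from OUTSIDE the suspect host)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample: what is on disk under the nginx document root.
ON_DISK = """<html><head><title>Example</title></head>
<body><p>Hello</p>
<iframe src="https://video.example.com/embed/1"></iframe>
</body></html>
"""

# Constructed sample: the same page as received by an external client, with a
# hidden 1x1 iframe added by the server side. 203.0.113.5 is a documentation
# address (RFC 5737), not an indicator from the real campaign.
SERVED = """<html><head><title>Example</title></head>
<body><p>Hello</p>
<iframe src="https://video.example.com/embed/1"></iframe>
<iframe src="http://203.0.113.5/in.cgi" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""


if __name__ == "__main__":
    for src in injected_iframes(ON_DISK, SERVED):
        print("injected iframe:", src)
    print(unified_diff(ON_DISK, SERVED))
```

Run the comparison from a host you trust, pulling the on-disk copy over an out-of-band channel (a file copy from a rescue boot, for example): a tool executed on the infected server itself is exactly what a rootkit is designed to lie to. A clean diff does not prove the absence of the rootkit, only that this page was not tampered with at the moment of the fetch.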
"The firm, looking at the tools, techniques and procedures employed and some background information it could not disclose, suggested the creator of the rootkit was likely to be Russian," writes TechWeekEurope's Tom Brewster.