An advanced Linux malware strain can automatically hijack websites hosted on compromised servers to attack web surfers with drive-by-downloads.
The software nasty targets machines running 64-bit GNU/Linux and a web server, and acts like a rootkit by hiding itself from administrators. A browser fetching a website served by the compromised system will be quietly directed via an HTML iframe to malicious sites loaded with malware to attack the web visitor's machine.
Details of the attack first surfaced in a post to the Full Disclosure mailing list.
Marta Janus, an antivirus analyst at security biz Kaspersky Labs, said the Linux malware appears to be a prototype and is possibly still undergoing development.
"The malware module was specially designed for the kernel version 2.6.32-5-amd64, which happens to be the latest kernel used in 64-bit Debian Squeezy," she wrote on her employer's Securelist blog. "The binary is more than 500KB, but its size is due to the fact that it hasn't been stripped (i.e. it was compiled with the debugging information).
"Perhaps it's still in the development stage, because some of the functions don’t seem to be fully working or they are not fully implemented yet."
Drive-by-downloads expose web surfers to malicious code that attempts to exploit unpatched software vulnerabilities in the web visitor's PC or handheld. Security holes in web browsers, Java and Flash plugins and the underlying operating system are typical targets.
What makes this Linux nasty extra crafty
The experimental Linux malware is indiscriminate: it doesn't just hijack one specific website, nor target a particular scripting language or web app platform. Instead, it infiltrates every site hosted by an HTTP server on the compromised box. The rootkit part, which burrows into the Linux kernel to prevent detection by software and superusers, ensures the cunning scam is not immediately blown - not until web surfers hitting the server complain of being hacked by the drive-by-download redirects, at least.
As such the malware is the equivalent of moving up from a rifle taking pot shots at users to a prototype buried gun turret that pops up to silently strafe anyone within reach.
The Linux malware is designed to load itself into memory on startup before hooking itself into kernel functions. Rootkit Linux Snakso-A, as Kaspersky Lab dubs the software, uses various ninja-style tricks to hide itself before crafting network data packets containing the HTML iframes; these are then tucked into the server's output to visiting web browsers. The malicious payload delivered to surfers through these iframes is pulled from a mastermind's command-and-control server.
"The iframe injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg - which is responsible for building TCP packets - with its own function, so the malicious iframes are injected into the HTTP traffic by direct modification of the outgoing TCP packets," Janus explained.
"In order to obtain the actual injection payload, the malware connects to the C&C server using an encrypted password for authentication."
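Because the injection happens below the web server, in the kernel's TCP send path, the file on disk stays clean while the bytes on the wire do not. The following added example (not code from the Register, Kaspersky or CrowdStrike) shows the kind of check a server administrator can run from an outside host: compare what a client actually receives against the document the server should have sent, and report any iframe that appears only on the wire. The sample response, the placeholder domain and the Content-Length check are constructed for illustration; whether a packet-level injector leaves Content-Length inconsistent is an assumption, not something the analysis states.

```python
from html.parser import HTMLParser


class _IframeCollector(HTMLParser):
    """Collect the src of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs.append(dict(attrs).get("src") or "")


def iframe_srcs(html):
    parser = _IframeCollector()
    parser.feed(html)
    return parser.srcs


def split_response(raw):
    """Split a raw HTTP/1.1 response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def injected_iframes(expected_html, raw_response):
    """iframe src values seen on the wire that the file on disk does not contain."""
    _, body = split_response(raw_response)
    on_disk = set(iframe_srcs(expected_html))
    return [s for s in iframe_srcs(body.decode("latin-1")) if s not in on_disk]


def content_length_mismatch(raw_response):
    """True when the declared Content-Length disagrees with the bytes received."""
    headers, body = split_response(raw_response)
    declared = headers.get("content-length")
    return declared is not None and int(declared) != len(body)


# Constructed sample: the page as stored on disk, and the same response with an
# iframe spliced into the body after the server wrote it (placeholder domain).
EXPECTED_PAGE = "<html><body><h1>Welcome</h1></body></html>"
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(EXPECTED_PAGE)
    + EXPECTED_PAGE.encode()
)
INJECTED_TAG = b'<iframe src="http://placeholder-c2.invalid/x" width="0" height="0"></iframe>'
TAMPERED_RESPONSE = CLEAN_RESPONSE.replace(b"</body>", INJECTED_TAG + b"</body>")

if __name__ == "__main__":
    print("injected:", injected_iframes(EXPECTED_PAGE, TAMPERED_RESPONSE))
    print("length mismatch:", content_length_mismatch(TAMPERED_RESPONSE))
```

In practice the raw response comes from a client on another machine (a kernel hook on the server will also rewrite traffic fetched from localhost), and the expected page is read from the document root or from a known-good backup.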
Kaspersky Lab warned the malicious command-and-control server behind the attacks was still active at the time it completed its analysis.
Janus concluded the prototype malware uses a far more powerful and sophisticated attack strategy than has previously been seen in drive-by download attacks. She wrote:
So far, in most of the drive-by download scenarios an automated injection mechanism is implemented as a simple PHP script. In the case described above, we are dealing with something far more sophisticated - a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before. This rootkit, though it's still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future.
A detailed analysis of the malware by security startup CrowdStrike asserted that the malware could be used to infect websites regularly frequented by employees at a targeted organisation as part of an espionage-style attack.
"The rootkit at hand seems to be the next step in iframe-injecting cyber-crime operations, driving traffic to exploit kits," CrowdStrike analysts concluded. "It could also be used in a waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail."
CrowdStrike reckoned the malware is the work of a contractor, probably based in Russia.
"It appears that this is not a modification of a publicly available rootkit," Georg Wicherski, senior security researcher at CrowdStrike, wrote. "It seems that this is contract work of an intermediate programmer with no extensive kernel experience. Based on the tools, techniques, and procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely." ®