A newly discovered form of malware that targets Linux servers acting as Web servers allows an attacker to directly inject code into any page on infected servers—including error pages. The rootkit, which was first publicly discussed on the Full Disclosure security e-mail list on November 13, appears to be crafted for servers running the 64-bit version of Debian Squeeze and NGINX.
An analysis of the rootkit by Kaspersky Lab found that the malware inserts HTML iframe elements into every page served up to Web browsers connecting to the server. It does this by hooking the kernel function that sends TCP data (tcp_sendmsg) and replacing it with its own code, so the injection happens on the wire rather than in the files on disk. The malware then retrieves the code to be inserted into the iframe by connecting, botnet-like, to a command and control network with an encrypted password.
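Because the injection happens in the kernel's send path, the HTML files on disk stay clean while the response on the wire carries the extra iframe; a simple check is to diff the two. The following is an added detection example, not code from the article or from Kaspersky; the page samples and the injected-iframe host are constructed placeholders.

```python
from html.parser import HTMLParser


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.srcs.append(dict(attrs).get("src", ""))


def iframe_srcs(html):
    """Return the iframe src values found in html, in document order."""
    parser = _IframeCollector()
    parser.feed(html)
    return parser.srcs


def find_injected_iframes(served_html, on_disk_html):
    """Return iframe srcs that appear in the served page but not in the on-disk file.

    A hooked tcp_sendmsg modifies the response after the Web server has read the
    file, so anything in this list was added below the application layer.
    """
    expected = set(iframe_srcs(on_disk_html))
    return [src for src in iframe_srcs(served_html) if src not in expected]


# Constructed samples: the 404 page as stored on disk, and the same page as a
# client would receive it from a server whose kernel injects an iframe.
ON_DISK_404 = "<html><body><h1>404 Not Found</h1></body></html>"
SERVED_404 = (
    "<html><body><h1>404 Not Found</h1>"
    '<iframe src="http://injected.invalid/landing" width="1" height="1"></iframe>'
    "</body></html>"
)
# A page whose iframe is legitimate (present in the file itself) must not be flagged.
CLEAN_PAGE = '<html><body><iframe src="https://video.example/embed"></iframe></body></html>'

if __name__ == "__main__":
    print("injected:", find_injected_iframes(SERVED_404, ON_DISK_404))
    print("clean:", find_injected_iframes(CLEAN_PAGE, CLEAN_PAGE))
```

In practice the served copy comes from a fetch over the network (from a separate host, since the infected kernel only alters what it sends) and the on-disk copy from the document root, including the error pages the article singles out.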
The rootkit, designated Rootkit.Linux.Snakso.a by Kaspersky, is a new approach to drive-by downloads, which usually rely on PHP script rather than code injected into the operating system kernel. Because the new rootkit infects the entire server and not just a specific page, the malware could affect dozens or even hundreds of websites at a time if it infects the server of a Web hosting provider.
According to Georg Wicherski, senior security researcher at CrowdStrike, the rootkit is most likely the work of a Russian hacker—and not necessarily a very skilled one. “It seems that this is contract work of an intermediate programmer with no extensive kernel experience,” Wicherski said in a blog post. But he said that the approach used “seems to be the next step in iframe-injecting cyber crime operations, driving traffic to exploit kits. It could also be used in a Waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail.”