On a number of web servers a new rootkit has been found that is used to covertly inject malicious code into the content served by the HTTP server. The rootkit infects 64-bit Linux servers running Debian Squeeze with kernel 2.6.32-5-amd64.
After the module is loaded and the rootkit is activated in the kernel, it hides its traces and injects into the HTTP traffic generated by the local web server an iframe block with code that exploits vulnerabilities in client browsers and the plug-ins installed in them.
Unlike the commonly used technique of inserting malicious code into the HTML pages stored on the server, the rootkit leaves the files intact and performs the substitution while the HTTP server is sending the content. Since the rootkit's components are masked and hidden from monitoring tools, at first glance there is no sign of malicious activity. The first information about the new rootkit was published a few days ago on the Full Disclosure mailing list. The administrator of one of the affected systems carried out an initial analysis of strange activity on his server: data leaving the server contained an injected malicious iframe, yet locally no injection of malicious code could be observed, and checking with strace what nginx wrote to the network socket showed correct data.
Later, one of the security researchers with access to the infected system analyzed the rootkit and published a detailed report on how it works. The most important conclusion is that the detected rootkit is a new development, not based on any previously available rootkit or rootkit-building toolkit. The implementation and quality of the rootkit indicate that it was not created for targeted attacks but is an initial attempt at creating yet another means of distributing malware.
After loading, the rootkit hooks several Linux kernel functions (vfs_readdir, vfs_read, filldir64 and filldir) that it needs in order to hide the rootkit's files on disk. To hide the loaded kernel module it modifies the list of active modules in the corresponding Linux kernel data structure. Hooking is performed by overwriting several bytes of code directly in the intercepted functions (a jmp rel32 instruction is inserted, with the offset computed and copied onto the stack). The rootkit is started by loading a Linux kernel module. However, since the command “insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko” was appended to the end of /etc/rc.local, and on Debian /etc/rc.local ends with a call to exit 0, the module-load command ends up after the exit call, i.e. after a reboot the rootkit is not activated.
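Two host-side checks for the mechanisms described above, as an added example that is not part of the original report or of the published analysis: the first flags commands appended after the `exit 0` in /etc/rc.local (the persistence method the text describes), the second flags loadable modules that still have a directory under /sys/module but are missing from /proc/modules, which is what unlinking a module from the kernel's module list typically leaves behind. The sample rc.local, /proc/modules text and sysfs names are constructed; the module name `module_init` is assumed from the .ko filename.

```python
import os
import re

RC_LOCAL = "/etc/rc.local"


def commands_after_exit(rc_local_text):
    """Return non-comment lines that follow the first bare 'exit N' in an rc.local.
    Debian's default rc.local ends with 'exit 0', so anything after it never runs
    at boot; an appended insmod there is a sign of tampering rather than of a
    working persistence mechanism."""
    tail, seen_exit = [], False
    for line in rc_local_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if seen_exit:
            tail.append(stripped)
        elif re.match(r"^exit(\s+\d+)?$", stripped):
            seen_exit = True
    return tail


def hidden_modules(proc_modules_text, sysfs_loaded):
    """Names of loadable modules present in sysfs but absent from /proc/modules.
    sysfs_loaded should contain only names whose /sys/module/<name>/initstate
    exists, which excludes built-in modules that merely expose parameters."""
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(set(sysfs_loaded) - listed)


def collect_live():
    """Gather the real inputs on a Linux host (assumes /proc and /sys are mounted)."""
    with open("/proc/modules") as f:
        proc = f.read()
    sysfs = [n for n in os.listdir("/sys/module")
             if os.path.exists(os.path.join("/sys/module", n, "initstate"))]
    with open(RC_LOCAL) as f:
        rc = f.read()
    return hidden_modules(proc, sysfs), commands_after_exit(rc)


# Constructed samples mirroring the case in the text (not captured from a real host).
SAMPLE_RC_LOCAL = """#!/bin/sh -e
# rc.local
exit 0
insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko
"""
SAMPLE_PROC_MODULES = "ext3 120000 1 - Live 0xffffffffa0000000\nmbcache 8000 1 ext3, Live 0xffffffffa0020000\n"
SAMPLE_SYSFS = ["ext3", "mbcache", "module_init"]  # module_init assumed hidden from the list

if __name__ == "__main__":
    print(commands_after_exit(SAMPLE_RC_LOCAL))
    print(hidden_modules(SAMPLE_PROC_MODULES, SAMPLE_SYSFS))
```

Run `collect_live()` on a suspect host; the sysfs comparison is a heuristic, so confirm any hit by other means (for example comparing kernel text against the distribution's vmlinux) before acting on it.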