Author Topic: (Possible) linux rootkit in combination with nginx

Offline menotu

(Possible) linux rootkit in combination with nginx
« on: November 20, 2012, 12:31:42 PM »
From seclists.org/fulldisclosure

Hi there, we've discovered something which looks to us like a rootkit working together with proxy software like nginx. Our OS is Debian Squeeze and nginx 1.2.3.

Here is what happened:

We are running a web service and we were notified by some of our customers that they were getting redirected to some malicious sites. Somehow a hacker managed to inject an iframe into our HTTP responses.

I tried to do a telnet test on our nginx proxy and saw that even the "bad request" response which gets served directly from nginx contained the malicious iframe code.

further details
PCLinuxOS 32bit KDE 4.10.1; kernel-3.4.11-pclos1.bfs & 64bit 3.2.18bfs; NVidia GeForce 8400GS 1GB 310.19 driver

Sony Vaio SVE1513A4ESI Laptop, Intel Core i5, 2.6GHz, 6GB RAM, 750GB, 15.6" Intel HD Graphics 4000
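The telnet check the poster describes, written out as a small Python script. This is an added example, not code from the forum post or the Full Disclosure message. It sends a request line that nginx has to reject on its own, so the 400 page comes straight from the proxy with no upstream involved, and then inspects that body: a stock nginx error page is a short HTML document with no `<iframe>` or `<script>`, so either tag in it, or a body whose length disagrees with the Content-Length header, points at tampering between nginx and the client. The host name, the `probe_bad_request` helper and the sample responses are constructed for illustration.

```python
"""Check an nginx error response for injected tags.

Added example, not code from the forum post or the Full Disclosure message.
It automates the telnet test described in the post: send a request line
nginx must reject itself, then look at the 400 page it returns. A stock
nginx error page contains no <iframe> or <script>, so either tag in that
body, or a body length that disagrees with Content-Length, is suspicious.
Host names and sample responses below are constructed.
"""
import re
import socket
from typing import Dict, Tuple

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)


def split_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into status line, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_response(raw: bytes) -> Dict[str, object]:
    """Report what looks wrong with an nginx error response, if anything."""
    status, headers, body = split_response(raw)
    text = body.decode("utf-8", errors="replace")
    tags = IFRAME_RE.findall(text) + SCRIPT_RE.findall(text)
    declared = headers.get("content-length")
    # An appended payload that leaves the original header in place shows up
    # as a body longer than the server declared.
    mismatch = declared is not None and declared.isdigit() and int(declared) != len(body)
    return {
        "status": status,
        "injected_tags": tags,
        "length_mismatch": mismatch,
        "suspicious": bool(tags) or mismatch,
    }


def probe_bad_request(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send a malformed request line and return the raw response bytes.

    Live equivalent of the poster's telnet session (hypothetical helper, not
    exercised by the constructed samples below).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GARBAGE\r\n\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed samples modelled on nginx's default 400 page, with the version
# string from the post. The tampered copy has an iframe appended after the
# declared body, so both checks fire.
_BODY = (
    b"<html>\r\n<head><title>400 Bad Request</title></head>\r\n"
    b'<body bgcolor="white">\r\n<center><h1>400 Bad Request</h1></center>\r\n'
    b"<hr><center>nginx/1.2.3</center>\r\n</body>\r\n</html>\r\n"
)
_HEAD = (
    b"HTTP/1.1 400 Bad Request\r\nServer: nginx/1.2.3\r\n"
    b"Content-Type: text/html\r\nContent-Length: " + str(len(_BODY)).encode()
    + b"\r\nConnection: close\r\n\r\n"
)
CLEAN_RESPONSE = _HEAD + _BODY
TAMPERED_RESPONSE = CLEAN_RESPONSE + (
    b'<iframe src="http://malicious.example/" width="1" height="1"></iframe>\r\n'
)

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_RESPONSE), ("tampered", TAMPERED_RESPONSE)):
        print(label, inspect_response(raw))
    # Against a real host: print(inspect_response(probe_bad_request("proxy.example")))
```

Running this from a machine outside the affected network, as the poster did with telnet, is what makes the result meaningful: a clean page seen locally and a tampered one seen from the outside narrows the problem to something sitting between nginx's own error handler and the wire.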

Offline menotu

Re: (Possible) linux rootkit in combination with nginx
« Reply #1 on: November 22, 2012, 07:25:22 AM »
by Dennis Fisher - November 20, 2012

New Linux Rootkit Emerges

A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems, and while it has some interesting features, it does not appear to be the work of a high-level programmer or be meant for use in targeted attacks.

The new Linux rootkit is loaded into memory and once there, it pulls out some memory addresses and then stores them for use later. It also then hooks into several kernel functions as a way to hide some of its files on the machine.

"To hook private functions that are called without indirection (e.g., through a function pointer), the rootkit employs inline code hooking. In order to hook a function, the rootkit simply overwrites the start of the function with an e9 byte. This is the opcode for a jmp rel32 instruction, which, as its only operand, has a 4-byte relative offset to jump to," Georg Wicherski of CrowdStrike wrote in a detailed analysis of the new Linux malware.

"The rootkit, however, calculates an 8-byte or 64-bit offset in a stack buffer and then copies 19 bytes (8 bytes offset, 11 bytes uninitialized) behind the e9 opcode into the target function. By pure chance the jump still works, because amd64 is a little endian architecture, so the extra high 4 bytes of the offset are simply ignored."

The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said that his site had been targeted by the malware and some of his customers had been redirected to malicious sites.

The rootkit, like many pieces of malware, relies on a remote command-and-control server for some instructions. The server is still active right now and researchers said that it has some other related tools stored on it, as well. In order to inject the iframes onto targeted sites the rootkit uses a custom method.

https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012
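The inline hook described in the quoted CrowdStrike analysis, worked through from the defender's side. This is an added example, not code from the Threatpost article or the CrowdStrike write-up. It decodes a `jmp rel32` at a function start exactly as the CPU does (one opcode byte, then a signed little-endian 4-byte displacement relative to the next instruction), which shows why an 8-byte little-endian offset with junk behind it still jumps to the right place: the low dword comes first in memory and the CPU never reads the rest. A prologue checker that compares a function's first bytes with a known-good copy can flag the overwrite and recover the jump target. The function name, addresses, prologue bytes and the 0xcc filler standing in for the 11 uninitialized bytes are all constructed for illustration.

```python
"""Decode an inline jmp hook on amd64 and show why an oversized offset still works.

Added example, not code from the Threatpost article or the CrowdStrike
analysis. The quoted text says the rootkit overwrites a function's first byte
with e9 (jmp rel32) and copies an 8-byte offset plus 11 uninitialized bytes
behind it. The CPU decodes only the 4 bytes after e9 as a signed little-endian
displacement, so a positive offset that fits in 32 bits lands on the hook
regardless of what follows. Addresses and byte patterns below are constructed.
"""
import struct
from typing import Dict, Optional

JMP_REL32_OPCODE = 0xE9
JMP_REL32_LEN = 5            # opcode byte + 4-byte displacement
MASK64 = (1 << 64) - 1


def decode_jmp_rel32(code: bytes, addr: int) -> Optional[int]:
    """If the bytes at `addr` start with jmp rel32, return its absolute target."""
    if len(code) < JMP_REL32_LEN or code[0] != JMP_REL32_OPCODE:
        return None
    (rel,) = struct.unpack_from("<i", code, 1)     # signed, little-endian
    # rel32 is relative to the address of the instruction that follows the jmp
    return (addr + JMP_REL32_LEN + rel) & MASK64


def check_prologue(name: str, addr: int, observed: bytes, expected: bytes) -> Dict[str, object]:
    """Compare observed function bytes with a known-good prologue and report.

    `expected` would normally come from the distribution's own vmlinux for
    the running kernel version; here it is a constructed sample.
    """
    return {
        "function": name,
        "modified": observed[: len(expected)] != expected,
        "inline_jmp_target": decode_jmp_rel32(observed, addr),
    }


def low_dword_of_qword(offset: int) -> bytes:
    """Little-endian 8-byte encoding puts the low 4 bytes first, which is
    exactly what the CPU consumes as rel32 after the e9 opcode."""
    return struct.pack("<q", offset)[:4]


# Constructed sample: a kernel function and a hook living in module space.
FUNC_ADDR = 0xFFFFFFFF81400000
HOOK_ADDR = 0xFFFFFFFFA0012000
HOOK_OFFSET = HOOK_ADDR - (FUNC_ADDR + JMP_REL32_LEN)         # 0x1EC11FFB
# push rbp; mov rbp,rsp; push r15; push r14 (a typical prologue, constructed)
EXPECTED_PROLOGUE = bytes.fromhex("55 48 89 e5 41 57 41 56")

# The 20 bytes the analysis describes at the function start: e9, an 8-byte
# offset, then 11 bytes of whatever was on the stack (0xcc stands in here).
OBSERVED = bytes([JMP_REL32_OPCODE]) + struct.pack("<q", HOOK_OFFSET) + b"\xcc" * 11

if __name__ == "__main__":
    print(check_prologue("example_fn", FUNC_ADDR, OBSERVED, EXPECTED_PROLOGUE))
    print(check_prologue("example_fn", FUNC_ADDR, EXPECTED_PROLOGUE, EXPECTED_PROLOGUE))
```

The same decoder handles a hook placed below the hooked function, since the displacement is signed; the comparison against a known-good prologue is what turns "a jmp at offset 0" into a finding, because legitimate kernel code can also begin with a jump.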

Offline Wildman

Re: (Possible) linux rootkit in combination with nginx
« Reply #2 on: November 22, 2012, 10:07:23 AM »
These may very well be the "Testing Phase" for the Linux viruses and malware to follow... They write these things and then open them slowly to the Internet, to see what and how they perform... called field testing... once they learn how and where to apply them, then wham, they start flooding the world with their garbage... they are one group I'd have no mercy for... :-\
We are all in the gutter,
but some of us are looking at the stars.
~Oscar Wilde~


Joe Gable, "Joble" Was my Friend..
Dave "Exwintech" has also gone on...
Linux Counter #288984