Thread: is this heads up of interest?

  1. #1
    Join Date
    Mar 2005
    Beans
    1,372

    is this heads up of interest?

    Just seen this on twitter from

    ===============================
    Mikko Hypponen @mikko
    Remarkable new Linux rootkit: http://blog.crowdstrike.com/2012/11/...x-rootkit.html … Capable of injecting malicious iframes into web traffic. Analysis by @ochsff
    ===============================

    I am no expert and I would appreciate any informed comments

  2. #2
    Join Date
    Dec 2007
    Location
    California
    Beans
    4,900
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: is this heads up of interest?

    I see it works on a specific kernel, 2.6.32-5, that's a *very* old kernel. I didn't see anything about whether it works on other kernels or not.
    "You can't expect to hold supreme executive power just because some watery tart lobbed a sword at you"

    "Don't let your mind wander -- it's too little to be let out alone."

  3. #3
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: is this heads up of interest?

    Even I'm a bit confused here. The analysis in the Crowdstrike post seems to me to be implying this is client-side malware, but the Full Disclosure post looks like they're talking about a server being compromised in such a way that it injected code in HTTP responses which were then directing other clients to malware. To me a server compromise seems more likely, but it's already been cleaned up and identifying information on the attackers has not been made available.

    Edit: I checked out the Kaspersky link as well. It's on a server, and it is kind of a novel approach. Rather than using a shotgun approach of remote file inclusion exploits with PHP, they are instead (somehow, not specified in the posts) installing the rootkit, which is more persistent and more versatile. The end game still appears to be directing people who browse the sites to other places for malware though, which is nothing new at all. This leaves the malware risk to desktop Linux users in the same place it was before.
    Last edited by OpSecShellshock; November 20th, 2012 at 02:49 AM. Reason: Further reading. Sigh.
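A practical check that follows from the server-side reading above, as an added example that is not part of the thread: because the rootkit injects the iframe into the HTTP response rather than into the files on disk, the page on disk stays clean while the page as served does not. The script below pulls the `src` of every `<iframe>` out of two copies of the same page and reports any that only appear in the served copy. The HTML samples, the `malicious.example` host and the `fetch_served` helper are all constructed for illustration; nothing here is from the CrowdStrike or Kaspersky write-ups.

```python
# Added example, not from the thread. Compares a page as served by the web
# server with the same page on disk and flags <iframe> elements that exist
# only in the served copy. Run the fetch from a separate, trusted host: the
# comparison is only meaningful if the machine doing the fetching is clean.
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.request import urlopen


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, str]]) -> None:
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.srcs.append(dict(attrs).get("src") or "")


def iframe_srcs(html: str) -> List[str]:
    """Return the src of every iframe in document order."""
    collector = IframeCollector()
    collector.feed(html)
    collector.close()
    return collector.srcs


def injected_iframes(on_disk: str, as_served: str) -> List[str]:
    """Return iframe src values present in the served copy but not on disk."""
    expected = set(iframe_srcs(on_disk))
    return [src for src in iframe_srcs(as_served) if src not in expected]


def fetch_served(url: str) -> str:
    """Fetch a page over HTTP from the server under suspicion (hypothetical helper)."""
    with urlopen(url, timeout=10) as resp:  # nosec: operator-supplied URL
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample: a clean page as it sits on disk.
ON_DISK = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widget"></iframe>
</body></html>"""

# Constructed sample: the same page with one extra iframe spliced into the
# response stream, the way an injecting rootkit would add it.
AS_SERVED = ON_DISK.replace(
    "</body>",
    '<iframe src="http://malicious.example/ld.php" width="1" height="1"></iframe>\n</body>',
)

if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    # Against a live host you would use, from another machine:
    #   served = fetch_served("http://victim.example/index.html")
    #   disk = open("/var/www/index.html").read()  # copied off the server
    for src in injected_iframes(ON_DISK, AS_SERVED):
        print("iframe only present in served copy:", src)
```

Two caveats when using this for real. Compare a response fetched from a machine you trust, not one read from the suspect server itself, since a kernel rootkit can lie to local tools as easily as it rewrites outbound traffic. And for dynamic pages (PHP, templates, CDN-rewritten HTML) the disk copy will legitimately differ from the response, so the useful baseline there is a known-good fetch taken earlier, not the file on disk.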
