[ale] New Linux Rootkit

David Tomaschik david at systemoverlord.com
Tue Nov 20 17:46:48 EST 2012


On Tue, Nov 20, 2012 at 12:11 PM, Jay Lozier <jslozier at gmail.com> wrote:

>  On 11/20/2012 02:18 PM, David Tomaschik wrote:
>
> Looks like it's targeting 64-bit Debian:
> https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012
>
>  --
> David Tomaschik
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
>
> Quick question - how does one determine if the rootkit is running? I tried ps
> -u foo and did not see any listings for its processes. Also, the article
> was somewhat confusing about who is at risk. The kernel mentioned is used
> by Debian but it is an older version (2 something) not a 3 series and it is
> not clear to me if that is important.
>

If you want the technical details, see
http://blog.crowdstrike.com/2012/11/http-iframe-injecting-linux-rootkit.html.
But basically, the version in the wild does a terrible job of hiding
itself. It fails to hide from ps, instead showing kernel threads of
[get_http_inj_fr] and [write_startup_c] in ps. That and the traces in
/etc/rc.local are probably enough to find the current incarnation easily.
That being said, there's nothing on how the attacker is getting root in
the first place, and I suspect new versions with better hiding will come
out soon.



-- 
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
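A small host check for the two indicators named in the reply above (the bracketed kernel-thread names in ps and non-stock lines in /etc/rc.local), added here as an example; it is not from the original message or from either article. The ps lines and rc.local contents it runs against are constructed sample data, and the insmod path is a labelled placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: look for the two indicators David names,
# kernel threads [get_http_inj_fr] / [write_startup_c] in ps, and non-stock
# lines in /etc/rc.local. Sample data below is constructed, not a real capture.

INDICATOR_THREADS='get_http_inj_fr write_startup_c'

# Read "pid comm" lines (e.g. from: ps -eo pid,comm) on stdin and print any
# whose command matches an indicator name, bracketed or not. Kernel threads
# show in brackets because they have no argv. Returns 0 if anything matched.
scan_ps_output() {
    found=1
    while read -r pid comm; do
        for name in $INDICATOR_THREADS; do
            case "$comm" in
                "[$name]"|"$name")
                    printf 'suspicious kernel thread: pid %s %s\n' "$pid" "$comm"
                    found=0 ;;
            esac
        done
    done
    return $found
}

# Print every line of an rc.local-style file that is not a comment, blank, or
# the stock "exit 0". On an untouched Debian install this prints nothing.
scan_rc_local() {
    grep -Ev '^[[:space:]]*(#|$|exit[[:space:]]+0[[:space:]]*$)' "$1"
}

# --- constructed sample input for a stand-alone run ---
SAMPLE_PS='PID COMMAND
1 init
2 kthreadd
917 [get_http_inj_fr]
918 [write_startup_c]
1203 sshd'

SAMPLE_RC=$(mktemp)
cat > "$SAMPLE_RC" <<'EOF'
#!/bin/sh -e
# rc.local (constructed sample; the module path is a placeholder)
insmod /PLACEHOLDER/PATH/to/module.ko
exit 0
EOF

printf '%s\n' "$SAMPLE_PS" | scan_ps_output
scan_rc_local "$SAMPLE_RC"
rm -f "$SAMPLE_RC"
```

On a live box, feed it `ps -eo pid,comm` and point `scan_rc_local` at /etc/rc.local; as the reply notes, this only catches the current, poorly hidden incarnation.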

