First spotted on Seclists’ Full Disclosure mailing list, the rootkit specifically targets Linux kernel version 2.6.32-5-amd64, the kernel shipped with 64-bit Debian Squeeze, and uses “advanced techniques to hide itself,” while infecting websites hosted on compromised web servers by injecting malicious iFrames into the HTTP response traffic through direct modification of the TCP packets. This mechanism can be used to carry out drive-by downloads against the systems of users who visit sites hosted on the compromised HTTP servers.
Kaspersky researchers have explained how the rootkit works in their Securelist posting. They report that the malware reads kernel variables, extracts the memory addresses of several kernel functions and stores them for later use. To ensure it runs every time the system boots, it inserts an entry into the /etc/rc.local script. Then, to stay undetected, it hooks a few kernel functions and attempts to hide several other files and threads.
The most advanced part of the malware is how it carries out its iFrame injection for drive-by downloads. The malware replaces the system function tcp_sendmsg with its own function, through which it can inject malicious iFrames into the HTTP response traffic by directly modifying the outgoing TCP packets. This is completely different from what has been used so far. “So far, in most of the drive-by download scenarios an automated injection mechanism is implemented as a simple PHP script,” notes Kaspersky.
“…we are dealing with something far more sophisticated – a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before.”
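Two defender-side checks follow from the behaviour described above: the persistence entry added to /etc/rc.local, and the fact that a tcp_sendmsg hook changes the bytes on the wire after the web server has handed them to the kernel, so the response a client receives no longer matches what the server application produced. The script below is an added example written for this article; it is not code from the rootkit, Kaspersky or CrowdStrike. The rc.local contents, the two HTTP responses and the domain malicious.example are all constructed samples, and the Content-Length comparison is a generic consistency check, not a documented property of this rootkit.

```python
"""
Added example (not from the original article or the analysed samples).

Check 1: scan an /etc/rc.local for commands that load kernel modules at boot.
Check 2: compare the HTTP response the web server believes it sent with the
         response observed on the network and report iframes that only exist
         on the wire, plus whether the declared Content-Length still matches.
"""
import re

# Constructed sample rc.local: one module loaded from the regular module tree
# and one loaded from a hidden directory under /tmp. Both should be reviewed;
# the second is flagged as suspicious.
SAMPLE_RC_LOCAL = """#!/bin/sh -e
# rc.local
/usr/sbin/some-legit-daemon --start
insmod /lib/modules/2.6.32-5-amd64/kernel/net/ipv4/example_mod.ko
/sbin/insmod /tmp/.x/module.ko
exit 0
"""

# Matches "insmod <path>" or "modprobe <name>", optionally with a /sbin prefix.
MODULE_LOADERS = re.compile(r"(?:^|\s)(?:/sbin/|/usr/sbin/)?(insmod|modprobe)\s+(\S+)")


def scan_rc_local(text):
    """Return (line_no, loader, target, suspicious) for each module-loading line.
    An insmod of a file outside /lib/modules/ is marked suspicious."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comments and the shebang are not executed
        m = MODULE_LOADERS.search(line)
        if m:
            loader, target = m.groups()
            suspicious = loader == "insmod" and not target.startswith("/lib/modules/")
            hits.append((n, loader, target, suspicious))
    return hits


IFRAME = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)


def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.decode("latin-1").partition(":")
        headers[k.strip().lower()] = v.strip()
    return status, headers, body


def find_injected_iframes(expected_raw, observed_raw):
    """Compare the server-side view of a response with the wire capture.
    Returns iframe tags present only on the wire, whether the body differs at
    all, and whether the declared Content-Length matches the observed body."""
    _, _exp_hdr, exp_body = split_response(expected_raw)
    _, obs_hdr, obs_body = split_response(observed_raw)
    exp_frames = set(IFRAME.findall(exp_body.decode("latin-1")))
    obs_frames = IFRAME.findall(obs_body.decode("latin-1"))
    injected = [f for f in obs_frames if f not in exp_frames]
    declared = obs_hdr.get("content-length")
    length_ok = declared is None or int(declared) == len(obs_body)
    return {
        "injected_iframes": injected,
        "body_changed": exp_body != obs_body,
        "content_length_ok": length_ok,
    }


# Constructed sample: what the web server produced (60-byte body) ...
EXPECTED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 60\r\n\r\n"
    b"<html><body><h1>Hello</h1><p>Site content.</p></body></html>"
)
# ... and what a client on the network received: an iframe has been spliced in
# before </body> while the headers were left untouched.
OBSERVED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 60\r\n\r\n"
    b"<html><body><h1>Hello</h1><p>Site content.</p>"
    b'<iframe src="http://malicious.example/x" width="0" height="0"></iframe>'
    b"</body></html>"
)

if __name__ == "__main__":
    for hit in scan_rc_local(SAMPLE_RC_LOCAL):
        print("rc.local line %d: %s %s%s" % (hit[0], hit[1], hit[2],
                                            "  <-- suspicious" if hit[3] else ""))
    print(find_injected_iframes(EXPECTED, OBSERVED))
```

In practice the "expected" response is obtained on the server itself (for example by reading the static file or requesting the page over the loopback interface, which the article's description of packet modification does not cover) and the "observed" response from a capture or a request made from another host; any difference, not just a new iframe, points at something between the web server and the wire.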
CrowdStrike has published an extensive analysis of the rootkit and notes: “The rootkit at hand seems to be the next step in iFrame injecting cyber crime operations, driving traffic to exploit kits.”