Researchers dissect Linux server rootkit

21 Nov 2012

A recently discovered rootkit could provide researchers with insight on the direction being taken in the malware space, security experts have claimed.

Security researchers have begun issuing reports on an unnamed and previously unknown Linux rootkit posted earlier this month to a security mailing list.

While early analysis has found that the attack is relatively crude by Windows rootkit standards, it has caught the eye of vendors because it appears to be a commercially-designed sample rather than part of a targeted attack.

Researchers believe that the rootkit is intended for use on web servers, infecting 64-bit Linux kernels and then injecting further attack code into web pages.

The discovery of the rootkit could indicate that cybercriminals are increasingly looking to infect Linux systems with sophisticated attacks. Rootkits, which run at the kernel level of a system, have emerged as a favourite means for avoiding the detection of conventional antivirus software.

"Although the code quality would be unsatisfying for a serious targeted attack, it is interesting to see the cyber-crime-oriented developers, who have partially shown great skill at developing Windows rootkits, move into the Linux rootkit direction," security firm CrowdStrike wrote in its analysis of the malware.

"The lack of any obfuscation and proper HTTP response parsing, which ultimately also led to discovery of this rootkit, is a further indicator that this is not part of a sophisticated, targeted attack."

CrowdStrike researchers also suggested the attack is likely the work of a specially-contracted developer and has since been modified by the buyer.

Marta Janus, a researcher with Kaspersky Labs, suggested that the attack could also signal a shift away from high-level attacks on HTTP servers towards more sophisticated methods which infect the server itself and poison the web pages it hosts.

"This rootkit, though it's still in the development stage, shows a new approach to the drive-by download schema and we can certainly expect more such malware in the future," Janus wrote.

Shaun Nichols
Shaun Nichols is the US correspondent for V3.co.uk. He has been with the company since 2006, originally joining as a news intern at the site's San Francisco offices.
