The H: Rootkit infects Linux web servers

A previously unknown rootkit is infecting Linux web servers and injecting malicious code into the web pages they serve. The rootkit was discovered by a user of the security mailing list Full Disclosure, who posted his observations, including the suspicious kernel module, to the list.

The malware adds an iframe to every web page served by the infected system via the nginx proxy, including error pages. Anyone who visits a web page on the server is then attacked by a specially crafted web page loaded in that iframe. Once an exploitable hole is identified on the visitor's machine, it is used to install malware on the visitor's system. The web server is therefore being used to redirect visitors to another web server, which can then infect their systems (poorly maintained Windows systems, for example) with malware.

Kaspersky Lab analysed the malware and dubbed it Rootkit.Linux.Snakso.a. The rootkit is designed to target 64-bit systems and has been compiled for kernel version 2.6.32-5, used in Debian Squeeze. After booting, it determines the memory addresses of a number of kernel functions, which it then hooks. The rootkit obtains deployment instructions from a command and control server. According to Kaspersky, the rootkit may still be under development, as it has been compiled with debug information in situ.
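Because the injection happens below nginx, the on-disk HTML looks clean while the bytes actually served carry the extra iframe. A simple defender's check is to fetch each page (error pages included) through the public-facing port and compare the iframes found in the response against those in the file on disk. The script below is an added example, not part of the original article or of any published analysis; the sample pages and the attacker.invalid URL are constructed, and fetching over the network is left to the caller.

```python
from html.parser import HTMLParser


class _IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.srcs.append(dict(attrs).get("src", "").strip())


def iframe_srcs(html):
    """Return the iframe src values in document order."""
    parser = _IframeCollector()
    parser.feed(html)
    return parser.srcs


def injected_iframes(on_disk_html, served_html):
    """Iframe src values present in the served response but absent from the file on disk."""
    expected = set(iframe_srcs(on_disk_html))
    return [src for src in iframe_srcs(served_html) if src not in expected]


def audit(pages):
    """pages maps a URL path to (on_disk_html, served_html); returns only paths with findings."""
    findings = {}
    for path, (on_disk, served) in pages.items():
        extra = injected_iframes(on_disk, served)
        if extra:
            findings[path] = extra
    return findings


# Constructed sample: the index page legitimately embeds one iframe of its own, and the
# 404 page embeds none. The "served" copies carry an extra hidden frame, as the rootkit
# adds one to every response, error pages included. The hostname is a placeholder.
INJECTED = '<iframe src="http://attacker.invalid/landing.php" width="1" height="1"></iframe>'
SAMPLE_PAGES = {
    "/index.html": (
        '<html><body><h1>Home</h1><iframe src="https://videos.example/embed/1"></iframe></body></html>',
        '<html><body><h1>Home</h1><iframe src="https://videos.example/embed/1"></iframe>'
        + INJECTED + "</body></html>",
    ),
    "/404.html": (
        "<html><body><h1>Not Found</h1></body></html>",
        "<html><body><h1>Not Found</h1>" + INJECTED + "</body></html>",
    ),
    "/about.html": (
        "<html><body><p>About us</p></body></html>",
        "<html><body><p>About us</p></body></html>",
    ),
}
```

A clean server produces no findings; any path that shows up points at injection between the document root and the client, which on this rootkit's victims means the kernel module rather than a tampered file.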
Ali Loney, on November 21, 2012