
New Linux rootkit injects malicious HTML into Web servers



A newly discovered form of malware that targets Linux servers acting as Web servers allows an attacker to directly inject code into any page on infected servers—including error pages. The rootkit, which was first publicly discussed on the [hidden content] list on November 13, appears to be crafted for servers running the 64-bit version of [hidden content] and [hidden content]

An analysis of the rootkit by Kaspersky Labs found that the malware inserts HTML iframe elements into every page served up to Web browsers connecting to the server. It does this by replacing the code that builds TCP/IP packets (tcp_sendmsg) with its own code. The malware then retrieves the code to be inserted into the iframe by connecting, botnet-like, to a command and control network with an encrypted password.

 

The rootkit, designated as Rootkit.Linux.Snakso.a by Kaspersky, is a new approach to drive-by downloads. They usually are based on PHP script—not code injected into the kernel of the operating system. Because the new rootkit infects the entire server and not just a specific page, the malware could affect dozens or even hundreds of websites at a time if it infects the server of a Web hosting provider.

 

According to Georg Wicherski, senior security researcher at Crowdstrike, the rootkit is most likely the work of a Russian hacker—and not necessarily a very skilled one. "It seems that this is contract work of an intermediate programmer with no extensive kernel experience," Wicherski said in a [hidden content] But he said that the approach used "seems to be the next step in iframe-injecting cyber crime operations, driving traffic to exploit kits. It could also be used in a Waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail."

 

Source: [hidden content]
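A detection check for the behaviour described above, as an added example that is not part of the original post or of the Kaspersky analysis: because the iframe is added when the response is sent rather than written into the files on disk, it compares the iframes in a page as a client received it with those in the page's source file. The function names, host names and sample pages are constructed for illustration, and the served copy is assumed to have been fetched from a separate client machine.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.sources.append((dict(attrs).get("src") or "").strip())


def iframe_sources(html):
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.sources


def injected_iframes(on_disk_html, served_html, allowed_hosts=()):
    """Return iframe sources present in the served page but not on disk.

    on_disk_html is None for pages with no source file (e.g. error pages);
    every iframe on such a page is reported unless its host is allowed.
    """
    expected = set(iframe_sources(on_disk_html or ""))
    findings = []
    for src in iframe_sources(served_html):
        host = urlsplit(src).hostname or ""
        if src not in expected and host not in allowed_hosts:
            findings.append(src)
    return findings


# Constructed sample data (not taken from the rootkit or the article).
DISK_PAGE = '<html><body><h1>Shop</h1><iframe src="https://maps.example.com/embed"></iframe></body></html>'
SERVED_PAGE = ('<html><body><iframe src="http://injected.example.net/in.php"></iframe>'
               '<h1>Shop</h1><iframe src="https://maps.example.com/embed"></iframe></body></html>')
SERVED_404 = '<html><body><iframe src="http://injected.example.net/in.php"></iframe><h1>Not Found</h1></body></html>'

if __name__ == "__main__":
    print(injected_iframes(DISK_PAGE, SERVED_PAGE))   # iframe added in transit
    print(injected_iframes(None, SERVED_404))         # error page, no source file
    print(injected_iframes(DISK_PAGE, DISK_PAGE))     # clean response
```

A mismatch that shows up on every virtual host of a server, error pages included, while the files on disk are unchanged, matches the server-wide behaviour the article describes rather than a compromised PHP script.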
