A New 64-bit Linux Rootkit Has Been Discovered

A report on threatpost.com, the Kaspersky Lab Security News Service, warns of a new rootkit for 64-bit Linux. Researchers who have analyzed its code report that it “appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks.”

“The iFrame injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg – which is responsible for building TCP packets – with its own function, so the malicious iFrames are injected into the packets,” Marta Janus, a Kaspersky Lab expert, stated in her report on the rootkit.

The malware attempts to ensure its startup by adding an entry to the /etc/rc.local script:
insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko

The good news so far is that on a default Debian Squeeze install (and thus on Ubuntu, which is based on Debian) the /etc/rc.local script ends with the exit 0 command, so a line added after it is never reached and the rootkit is not loaded at boot.
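One way to check a host for this kind of startup entry, as an added example that is not part of the original post or the Kaspersky report: the function lists module-load commands in an rc.local-style script and marks each as reachable or stranded after exit 0. The names audit_rc_local and write_sample, and the sample file, are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post.
# audit_rc_local FILE: list module-load commands in an rc.local-style script.
# Output, one line per finding: "<STATUS> <line number>: <text>"
#   ACTIVE = runs at boot; DEAD = placed after an unindented "exit".
# Return status: 1 if any ACTIVE finding, 2 if only DEAD ones, 0 if none.
# Heuristic: only an "exit" at column 0 is treated as ending the script, so
# an exit inside an if-block leaves later commands reported as ACTIVE.
audit_rc_local() {
    awk '
        /^[ \t]*#/ { next }                          # ignore comment lines
        /^exit([ \t;]|$)/ { exited = 1; next }       # script stops here
        /(^|[^A-Za-z0-9_])(insmod|modprobe)[ \t]/ {
            if (exited) dead++; else active++
            printf "%s %d: %s\n", (exited ? "DEAD" : "ACTIVE"), NR, $0
        }
        END { exit (active ? 1 : (dead ? 2 : 0)) }
    ' "$1"
}

# Constructed sample: a default-style rc.local ending in "exit 0", with the
# entry quoted in the post appended after it.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh -e
# rc.local (constructed sample)
exit 0
insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko
EOF
}

# With a path argument, audit that file; otherwise audit the sample.
if [ "$#" -gt 0 ]; then
    audit_rc_local "$1" || echo "status=$?"
else
    sample=$(mktemp) && write_sample "$sample"
    audit_rc_local "$sample" || echo "status=$?"
    rm -f "$sample"
fi
```

A DEAD finding still deserves investigation: the entry never runs, but something with root access wrote it.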

2 Responses to “A New 64-bit Linux Rootkit Has Been Discovered”

  1. 2 anthonyvenable110 November 21, 2012 at 6:38 pm

    Reblogged this on anthonyvenable110.
