FLAMING RETORT: Linux rootkit news "provides some comic relief"

Filed Under: Featured, Linux, Malware

About two weeks ago, a posting on the Full Disclosure Mailing List announced a new Linux rootkit.

Indeed, the posting didn't just announce the malware, but included a fully-working sample.

For those not familiar with the online highways and byways of information security, Full Disclosure is something of an institution.

As the list itself points out, the "relaxed atmosphere [...] provides some comic relief and certain industry gossip," but with the caveat that "most of the posts are worthless drivel, so finding the gems takes patience."

Whilst I don't usually condone the open, public dissemination of malicious code, little harm was done in this case. The rootkit doesn't spread or install itself, and is tied to a specific version of Linux.

(If you're interested in the details of this malware, you can read a step-by-step analysis published by a moderately mysterious US company called Crowdstrike.)

So: what is a rootkit? Is this something new to Linux?

Not at all.

Julian Assange, for example, now better known for being holed up in the Ecuador embassy in London, worked on a transparent and deniable disk encryption system at the end of the 1990s. This system ran on Linux, amongst others, and made use of rootkit techniques.

Indeed, the term rootkit originally came from the UNIX world. It described the set of software tools a hacker might use to break into a system, acquire administrative access (known as getting root, after the superuser account, called root), and then hide his presence.

These days, however, rootkits are most commonly associated with Windows. The key "feature" of any modern rootkit is not that it acquires administrative access - which isn't necessary for malware, though it is certainly very handy - but that it provides a layer of stealth. A smokescreen, if you like, against detection.

This new rootkit, detected by Sophos products as Troj/SrvInjRk-A, uses a whole variety of hiding techniques, and reminds us that the same sort of malware trickery that can be wrought against Windows can be wrought against Linux, too.

Windows and Linux (and OS X, for that matter) are, from a high-level architectural perspective, much more similar than they are different.

Loosely speaking, the operating system is split in two.

There's a userland part, where programs run such as your web server, your photo editor, and Emacs vi.

And there's a kernel part, which you can think of as the "administrator's administrator", managing everything else: memory, use of the CPU, access to disks and other hardware devices, as well as which programs get to run, and what they are allowed to do.

So malware that loads inside the kernel - as this rootkit does - has a number of advantages. Firstly, it's running on an equal footing to the other kernel code that manages the security of the higher-level, less-privileged userland. Secondly, it gets to see, and, by design, to tweak and modify, everything that comes from userland or is returned to it.

For example, after Troj/SrvInjRk-A loads, it patches a number of kernel system functions. You can see the patches here:

The functions vfs_read and vfs_readdir deal with access to files and directories (vfs stands for virtual file system). Casually modifying those kernel functions like this is horrendously risky, of course, but for a malware author, it's good enough.

And by hooking tcp_sendmsg, the malware is able to inspect network packets after they've been transmitted by your web server, and modify them "in flight" to include malicious content. This means the malicious content never even exists in userland - neither on disk nor in memory.

Interestingly, the malware contains a list of 854 IP numbers and ranges to which it refuses to send modified content. The list is an eclectic mix, including as it does both Google servers and what look like mobile phones, but it reminds us how easy it is for cybercriminals to present a two-faced appearance to the world.

If search engines don't spot your malware while they're spidering, and if system administrators or web designers don't see the altered content even when they're looking out for changes, your malware will probably survive unnoticed for longer.

Could you be infected with this malware and not know about it?

The good news is, that's unlikely.

You'd need to be running the Linux kernel labelled 2.6.32-5-amd64 - that pretty much means the 64-bit version of Debian Squeeze 6.0.0. And you'll have an unexpected kernel module called /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko.
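A host check for the indicators the article gives (the affected kernel release, the unexpected module under the sound directory, and, from the reader discussion below, the rc.local line that loads it). This is an added example, not Sophos or Crowdstrike code; the function names and the ROOT prefix argument (so a mounted disk image can be inspected as well as the live host) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: check a host or a mounted image for the Troj/SrvInjRk-A
# indicators described in the article. Paths and release string are the
# ones the article reports; function names and ROOT handling are assumptions.

TARGET_KERNEL="2.6.32-5-amd64"
MODULE_REL="lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko"

# srvinjrk_indicators ROOT KERNEL_RELEASE
#   ROOT: filesystem prefix ("/" for the live host, a mount point for an image)
#   Prints one line per indicator found; exit status 0 if any, 1 if none.
srvinjrk_indicators() {
    root=${1%/}
    kernel=$2
    found=1
    if [ "$kernel" = "$TARGET_KERNEL" ]; then
        echo "kernel: running the affected release $kernel"
        found=0
    fi
    if [ -f "$root/$MODULE_REL" ]; then
        echo "file: unexpected module $root/$MODULE_REL"
        found=0
    fi
    # Persistence: a loader line appended to rc.local (reported by a commenter).
    if [ -f "$root/etc/rc.local" ] && grep -q "module_init.ko" "$root/etc/rc.local"; then
        echo "persistence: rc.local references module_init.ko"
        found=0
    fi
    # Live host only: the module name shows up in the kernel's module list.
    if [ -f "$root/proc/modules" ] && grep -q "^module_init " "$root/proc/modules"; then
        echo "loaded: module_init present in /proc/modules"
        found=0
    fi
    return $found
}

# Number of indicators found; handy for alerting when greater than zero.
srvinjrk_count() {
    srvinjrk_indicators "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone use: inspect the live host.
srvinjrk_indicators / "$(uname -r)" || echo "no SrvInjRk-A indicators found"
```

A clean-looking result only rules out this specific sample; because the module hooks vfs_read and vfs_readdir, a compromised kernel could also hide the file from a check run on the live host, so inspecting the disk offline (ROOT set to the mount point) is the stronger test.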

We don't know where this thing came from. Crowdstrike suggests that, "[b]ased on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely," but that sort of unsubstantiated suggestion doesn't really help.

In short, we shall probably never know who wrote this thing. But it is one more existence proof for those who deny the very possibility of Linux malware.

11 Responses to FLAMING RETORT: Linux rootkit news "provides some comic relief"

  1. YellowApple · 1043 days ago

    Oh boy! A piece of code that requires a vector to be of any potential threat. I'm shaking in my boots. Until information on the vector is actually disclosed, this article isn't really helpful to Linux administrators.

    Linux rootkits are loaded as kernel modules. That's how they're run as rootkits (rather than just sitting around as plain-old files in some directory). Loading a kernel module - especially a new one - requires root access. Once that root access is acquired, why stop at injecting iframes? Why not upload entire MySQL databases with password hashes, or replace grub.cfg's menu entries with a giant ASCII trollface?

    Thus, the rootkit itself is irrelevant; it's *how* the rootkit managed to get loaded that's important, a question which has yet to be answered by anyone. Yes, there are Linux "viruses", but so far every single one of these "viruses" are stuck at proof-of-concept level because there's no way for them to actually operate without being intentionally run, and this one doesn't seem to be an exception.

    However, Kapersky's name for it does give a hint. It's identified as a trojan. Trojans in the Unix/Linux realm are only dangerous when they are explicitly run, usually by tricking a sudo-capable user into running the program and giving it administrative access. I figure that's exactly what happened. Considering that so far we've only heard of one encounter with this rootkit, I would guess that a user with administrative access (either knowledge of the root password or the ability to run programs as root via sudo) decided to load the rootkit - either maliciously or accidentally - with administrative access. In that case, it wouldn't be the fault of the operating system at all, but rather of the user; it's best to be very wary of any program asking for root access.

    To summarize, this isn't a Linux error. This sounds like an administrator error, and even a truly-unbreakable system is no match against a malicious and/or incompetent user with root access.

    • Paul Ducklin · 1042 days ago

      Errrr, OK. If you say so.

      I think you may have your Ranty Linux Fanbuoy spectacles on just at the moment, though. (The article doesn't use the word "virus". Rootkits don't need to be implemented as kernel drivers. Sophos's name for this one also points out it's a "Trojan", as mentioned right here in the article. No, we don't know how it got loaded on the victim server, since the poster only uploaded the rootkit. Nowhere in the article was there even a sniff of a suggestion that this was a "Linux error". The text even goes out of its way to explain that it is unlikely that you'd get hit by this thing. It's just *interesting*. If you don't mind.)

      There is one small error in your comment. You say, "Yes, there are Linux 'viruses', but so far every single one of these 'viruses' are stuck at proof-of-concept level because there's no way for them to actually operate without being intentionally run."

      There is - or was - a *very* widespread Linux virus - entirely self-spreading, as it happens - called Linux/RST-B. Back in 2008, we measured it infecting more than 12,000 servers (and that's only the servers where it was running as root, which wasn't necessary for it to infect and spread further - just necessary for it to get noticed by our stats collector) over a three month period.

      Sure. Not that big of a deal. Only 4000 newly-auto-infected servers per month. But it's an existence proof. I linked to it in the article, but I guess you were in such a hurry to have your say you didn't spot it:

      • YellowApple · 1042 days ago

        Let me pull a quote from the article you referenced:

        "And we only counted computers on which the virus was running as root. It doesn't call home if it's not running as root, so the total number of active infections was probably significantly higher."

        Let's focus on a bit of that:

        "It doesn't call home if it's not running as root"

        Hm. Now let's head over to Sophos' page on Linux/RST-B (http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Linux~Rst-B/detailed-analysis.aspx):

        "If the virus is executed by a privileged user then it may attempt to
        create a backdoor on the system"

        Again, let's focus on that a bit:

        "If the virus is executed by a privileged user"

        So I fail to see how referencing RST-B invalidates my point. At all. You have to run it as root. A competent Linux sysadmin should know better than that. Likewise, they should know better than to utilize weak usernames/passwords for accounts with root access.

        And then there are phrases like the following (from https://nakedsecurity.sophos.com/2007/11/06/news-f...

        "...our Windows honeypots are attacked more frequently than our Linux ones, but Linux malware is far more interesting to blog about, isn't it?"

        I'm sensing a bit of bias in that statement. Then again, it's from a few years ago (though from an article referenced by the article you claimed I didn't read), so I'm *sure* it's not relevant, right?

        I'm not claiming that Linux is perfect; no software is perfect (including the products from Sophos, if recent reports of the recently-fixed buffer overflow induced by scanning PDFs are to go by). However, I do find the overhype which seems to be associated with this rootkit, well, disconcerting, to say the least. A number of articles have been written which imply quite blatantly that Linux is just as insecure as Windows (which, if the viability of Linux targets v. the number of actual infections is anything to go by, is statistically untrue), which is why my remarks were probably on the snippier side, and for that I apologize. The point of my post wasn't to try and claim that Linux is infallible (since that's impossible); the point was to emphasize that knowledge about the actual vector is what's needed right now so that Linux users can prevent this from happening to them (if there is a vector besides someone intentionally loading the rootkit as a sound driver, based on the location of the module itself in the filesystem and the line appended to rc.local pointing to it).

        Also, I didn't call this rootkit a "virus"; I merely referenced the number of existing "viruses" that are stuck at proof-of-concept levels because of a need for root access. I actually stated quite clearly that this rootkit is classified as a trojan and is, indeed, a rootkit. Please don't put words in my mouth; it's not very nice.

        • Paul Ducklin · 1042 days ago

          (To be fair to me, which I may as well be, you didn't so much "[state] quite clearly that this rootkit is classified as a trojan", as you sweetly say, as sarcastically point out that "Kapersky's name for it does give a hint. It's identified as a trojan." I knew that. I said that. Which is why I was a little testy that you tried to point it out as though I hadn't actually noticed.)

          Anyway. I hear what you're saying. "If you run something as root that isn't trustworthy, you can't blame the OS."

          Perhaps Linux administrators are more savvy that Windows admins. I suspect that may well be true, not least because many Windows admins have become admins almost "because Windows came with the territory" (so they have simply had to learn how), whereas not a few Linux admins do that job "because they chose Linux through knowing how to administer it."

          But there *is* a security problem in the Linux world. We uncover some 10,000 to 30,000 newly-infected web pages per day, mostly infected through SQL injections, poor password hygiene, software vulnerabilities and the like. I don't have the figures to hand, but the percentage of these that run Linux is high. Well over half, from memory.

          • Dominick · 947 days ago

            Most hacks target an application, and not the OS, whether it is running on Linux or Windows. Furthermore, people phish their way around software when needed. The OS itself can be as secure as Zues's porn locker, and that will only account for 10% of what one needs to worry about.

            Linux users can act as smart and as tough as they want, but even having a 100% secure OS - just won't save you.

        • Guest · 1037 days ago

          It sounds like someone needs a cranberry juice again.

        • Dominick · 947 days ago

          That's a great point of view. Essentially - There is no viruses for Linux because the presumption is that Linux users are all smart, and therefore the virus would in effect, never be installed by said smart user.

  2. jessi slaughter · 1043 days ago

    great post paul! you missed a word here " This system ran on Linux, amongst others, and made use [of] rootkit techniques.", but otherwise, very very interesting.

  3. Nick Nikiforakis · 1042 days ago

    I don't understand the title of this post.

    FLAMING RETORT: Linux rootkit news "provides some comic relief"

    First of all, the flaming retort series are, in my understanding, meant to be controversial. From the title of this post, I was expecting that you would make fun of the Linux rootkit, or classify it as a hoax or some other thing. But then you go ahead and explain what it does, how rootkits work and then end with the fact that you can get owned in any system, so watch out.

    Sure, the "comic relief" part is from the Full-Disclosure mailing list, but I don't get the connection here. Is it more of a "I want your attention"-type title, or is it some other thing?

    • Paul Ducklin · 1041 days ago

      I want your attention :-)

      Seriously, the Flaming Retorts aren't meant to be controversial - they're meant to put out flames, not fan them. I decided to call this a "Flaming Retort" because of the subject matter (Linux malware always seems to create some sort of flappery so I thought it fitted the bill.)

      I probably tried a bit hard with the headline. It was meant to imply that HERE'S REAL LINUX MALWARE AND A ROOTKIT NO LESS OFFERED FOR PUBLIC USE, yet there's still a touch of comedy about it (since the rootkit isn't that clever).

      But...I did provoke *some* controversy - see the "discussion" above with @YellowApple.

      Anyway, apologies if you feel a bit cheated by the headline. Hope the content was OK, if not as, ahhh, evocative as you might have liked.

      I *had* hoped to provoke a response from readers with my suggestion that "Windows and Linux (and OS X, for that matter) are, from a high-level architectural perspective, much more similar than they are different." You can usually start a bit of biffo by saying that. Perhaps our readers are coming round to my point of view? Or perhaps I'm mellowing out?

      PS. If you have any ideas for another Flaming Retort, feel free to drop me an email. Or post them here...

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog