Wednesday, November 21, 2012

New virus substitutes packets sent by Linux web servers

Analysts at Kaspersky Lab have found a conceptually new type of malware for Linux.

The virus, known as «Rootkit Linux Snakso-A» in the company's internal classification, infects Linux web servers at the kernel level. As a result, every website hosted on a compromised server becomes dangerous to its visitors. The web server itself keeps running normally; the rootkit inserts special «iFrame» tags into outgoing packets at a low level, and those iframes carry hidden links that download malicious content.

According to reports, the new virus targets 64-bit systems running kernel 2.6.32-5-amd64 and the popular Nginx web server. The executable found in the wild is about 500 KB; experts attribute this unusually large size to the fact that the binary was compiled with all of its debug messages included. The danger is that the server's operator has practically no way of detecting the implant on the server, while Internet users visiting a site served by the infected machine are put at risk: every time they visit such a site, they receive additional hidden links that do not appear in the web server's own output. In effect, the virus rewrites the outgoing TCP packets sent to website visitors.

The researchers believe the virus was caught at an early stage of development: a number of its features are not fully implemented, and some have yet to be seen in action. To some extent it can be regarded as a prototype of future server-side malware. The virus does not distribute the malicious content itself; that task is delegated to an auxiliary server located elsewhere. Another unusual feature is that the connection to the command-and-control server is authenticated with an encrypted password.

The mechanism for implanting the iframe tag is quite interesting. The virus does not exploit a vulnerability in Java, Flash, the web server, or any other technology. Instead, the iframes are introduced directly into outgoing HTTP traffic by replacing the kernel function «tcp_sendmsg».
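Because the substitution happens in the kernel's send path, after Nginx has already produced its response, the files under the document root and the server's own logs look clean; the only reliable check is to fetch the page from a separate client and compare what arrived with what should have been sent. The following Python script is an added example of that check, written for this article; it is not code from the original page, from Kaspersky Lab or from CrowdStrike. The two HTML documents, the names EXPECTED_HTML and OBSERVED_HTML, the host c2.example.invalid and the function names are all constructed for the example. In practice EXPECTED_HTML would be read from the document root and OBSERVED_HTML fetched over the network from a different machine.

```python
from html.parser import HTMLParser

# Constructed sample: the page as it exists under the web server's document
# root (what Nginx actually writes to the socket).
EXPECTED_HTML = """<html><head><title>Shop</title></head>
<body><h1>Welcome</h1>
<iframe src="https://maps.example/embed" width="400" height="300"></iframe>
</body></html>"""

# Constructed sample: the same page as received by a client, with one
# invisible iframe spliced in on the wire (host name is made up).
OBSERVED_HTML = EXPECTED_HTML.replace(
    "</body>",
    '<iframe src="http://c2.example.invalid/x.php" width="0" height="0" '
    'style="display: none"></iframe>\n</body>',
)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # html.parser yields None for valueless attributes; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def collect_iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes


def is_hidden(attrs):
    """True if the iframe is sized or styled so that a visitor never sees it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width", "1").lower().rstrip("px"))
        height = int(attrs.get("height", "1").lower().rstrip("px"))
    except ValueError:  # percentages or other units: not obviously hidden
        return False
    return width <= 1 or height <= 1


def find_injected_iframes(expected_html, observed_html):
    """Return iframes present on the wire but absent from the on-disk page.

    Matching is by src: an implant that rewrites packets has no reason to
    alter the legitimate iframes the page already carries, only to add its own.
    """
    known_srcs = {f.get("src", "") for f in collect_iframes(expected_html)}
    return [f for f in collect_iframes(observed_html)
            if f.get("src", "") not in known_srcs]


def check_page(expected_html, observed_html):
    """Summarise the comparison as a dict suitable for raising an alert."""
    injected = find_injected_iframes(expected_html, observed_html)
    return {
        "injected": [f.get("src", "") for f in injected],
        "hidden": [f.get("src", "") for f in injected if is_hidden(f)],
        "clean": not injected,
    }


if __name__ == "__main__":
    print(check_page(EXPECTED_HTML, OBSERVED_HTML))
```

Run the fetch from a host the suspected server does not control and over a path that does not go through the server's own loopback interface; a comparison made on the infected machine itself, or by reading the file Nginx serves, will never see the inserted tag. The hidden-iframe heuristic is only a prioritisation aid: anything in the "injected" list is already a mismatch worth investigating, visible or not.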

Additional analysis of Snakso-A was carried out by the security company CrowdStrike. In the view of its experts, the virus is likely to be planted on websites frequented by members of particular organizations as part of an espionage campaign. It could also be used in "watering hole" attacks, in which the chosen victim confidently visits a trusted resource that the attackers have already infected.

According to CrowdStrike's experts, the virus may have been written to order by programmers from Russia, and not by run-of-the-mill programmers lacking in-depth knowledge of the Linux kernel. Russian origin is suggested by the tools and techniques used to create the virus, as well as by other factors that CrowdStrike declined to disclose.

