A new Rootkit designed to target Linux 64-bit machines has been discovered this week by an anonymous source. This is the latest development in methods of compromising websites.
The Rootkit was discovered on a company server after reports from customers that they were being directed to malicious websites.
The Rootkit itself is fairly simple, but what makes it unusual is that it hides and infects servers at kernel level. Running inside the kernel gives the kit the system privileges and stealth it needs for command and control. The exploit then spreads through watering hole techniques, and the rootkit can also attack by infecting the sites hosted on a compromised HTTP server.
What makes this Rootkit different is that it does not target individual desktops but the servers that host websites. It uses an IFRAME injection that modifies the responses to HTTP requests sent via the web server, so that users are redirected to another site.
The kernel-mode binary component is a sophisticated tool: it uses hooking techniques to perform low-level, transparent injections. This angle of attack is a new approach to drive-by download attacks.
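A defender-side integrity check for the injection described above, added here as an illustrative example and not taken from the original report: because the rootkit rewrites responses in the kernel while the HTML file on disk stays unchanged, comparing what the server actually returns with the file it should have served exposes frames that exist only in the served copy. The HTML samples and the evil.invalid host are constructed for the example.

```python
import re

# Constructed sample: the page as stored in the web root, including one legitimate iframe.
ON_DISK_HTML = """<html><head><title>Shop</title></head>
<body><h1>Welcome</h1><iframe src="https://maps.example/embed"></iframe></body></html>"""

# Constructed sample: the same page as a client received it over HTTP from the server.
# The second iframe mimics a transparent injection made below the web server process.
SERVED_HTML = """<html><head><title>Shop</title></head>
<body><h1>Welcome</h1><iframe src="https://maps.example/embed"></iframe>
<iframe src="http://evil.invalid/load" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)


def extract_iframes(html):
    """Return every opening <iframe ...> tag in the document, in order."""
    return [m.group(0) for m in IFRAME_RE.finditer(html)]


def injected_iframes(on_disk, served):
    """Tags present in the served response but absent from the on-disk source."""
    baseline = set(extract_iframes(on_disk))
    return [tag for tag in extract_iframes(served) if tag not in baseline]


def is_suspicious_iframe(tag):
    """Heuristic: zero-size or hidden frames are typical of drive-by injection."""
    t = tag.lower()
    markers = ('width="0"', 'height="0"', "visibility:hidden", "display:none")
    return any(m in t for m in markers)


def check_response(on_disk, served):
    """Compare served vs stored HTML; report injected frames and the hidden ones among them."""
    injected = injected_iframes(on_disk, served)
    return {
        "injected": injected,
        "suspicious": [t for t in injected if is_suspicious_iframe(t)],
    }


if __name__ == "__main__":
    print(check_response(ON_DISK_HTML, SERVED_HTML))
```

In practice the served copy is fetched through the normal HTTP path from a separate host, since a kernel-level hook can also lie to tools run on the compromised server itself.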