Debian Linux Vulnerable to Drive-By Rootkit Infection

A new, apparently beta-status Linux rootkit is doing the rounds at the moment. Delivered via drive-by download from an infected site running the nginx web server, in an unusual form of iFrame injection attack, the somewhat large 500K rootkit doesn’t appear to do anything at the moment, except infect a very specific Linux distribution: the 64-bit Debian Squeeze kernel, version 2.6.32-5.

The find was posted anonymously to Full Disclosure on November 13 and has since been confirmed by CrowdStrike and Kaspersky Lab, who dubbed it ‘Rootkit.Linux.Snakso.a’. When the code was analyzed, it appeared to be in a beta state, with various coding rough edges and plenty of debug code still in it.

As significant as its design is where it might have come from. In the view of the CrowdStrike analyst, Russia is the most likely origin, which would put it in the realm of professional cybercriminals.
