An interesting HTTP injection rootkit

November 26, 2012 Technical, General

We came across this story last week, it’s particularly interesting and relevant to us as a webhosting company. The LWN writeup describes a kernel module that maliciously intercepts HTTP requests and injects iframe tags into the HTML.

This sort of behaviour isn’t terribly new to us. We see code injection attacks fairly frequently, mostly against PHP-based sites, but they’re usually done through an FTP account with a weak password. This one is interesting because it doesn’t leave obvious evidence on the system.

Website code is usually hackishly modified by injecting some obfuscated PHP at the beginning of the file, which often causes visible errors on the site and is very easy to detect. That’s not necessary with this attack because it hooks into the system at a low level, looking for HTTP responses and inserting the iframe tags as appropriate.

CrowdStrike has a far more in-depth writeup of the malware. If you’re technically-inclined it’s pretty interesting; while hardly A-grade code, it does a good number of practical things to help ensure consistent behaviour, making detection less likely.

We’re not terribly worried about seeing this on our servers. Inserting the kernel module requires root privileges to start with, which is substantially mitigated by our strict patching regimen. That’s not to say it couldn’t be inserted through a zero-day exploit, but keeping on top of updates goes a long way. In addition, it seems fairly unreliable at keeping itself persistently loaded, and it’s noted that it’s highly likely to be impotent on Debian systems following a reboot.

We’ll get Liam, our resident intrusion-detection maestro, to make sure our IDS is keeping an eye out for this one. Along with the injected PHP code, connection attempts to the command-and-control servers in Europe should be more than enough to act as warning flags for a potential infection.