A New Linux Rootkit
Details of a new Linux rootkit turned up on SecLists.Org’s Full Disclosure Mailing List last week, in a thread titled "linux rootkit in combination with nginx".
CrowdStrike has excellent analysis of it here: "HTTP iframe Injecting Linux Rootkit".
CrowdStrike’s key findings:
• The rootkit is generally crime related rather than a specialized targeted attack. It drives traffic to exploit kits.
• It appears to be new rather than a modified version of known rootkits.
• It is probably Russian in origin.
Our analysts are investigating the sample now.
On 20/11/12 At 11:48 AM