Now both CrowdStrike and Kaspersky Lab have published detailed analyses with similar conclusions: the author would appear to be “an intermediate programmer with no extensive kernel experience.” Other conclusions suggest that this may have been the work of a contract malware writer “later customized beyond repair by the buyer,” as Georg Wicherski, senior security researcher at CrowdStrike, suggests.
Wicherski suggests that “a Russia-based attacker is likely,” but that how the attackers gained the root privileges necessary to install the rootkit remains an open question.
However, despite general reservations about the ability of the code author, Kaspersky Lab’s Marta Janus notes that, “The iFrame injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg - which is responsible for building TCP packets - with its own function, so the malicious iFrames are injected into the HTTP traffic by direct modification of the outgoing TCP packets.” The iFrame payload is obtained from a C&C server, to which the rootkit connects using encrypted authentication. Kaspersky wasn’t able to connect to the C&C server, but adds that “the malicious server is still active and it hosts other *NIX based tools, such as log cleaners.”
Janus adds that in the traditional drive-by scenario, the injection is performed by a simple PHP script. In this case, however, “we are dealing with something far more sophisticated - a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before.” It may be new, but “we can certainly expect more such malware in the future.”
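One practical consequence of injecting at the tcp_sendmsg level, as Janus describes, is that the files in the web root stay clean, so file-integrity monitoring on the server sees nothing. The following added example (not code from either vendor’s analysis) illustrates a defender’s check: compare the HTML stored on disk with what the server actually delivers on the wire and report any iframe tags that appear only in the served copy. The sample HTML, the hostname example.invalid and the function names are constructed for this illustration.

```python
"""Detect iframes that are present in served HTML but absent from the on-disk
copy. Because the hook modifies outgoing TCP packets rather than files, only a
disk-versus-wire comparison reveals the injection. Sample inputs are constructed."""
import re
import urllib.request

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)


def extract_iframes(html: str) -> list[str]:
    """Return every <iframe ...> opening tag, with whitespace normalised."""
    return [re.sub(r"\s+", " ", m.group(0)).strip() for m in IFRAME_RE.finditer(html)]


def injected_iframes(expected_html: str, served_html: str) -> list[str]:
    """iframes found in the served response that the on-disk file never had."""
    expected = set(extract_iframes(expected_html))
    return [tag for tag in extract_iframes(served_html) if tag not in expected]


def check_url(url: str, disk_path: str, timeout: float = 10.0) -> list[str]:
    """Fetch a page over HTTP and compare it with the document-root file.
    An empty list means the wire copy carries no iframes the file lacks."""
    with open(disk_path, encoding="utf-8", errors="replace") as fh:
        on_disk = fh.read()
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        served = resp.read().decode("utf-8", errors="replace")
    return injected_iframes(on_disk, served)


# Constructed sample: the legitimate page has one iframe of its own.
ON_DISK_HTML = (
    '<html><body><h1>Welcome</h1>'
    '<iframe src="/widgets/news.html"></iframe></body></html>'
)
# Constructed sample of what a tampered TCP stream might deliver: the same page
# with one extra hidden iframe appended just before </body>.
SERVED_HTML = ON_DISK_HTML.replace(
    "</body>",
    '<iframe src="http://example.invalid/x" width="0" height="0" '
    'style="visibility:hidden"></iframe></body>',
)

if __name__ == "__main__":
    for tag in injected_iframes(ON_DISK_HTML, SERVED_HTML):
        print("injected:", tag)
```

Run check_url against the origin server itself (not through a CDN or proxy) so that the comparison reflects what the host’s own kernel sends.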
The rootkit itself is larger than usual – more than 500 kb – mainly because it was compiled with the debugging information intact. Janus suggests that it may still be in the developmental phase “because some of the functions don’t seem to be fully working or they are not fully implemented yet.” It is possible, then, that a contract work-in-progress was tested by the buyer before the project was complete.
The purpose of the malware is unclear. Since it “was used to non-selectively inject iframes into nginx webserver responses, it seems likely that this rootkit is part of a generic cyber crime operation and not a targeted attack,” suggests Wicherski. “However, a Waterhole attack, where a site mostly visited from a certain target audience is infected, would also be plausible.”