Rootkit Being Used in Attacks on Exim Bug
Attackers have begun using the bug in the Exim mailer that was disclosed earlier this week to install a rootkit on machines running vulnerable versions of the software.
The vulnerability in Exim, which is a mail transfer agent used on Unix-based machines, came to light on Monday and can result in remote code execution. US-CERT said in an advisory on Monday that the bug already was being exploited in the wild by the time it was disclosed.
"The internal string handling functions of the Exim software contain a function called string_format(). The version of this function included with Exim versions prior to 4.70 contains a flaw that can result in a buffer overflow. An attacker can exploit this vulnerability by crafting message headers that are subsequently supplied to Exim logging functions," the advisory said.
Several users running Debian Linux said in a discussion thread on Reddit that they'd found a rootkit on some of their machines that were running vulnerable versions of Exim. The malware installs itself and creates some temporary files. Here's a description of the rootkit's behavior:
To get in, it created a number of temporary files in /var/spool/exim4, including a small C program which it compiled and setuid to get root access and run a shell as root:
-rw------- 1 Debian-exim Debian-exim 117 Dec 15 16:41 a.conf
-rw------- 1 Debian-exim Debian-exim 119 Dec 15 16:41 e.conf
drwxr-xr-x 3 root root 75 Dec 16 18:00 rk
-rw------- 1 root root 4421289 Dec 15 20:13 rk.tgz
-rw-r--r-- 1 root root 0 Dec 16 13:26 s
-rw-r--r-- 1 root root 0 Dec 16 13:26 s.c
-rwsr-xr-x 1 root root 6764 Dec 15 23:29 setuid
-rw------- 1 Debian-exim Debian-exim 3120 Dec 15 16:41 setuid.1
-rw------- 1 Debian-exim Debian-exim 130 Dec 15 16:41 setuid.c
Note that the rk directory contained the installer for the root kit.
Other users in the thread reported finding the same malware on their Debian machines. One of the signs that led several of them to discover the infection was that their email had stopped working.
The bug has been fixed in a new version of Exim; according to the advisory quoted above, releases prior to 4.70 are affected. The latest version can be downloaded from the Exim site.
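A quick triage check built from the indicators in this story, as an added example that is not part of the original article or of any tool the affected users described: it flags setuid or setgid files anywhere under the Exim spool directory (a mail spool never legitimately contains one) and entries whose names match the quoted listing, and it compares the version reported by Exim against the 4.70 boundary from the advisory. The `exim -bV` first-line format ("Exim version 4.69 #1 built ...") that `parse_exim_version` expects is an assumption, not something the article states, as is the spool path default.

```python
import os
import re
import stat

# File names from the directory listing quoted above. The listing is the only
# source for these, so treat a name match as a weak indicator on its own.
REPORTED_NAMES = {"a.conf", "e.conf", "rk", "rk.tgz", "s", "s.c",
                  "setuid", "setuid.1", "setuid.c"}

# Per the US-CERT advisory quoted above: versions prior to 4.70 carry the flaw.
FIXED_VERSION = (4, 70)

DEFAULT_SPOOL = "/var/spool/exim4"   # assumed Debian default; adjust for other layouts


def parse_exim_version(bv_output):
    """Extract (major, minor) from `exim -bV` output.

    Assumed line format (not taken from the article):
        Exim version 4.69 #1 built 10-Dec-2009 ...
    Returns None when no version string is found.
    """
    m = re.search(r"Exim version (\d+)\.(\d+)", bv_output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_version(version):
    """True when the parsed version is older than the fixed release."""
    return version is not None and version < FIXED_VERSION


def scan_spool(spool_dir=DEFAULT_SPOOL):
    """Return a list of (path, reason) findings for a spool directory.

    Check 1: any regular file with the setuid or setgid bit anywhere under the
             spool. The quoted listing shows a root-owned, mode 4755 'setuid'
             binary; nothing a mail spool holds should ever be setuid.
    Check 2: top-level entries whose names match the quoted listing.
    os.lstat is used so symlinks are not followed out of the spool.
    """
    findings = []
    spool_dir = os.path.abspath(spool_dir)
    for root, dirs, files in os.walk(spool_dir):
        for name in dirs + files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            mode = st.st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(
                    (path, "setuid/setgid file in mail spool, owner uid %d" % st.st_uid))
            if root == spool_dir and name in REPORTED_NAMES:
                findings.append((path, "name matches reported dropper artifact"))
    return findings


def triage(bv_output, spool_dir=DEFAULT_SPOOL):
    """Combine both checks into one summary dict for a host."""
    version = parse_exim_version(bv_output)
    return {
        "version": version,
        "vulnerable_version": is_vulnerable_version(version),
        "findings": scan_spool(spool_dir),
    }


if __name__ == "__main__":
    import subprocess
    import sys
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True, text=True).stdout
    except OSError:
        out = ""
    result = triage(out, sys.argv[1] if len(sys.argv) > 1 else DEFAULT_SPOOL)
    print("exim version:", result["version"],
          "(vulnerable)" if result["vulnerable_version"] else "")
    for path, reason in result["findings"]:
        print("%-50s %s" % (path, reason))
```

Run it as root so the 0600 files owned by `Debian-exim` in the listing are readable; a version at or above 4.70 with no findings means only that this particular dropper is absent, not that the host is clean, since the listing shows the installer itself sat in the `rk` directory and was unpacked from `rk.tgz`, both of which an attacker can rename.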