https://www.securelist.com/en/blog/208193935/New_64_bit_Linux_Rootkit_Doing_i...
Ъ:
A few days ago, an interesting piece of Linux malware came up on the Full Disclosure mailing-list. It's an outstanding sample, not only because it targets 64-bit Linux platforms and uses advanced techniques to hide itself, but primarily because of the unusual functionality of infecting the websites hosted on attacked HTTP server - and therefore working as a part of drive-by download scenario.
...
The iFrame injection mechanism is quite interesting: the malware substitutes the system function tcp_sendmsg - which is responsible for building TCP packets - with its own function, so the malicious iFrames are injected into the HTTP traffic by direct modification of the outgoing TCP packets.
ЪЪ: вредоносный модуль для дебиановского 64-битного ядра, который внедряет iframe-ы прямо правя пакеты.
Пора сваливать на фрю?
