Slashdot Mirror


New In-Memory Rootkit Discovered By German Hoster

New submitter einar2 writes "German hoster Hetzner informed customers that login data for their admin surface might have been compromised (Google translation of German original). At the end of last week, a backdoor in a monitoring server was found. Closer examination led to the discovery of a rootkit residing in memory. The rootkit does not touch files on storage but patches running processes in memory. Malicious code is directly injected into running processes. According to Hetzner the attack is surprisingly sophisticated."

22 of 91 comments

  1. Kinda cool that they found it by Anonymous Coward · · Score: 2, Interesting

    Even if you notice strange traffic, how do you actually find something that is only in memory?

    1. Re:Kinda cool that they found it by Anonymous Coward · · Score: 5, Funny

      Even if you notice strange traffic, how do you actually find something that is only in memory?

      Through the power of Jesus Christ, our Lord and Savior.

    2. Re:Kinda cool that they found it by Anonymous Coward · · Score: 5, Funny

      On a VMware server I would create a snapshot and then analyze the contents of the memory

      I don't always examine a couple gigs of raw memory with no context on a summer Friday but when I do I prefer Xen.

    3. Re:Kinda cool that they found it by centipedes.in.my.vag · · Score: 5, Informative

      You can walk-through and dump a running process' memory to file to analyze it later. Just reference the pid+offset and read. This style of patching a process (CREATE_SUSPENDED flag / Edit / ResumeThread) rather than editing the file itself is really popular when trying to defeat a CRC check, so methods to analyze it shouldn't surprise anyone.

      --
      Only on /. can I lose karma with 2x "5, Funny" posts.
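      One defender-side way to do the comparison the post describes on Linux, as an added example that is not from the thread or from Hetzner: walk /proc/<pid>/maps, read each executable file-backed mapping back out of /proc/<pid>/mem, and diff it against the same bytes of the backing file on disk. Any differing run in an r-x mapping is a candidate for in-memory patching. The script, its function names and the sample maps line in the test are constructed; reading another process's memory needs ptrace permission (root or CAP_SYS_PTRACE), and the comparison tool itself should come from known-good media rather than the suspect host.

```python
#!/usr/bin/env python3
"""Compare a process's executable file-backed mappings against the files
on disk to spot code that was patched in memory (constructed example)."""
import os
import sys


def diff_runs(mem: bytes, disk: bytes):
    """Return [(offset, length)] runs where mem differs from disk.
    disk is zero-padded: the kernel zero-fills a file's last partial page."""
    if len(disk) < len(mem):
        disk = disk + b"\0" * (len(mem) - len(disk))
    runs, start = [], None
    for i, (a, b) in enumerate(zip(mem, disk)):
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(mem) - start))
    return runs


def parse_maps_line(line: str):
    """Parse one /proc/<pid>/maps line into (start, end, perms, file offset, path)."""
    fields = line.split(None, 5)
    start, end = (int(x, 16) for x in fields[0].split("-"))
    path = fields[5].strip() if len(fields) > 5 else ""
    return start, end, fields[1], int(fields[2], 16), path


def scan_process(pid: int):
    """Yield (path, start, runs) for each executable file-backed mapping whose
    in-memory bytes differ from the backing file. Needs ptrace access to pid."""
    with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb") as mem:
        for line in maps:
            start, end, perms, offset, path = parse_maps_line(line)
            if "x" not in perms or not path.startswith("/") or "(deleted)" in path:
                continue  # anonymous (JIT, vdso) or unlinked: no file on disk to compare
            try:
                with open(path, "rb") as f:
                    f.seek(offset)
                    disk = f.read(end - start)
                mem.seek(start)
                live = mem.read(end - start)
            except OSError:
                continue  # unreadable page or unreadable file: skip, do not crash the scan
            runs = diff_runs(live, disk)
            if runs:
                yield path, start, runs


if __name__ == "__main__":
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    for path, start, runs in scan_process(target):
        for off, length in runs:
            print(f"{path}: {length} byte(s) differ at 0x{start + off:x}")
```

      Legitimate differences do occur (debuggers' breakpoints, userspace live-patching), so a hit is a lead for a memory dump of that region, not a verdict on its own.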
    4. Re:Kinda cool that they found it by zlives · · Score: 3, Funny

      I think you mean XXen

    5. Re:Kinda cool that they found it by MasterPatricko · · Score: 2

      If you're serious about computer security you bring the analysis tools with you, from an independent known-good source, not using anything from the possibly-compromised machine.

      --
      I'd tell a UDP joke, but you may not get it. I'd tell a TCP joke, but I'd have to keep repeating it until you got it.
  2. Re:Address space layout randomization? by Heretic2 · · Score: 2

    Forgive my ignorance, but how did ASLR not stop this?

    Because it was on Linux and not Windows?

    Anyway, sounds like they weren't running TXT or selinux.

  3. Re:Address space layout randomization? by bloodhawk · · Score: 2

    ASLR is an important part of defence in depth, but it is by no means a guarantee that you can't be exploited through a vulnerability, it makes it that little bit harder.

  4. EvaPharmacy has been doing this for years... by AdamD1 · · Score: 5, Interesting

    This has actually been around since at least 2006.

    Russian spam operation EvaPharmacy have been using this approach to turn public servers they don't own into free hosting for all of their rogue pharmacy sites.

    You can read a pretty detailed description of this here:

    http://pharmalert.zoomshare.com/1.html

    The people who run EvaPharmacy (criminals, in my opinion, but also in others' opinion) do a lot of destructive things to your server while installing their proxy hosting / DNS software on your server, and they leave no trace of any files at all.

    --
    Because I can! [Brainrub.com]
    1. Re:EvaPharmacy has been doing this for years... by Anonymous Coward · · Score: 3, Informative

      I believe they mean with chattr, not with permissions:
      $ sudo -s
      # touch file
      # chmod 000 file
      # ls -l file
      ---------- 1 root root 0 Jun 7 15:28 file
      # cat > file
      asdf
      # cat file
      asdf
      # chattr +i file
      # cat > file
      bash: file: Permission denied

  5. yank out the sticks by SpaceManFlip · · Score: 2

    Quick! Pull all the RAM sticks from the servers!

    Throw them in the fire! Then piss into the fire with a frosty Heineken pee pee....

    Cauterize the germs!

    My main question is how the rootkit process made its way into the RAM of the afflicted machines (?).

    1. Re:yank out the sticks by danceswithtrees · · Score: 2

      Joking aside, wouldn't you expect a restart to eradicate a RAM resident rootkit? Granted the vulnerability still exists and it is possible to be reinfected/rerooted, a simple reboot should get rid of this.

    2. Re:yank out the sticks by techno-vampire · · Score: 2

      I was thinking that too. However, I can see it calling home every few minutes to let the control machine know it's still there and running. (No response needed.) If it misses a scheduled call, the control machine launches a new attack and re-infects it. Don't know how well it would work in practice, but it sounds reasonable.

      --
      Good, inexpensive web hosting
    3. Re:yank out the sticks by centipedes.in.my.vag · · Score: 4, Informative

      No, you're misreading the article.

      "The rootkit does not touch files on storage but patches running processes in memory."

      The rootkit isn't in RAM only. The way that it attacks the daemon processes is done entirely in RAM.

      --
      Only on /. can I lose karma with 2x "5, Funny" posts.
    4. Re:yank out the sticks by Nutria · · Score: 2

      So the statement "rootkit does not touch files on storage but patches running processes in memory" is wrong (or at the very least, misleading)?

      --
      "I don't know, therefore Aliens" Wafflebox1
  6. Do they tell us? by theduk3 · · Score: 5, Informative

    I have a root server from Hetzner and got the disclosure mail, which was very detailed.
    Customer data was compromised, including the hashed/salted passwords and the last 3 digits of credit card numbers (which should not really be an issue).

    This is not the first major breach at Hetzner, in 2011 managed server account passwords were compromised as well.
    Back then they advised customers to reset the passwords for all accounts for the admin panel.

    The interesting question... is Hetzner sloppy about security, more so than its competitors, or are they actually more vigilant and/or more forthcoming about breaches?
    I have the uncomfortable hunch that we do not hear about a lot of breaches at all the cloud services/hosters out there.

    1. Re:Do they tell us? by Seranfall · · Score: 5, Interesting

      The interesting question... is Hetzner sloppy about security, more so than its competitors, or are they actually more vigilant and/or more forthcoming about breaches? I have the uncomfortable hunch that we do not hear about a lot of breaches at all the cloud services/hosters out there.

      My real fear is that it's not because of willful lack of reporting of the breeches, but that the breeches are going on completely undetected that we aren't hearing more about them.

    2. Re:Do they tell us? by K.+S.+Kyosuke · · Score: 3, Funny

      My real fear is that it's not because of willful lack of reporting of the breeches, but that the breeches are going on completely undetected that we aren't hearing more about them.

      Bah, I can usually detect breeches by means of a quick visual scan, so I don't think that they can go undetected. I suspect that breeches are seldom reported these days because of the declining horse population.

      --
      Ezekiel 23:20
    3. Re:Do they tell us? by Inda · · Score: 2

      >>and the last 3 digits of credit card numbers (which should not really be an issue).

      It is an issue. With those three numbers, I can possibly gain authentication from another company for another account owned by the credit card holder. "Can you just confirm the last three digits of your credit card please?"

      It's all about gaining one little piece of information at a time until the full picture is seen.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  7. Re:Address space layout randomization? by K.+S.+Kyosuke · · Score: 2

    Forgive my ignorance, but how did ASLR not stop this?

    I think a much better question is why do we have remotely exploitable systems when we have tons of methodologies for constructing provably correct and safe programs.

    --
    Ezekiel 23:20
  8. English version of the article by datalife · · Score: 5, Informative

    There is an English version of the article, so there is no need to Google Translate the thing

    http://www.h-online.com/news/item/Hetzner-web-hosting-service-hacked-customer-data-copied-1884574.html

    --
    There are only 10 types of people in the world: Those who understand binary and those who don't.
  9. Re:Address space layout randomization? by zwarte+piet · · Score: 2

    More compiler specific than distro. And linux seems to be GCC always.