Slashdot Mirror

← Back to Stories (view on slashdot.org)

New In-Memory Rootkit Discovered By German Hoster

Posted by Soulskill on from the malware-arms-race dept.

New submitter einar2 writes "German hoster Hetzner informed customers that login data for their admin surface might have been compromised (Google translation of German original). At the end of last week, a backdoor in a monitoring server was found. Closer examination led to the discovery of a rootkit residing in memory. The rootkit does not touch files on storage but patches running processes in memory. Malicious code is directly injected into running processes. According to Hetzner the attack is surprisingly sophisticated."

11 of 91 comments (clear)

  1. Re:Kinda cool that they found it by Anonymous Coward · · Score: 5, Funny

    Even if you notice strange traffic, how do you actually find something that is only in memory?

    Through the power of Jesus Christ, our Lord and Savior.

  2. EvaPharmacy has been doing this for years... by AdamD1 · · Score: 5, Interesting

    This has actually been around since at least 2006.

    Russian spam operation EvaPharamacy have been using this approach to turn public servers they don't own into free hosting for all of their rogue pharmacy sites.

    You can read a pretty detailed description of this here:

    http://pharmalert.zoomshare.com/1.html

    The people who run EvaPharmacy (criminals, in my opinion, but also in others' opinion) do a lot of destructive things to your server while installing their proxy hosting / DNS software on your server, and they leave no trace of any files at all.

    ad

    --
    Because I can! [Brainrub.com]
    1. Re:EvaPharmacy has been doing this for years... by Anonymous Coward · · Score: 3, Informative

      I believe they mean with chattr, not with permissions:


      $ sudo -s
      # touch file
      # chmod 000 file
      # ls -l file
      ---------- 1 root root 0 Jun 7 15:28 file
      # cat > file
      asdf
      # cat file
      asdf
      # chattr +i file
      # cat > file
      bash: file: Permission denied

  3. Re:Kinda cool that they found it by Anonymous Coward · · Score: 5, Funny

    On a VMWare server I would create a snapshot and then analyze the contents of the memory

    I don't always examine a couple gigs of raw memory with no context on a summer Friday but when I do I prefer Xen.

  4. Do they tell us? by theduk3 · · Score: 5, Informative

    I have a root server from Hetzner and got the disclosure mail, which was very detailed.
    Customer data was compromised, including the hashed/salted passwords and the last 3 digits of credit card numbers (which should not really be an issue).

    This is not the first major breach at Hetzner, in 2011 managed server account passwords were compromised as well.
    Back then they advised customers to reset the passwords for all accounts for the admin panel.

    The interesting question... is Hetzner sloppy about security, more so than it's competitors, or are they actually more vigilant and/or more forthcoming about breaches?
    I have the uncomfortable hunch that we do not hear about a lot of breaches at all the cloud sevices/hosters out there.

    1. Re:Do they tell us? by Seranfall · · Score: 5, Interesting

      The interesting question... is Hetzner sloppy about security, more so than it's competitors, or are they actually more vigilant and/or more forthcoming about breaches? I have the uncomfortable hunch that we do not hear about a lot of breaches at all the cloud sevices/hosters out there.

      My real fear is that it's not because of willful lack of reporting of the breeches, but that the breeches are going on completely undetected that we aren't hearing more about them.

    2. Re:Do they tell us? by K.+S.+Kyosuke · · Score: 3, Funny

      My real fear is that it's not because of willful lack of reporting of the breeches, but that the breeches are going on completely undetected that we aren't hearing more about them.

      Bah, I can usually detect breeches by means of a quick visual scan, so I don't think that they can go undetected. I suspect that breeches are seldom reported these days because of the declining horse population.

      --
      Ezekiel 23:20
  5. Re:Kinda cool that they found it by centipedes.in.my.vag · · Score: 5, Informative

    You can walk-though and dump a running process' memory to file to analyze it later. Just reference the pid+offset and read. This style of patching a process (CREATE_SUSPENDED flag / Edit / ResumeThread) rather than editing the file itself is really popular when trying to defeat a CRC check, so methods to analyze it shouldn't surprise anyone.

    --
    Only on /. can I lose karma with 2x "5, Funny" posts.
  6. Re:Kinda cool that they found it by zlives · · Score: 3, Funny

    i think you mean XXen

  7. Re:yank out the sticks by centipedes.in.my.vag · · Score: 4, Informative

    No, you're misreading the article.

    "The rootkit does not touch files on storage but patches running processes in memory."

    The rootkit isn't in RAM only. The way that it attacks the daemon processes is done entirely in RAM.

    --
    Only on /. can I lose karma with 2x "5, Funny" posts.
  8. English version of the article by datalife · · Score: 5, Informative

    There is an english version of the article, so there is no need to Googletranslate the thing

    http://www.h-online.com/news/item/Hetzner-web-hosting-service-hacked-customer-data-copied-1884574.html

    --
    There are only 10 types of people in the world: Those who understand binary and those who don't.