Slashdot Mirror


New In-Memory Rootkit Discovered By German Hoster

New submitter einar2 writes "German hoster Hetzner informed customers that login data for their admin surface might have been compromised (Google translation of German original). At the end of last week, a backdoor in a monitoring server was found. Closer examination led to the discovery of a rootkit residing in memory. The rootkit does not touch files on storage but patches running processes in memory. Malicious code is directly injected into running processes. According to Hetzner the attack is surprisingly sophisticated."


  1. Re:Kinda cool that they found it by Anonymous Coward · · Score: 5, Funny

    Even if you notice strange traffic, how do you actually find something that is only in memory?

    Through the power of Jesus Christ, our Lord and Savior.

  2. EvaPharmacy has been doing this for years... by AdamD1 · · Score: 5, Interesting

    This has actually been around since at least 2006.

    Russian spam operation EvaPharmacy has been using this approach to turn public servers they don't own into free hosting for all of their rogue pharmacy sites.

    You can read a pretty detailed description of this here:

    http://pharmalert.zoomshare.com/1.html

    The people who run EvaPharmacy (criminals, in my opinion, but also in others' opinion) do a lot of destructive things to your server while installing their proxy hosting / DNS software on your server, and they leave no trace of any files at all.

    ad

    --
    Because I can! [Brainrub.com]
  3. Re:Kinda cool that they found it by Anonymous Coward · · Score: 5, Funny

    On a VMware server I would create a snapshot and then analyze the contents of the memory

    I don't always examine a couple gigs of raw memory with no context on a summer Friday but when I do I prefer Xen.

  4. Do they tell us? by theduk3 · · Score: 5, Informative

    I have a root server from Hetzner and got the disclosure mail, which was very detailed.
    Customer data was compromised, including the hashed/salted passwords and the last 3 digits of credit card numbers (which should not really be an issue).

    This is not the first major breach at Hetzner, in 2011 managed server account passwords were compromised as well.
    Back then they advised customers to reset the passwords for all accounts for the admin panel.

    The interesting question... is Hetzner sloppy about security, more so than its competitors, or are they actually more vigilant and/or more forthcoming about breaches?
    I have the uncomfortable hunch that we do not hear about a lot of breaches at all the cloud services/hosters out there.

    1. Re:Do they tell us? by Seranfall · · Score: 5, Interesting

      The interesting question... is Hetzner sloppy about security, more so than its competitors, or are they actually more vigilant and/or more forthcoming about breaches? I have the uncomfortable hunch that we do not hear about a lot of breaches at all the cloud services/hosters out there.

      My real fear is that it's not because of willful lack of reporting of the breaches, but that the breaches are going on completely undetected that we aren't hearing more about them.

  5. Re:Kinda cool that they found it by centipedes.in.my.vag · · Score: 5, Informative

    You can walk through and dump a running process' memory to file to analyze it later. Just reference the pid+offset and read. This style of patching a process (CREATE_SUSPENDED flag / Edit / ResumeThread) rather than editing the file itself is really popular when trying to defeat a CRC check, so methods to analyze it shouldn't surprise anyone.

    --
    Only on /. can I lose karma with 2x "5, Funny" posts.
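    The comment above describes the detection approach in one line: walk a process by pid+offset and read its memory. The script below is an added example (editor's code, not from this thread, not from Hetzner) that does this on Linux: it parses /proc/<pid>/maps, reads each file-backed executable mapping through /proc/<pid>/mem, reads the same byte range from the file the mapping came from, and reports runs of bytes that differ. A rootkit that patches running daemons but never touches files on disk shows up exactly as such a run. It assumes the standard /proc layout, ptrace permission on the target (root, or the same uid with Yama's ptrace_scope permitting it), and a constructed sample of maps output and of a patched function prologue for offline use.

    ```python
    """Compare a live process' executable mappings with the files they were
    mapped from, to spot code patched in memory but not on disk.

    Added example, not code from the thread or from Hetzner. Assumes Linux
    /proc semantics; reading /proc/<pid>/mem needs ptrace permission.
    """
    import os
    import re
    import sys
    from dataclasses import dataclass

    # One /proc/<pid>/maps line: start-end perms offset dev inode [path]
    MAPS_RE = re.compile(
        r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) (\S+) (\d+)\s*(.*)$"
    )

    # Constructed sample of maps output (not captured from a real host).
    SAMPLE_MAPS = """00400000-00452000 r-xp 00000000 08:01 131073 /usr/sbin/sshd
    00651000-00653000 r--p 00051000 08:01 131073 /usr/sbin/sshd
    01b4a000-01b6b000 rw-p 00000000 00:00 0 [heap]
    7f2c8b3a2000-7f2c8b55a000 r-xp 00000000 08:01 1052 /lib/x86_64-linux-gnu/libc-2.17.so
    7ffd3c1f9000-7ffd3c1fb000 r-xp 00000000 00:00 0 [vdso]
    """


    @dataclass
    class Mapping:
        start: int    # virtual address where the mapping begins
        end: int      # one past the last mapped byte
        perms: str    # e.g. "r-xp"
        offset: int   # byte offset into the backing file
        path: str     # backing file


    def parse_maps(text):
        """Return file-backed executable mappings; skips heap, stack, vdso, anon."""
        out = []
        for line in text.splitlines():
            m = MAPS_RE.match(line.strip())
            if not m:
                continue
            start, end, perms, offset, _dev, _inode, path = m.groups()
            if "x" not in perms or not path.startswith("/"):
                continue
            out.append(Mapping(int(start, 16), int(end, 16), perms, int(offset, 16), path))
        return out


    def diff_regions(mem, disk):
        """Return (offset, length) runs where mem and disk differ, over the common length."""
        runs = []
        n = min(len(mem), len(disk))
        i = 0
        while i < n:
            if mem[i] == disk[i]:
                i += 1
                continue
            j = i
            while j < n and mem[j] != disk[j]:
                j += 1
            runs.append((i, j - i))
            i = j
        return runs


    def read_process_region(pid, mapping):
        """Read mapping's bytes from the live process via /proc/<pid>/mem (pid+offset)."""
        with open(f"/proc/{pid}/mem", "rb", buffering=0) as f:
            f.seek(mapping.start)
            return f.read(mapping.end - mapping.start)


    def read_file_region(mapping):
        """Read the same range from the backing file on disk."""
        with open(mapping.path, "rb") as f:
            f.seek(mapping.offset)
            return f.read(mapping.end - mapping.start)


    def scan_pid(pid):
        """Return (path, virtual address, file offset, length) for every in-memory-only change."""
        with open(f"/proc/{pid}/maps") as f:
            mappings = parse_maps(f.read())
        findings = []
        for m in mappings:
            try:
                mem, disk = read_process_region(pid, m), read_file_region(m)
            except OSError:
                continue  # unreadable or deleted backing file; worth a look by hand
            for off, length in diff_regions(mem, disk):
                findings.append((m.path, m.start + off, m.offset + off, length))
        return findings


    def demo_patched_prologue():
        """Constructed x86-64 prologue vs. the same bytes with a jmp written over it."""
        disk = b"\x55\x48\x89\xe5\x48\x83\xec\x10"   # push rbp; mov rbp,rsp; sub rsp,0x10
        mem = b"\xe9\x00\x10\x00\x00\x83\xec\x10"    # jmp +0x1000 overwrote the first 5 bytes
        return diff_regions(mem, disk)


    if __name__ == "__main__":
        target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
        for path, vaddr, foff, length in scan_pid(target):
            print(f"{path}: {length} bytes differ at 0x{vaddr:x} (file offset 0x{foff:x})")
    ```

    Two caveats a practitioner would want. First, a few libraries carry text relocations (DT_TEXTREL), and those regions legitimately differ from the file, so a hit there needs a second look rather than an alarm. Second, a rootkit that patches running processes can also patch the scanner's own libc, so run this as a static binary copied in from outside, or, as comment 3 suggests, against a memory snapshot taken from the hypervisor rather than from inside the compromised guest.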
  6. Re:yank out the sticks by centipedes.in.my.vag · · Score: 4, Informative

    No, you're misreading the article.

    "The rootkit does not touch files on storage but patches running processes in memory."

    The rootkit isn't in RAM only. The way that it attacks the daemon processes is done entirely in RAM.

    --
    Only on /. can I lose karma with 2x "5, Funny" posts.
  7. English version of the article by datalife · · Score: 5, Informative

    There is an English version of the article, so there is no need to Google-translate the thing:

    http://www.h-online.com/news/item/Hetzner-web-hosting-service-hacked-customer-data-copied-1884574.html

    --
    There are only 10 types of people in the world: Those who understand binary and those who don't.