New In-Memory Rootkit Discovered By German Hoster
New submitter einar2 writes "German hoster Hetzner informed customers that login data for their admin surface might have been compromised (Google translation of German original). At the end of last week, a backdoor in a monitoring server was found. Closer examination led to the discovery of a rootkit residing in memory. The rootkit does not touch files on storage but patches running processes in memory. Malicious code is directly injected into running processes. According to Hetzner the attack is surprisingly sophisticated."
Kinda cool that they found it (Score:2, Interesting)
Even if you notice strange traffic, how do you actually find something that is only in memory?
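Taking up the question above about finding code that exists only in memory: on Linux the kernel itself exposes what each process is executing through /proc, and a responder can compare that against what is on disk. The following is an added example, not code from the story or from Hetzner, showing two checks. The first flags executable mappings that have no file behind them, that are both writable and executable, or that are backed by a deleted file. The second diffs a file-backed executable mapping byte-for-byte against the on-disk binary it claims to come from, so a function patched in RAM shows up even though nothing on disk changed. The sample maps text, the byte strings, and the names parse_maps, suspicious_mappings, diff_text_segment and check_live_process are constructed for this example.

```python
import re
from dataclasses import dataclass

# /proc/<pid>/maps line layout: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)
# Kernel-provided executable mappings that are legitimately anonymous.
KERNEL_MAPS = {"[vdso]", "[vsyscall]"}


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    offset: int
    inode: int
    path: str


def parse_maps(text):
    """Parse the text of /proc/<pid>/maps into Mapping records."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            mappings.append(Mapping(int(m[1], 16), int(m[2], 16), m[3],
                                    int(m[4], 16), int(m[6]), m[7].strip()))
    return mappings


def suspicious_mappings(mappings):
    """Return (mapping, reason) pairs for executable regions a plain native
    daemon should not have. JIT runtimes (Java, browsers, some interpreters)
    create anonymous rwx regions legitimately, so hits are leads, not verdicts."""
    findings = []
    for mp in mappings:
        if "x" not in mp.perms:
            continue
        if mp.inode == 0 and mp.path not in KERNEL_MAPS:
            findings.append((mp, "anonymous executable mapping"))
        elif "w" in mp.perms:
            findings.append((mp, "writable and executable mapping"))
        elif mp.path.endswith(" (deleted)"):
            findings.append((mp, "executable backed by a deleted file"))
    return findings


def diff_text_segment(mem_bytes, file_bytes):
    """Offsets (relative to the mapping start) where the code read from
    /proc/<pid>/mem differs from the same range of the file on disk.
    .text is not relocated at load time, so any difference means the
    code was altered after it was mapped."""
    n = min(len(mem_bytes), len(file_bytes))
    return [i for i in range(n) if mem_bytes[i] != file_bytes[i]]


def check_live_process(pid):
    """Run both checks on a real process. Reading /proc/<pid>/mem needs
    ptrace rights (normally root). Returns (mapping_findings, patched)."""
    with open(f"/proc/{pid}/maps") as f:
        mappings = parse_maps(f.read())
    findings = suspicious_mappings(mappings)
    patched = []
    with open(f"/proc/{pid}/mem", "rb") as mem:
        for mp in mappings:
            if ("x" not in mp.perms or mp.inode == 0
                    or not mp.path.startswith("/") or "(deleted)" in mp.path):
                continue
            size = mp.end - mp.start
            try:
                mem.seek(mp.start)
                in_ram = mem.read(size)
                with open(mp.path, "rb") as disk:
                    disk.seek(mp.offset)
                    on_disk = disk.read(size)
            except OSError:
                continue  # region not readable or file replaced; note it elsewhere
            diffs = diff_text_segment(in_ram, on_disk)
            if diffs:
                patched.append((mp, diffs[:16]))
    return findings, patched


# Constructed sample maps for an sshd-like process: one injected anonymous
# rwx region and one executable mapping whose backing file was removed.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 131 /usr/sbin/sshd
00651000-00652000 r--p 00051000 08:01 131 /usr/sbin/sshd
00652000-00653000 rw-p 00052000 08:01 131 /usr/sbin/sshd
01a0b000-01a2c000 rw-p 00000000 00:00 0 [heap]
7f3c6e1ab000-7f3c6e1ac000 rwxp 00000000 00:00 0
7f3c6e3f0000-7f3c6e5a0000 r-xp 00000000 08:01 4521 /lib/x86_64-linux-gnu/libc-2.17.so
7f3c6e600000-7f3c6e601000 r-xp 00000000 08:01 9981 /tmp/.x (deleted)
7ffd2b9c0000-7ffd2b9e1000 rw-p 00000000 00:00 0 [stack]
7ffd2b9fe000-7ffd2ba00000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for mp, why in suspicious_mappings(parse_maps(SAMPLE_MAPS)):
        print(f"{mp.start:x}-{mp.end:x} {mp.perms} {mp.path or '<anon>'}: {why}")
```

The mapping check is cheap enough to sweep every PID on a box, and the byte-for-byte diff is what memory forensics tools do more thoroughly against a captured image, which is the better route once the running kernel itself is in doubt.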
EvaPharmacy has been doing this for years... (Score:5, Interesting)
This has actually been around since at least 2006.
Russian spam operation EvaPharmacy has been using this approach to turn public servers they don't own into free hosting for all of their rogue pharmacy sites.
You can read a pretty detailed description of this here:
http://pharmalert.zoomshare.com/1.html
The people who run EvaPharmacy (criminals, in my opinion, but also in others' opinion) do a lot of destructive things to your server while installing their proxy hosting / DNS software on your server, and they leave no trace of any files at all.
Re:Do they tell us? (Score:5, Interesting)
The interesting question... is Hetzner sloppy about security, more so than its competitors, or are they actually more vigilant and/or more forthcoming about breaches? I have the uncomfortable hunch that we do not hear about a lot of breaches at all the cloud services/hosters out there.
My real fear is that it's not because of willful lack of reporting of the breaches, but that the breaches are going on completely undetected that we aren't hearing more about them.