http://www.h-online.com/security/news/i … 84574.html
According to Hetzner, the attackers displayed an unusually high level of sophistication: apparently, they used a previously unknown rootkit that doesn't touch any hard disk files. "Instead, it patches processes that are already running on the system and injects its malicious code directly into the target process image", explained Martin Hetzner. The executive said that the rootkit seamlessly manipulated the OpenSSH daemon and Apache in RAM, apparently without the need to restart the services. According to Hetzner, the rootkit is probably also able to manipulate ProFTPD. The number of reported incidents during which attackers manipulated the daemons of important programs is currently increasing. What appears to be a new approach is that the manipulation was carried out exclusively in RAM.
I find this very disturbing.
What can be done to prevent this, besides a proper firewall?
Last edited by Ashren (2013-06-08 07:36:11)
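The article above describes code being patched in the process image only, with the binaries on disk left untouched. The natural check for that is to compare each executable, file-backed mapping of a running daemon against the bytes of its backing file at the same file offset. The following script is an added example (not from the thread or from Hetzner's analysis) that does exactly that on Linux using /proc/<pid>/maps and /proc/<pid>/mem. It assumes an x86-64 Linux box where executable mappings carry no text relocations (true for normal PIE/ASLR builds), and the mapping lines and byte strings in the tests are constructed samples, not captures from a compromised host:

```python
#!/usr/bin/env python3
"""Spot in-memory patches to a running process's code.

Every executable mapping backed by a file is read from /proc/<pid>/mem and
compared with the same range of the on-disk file. A rootkit that patches
sshd or httpd in RAM leaves the file alone, so live bytes and file bytes
diverge. Caveat: reading another process's memory needs root (or the same
uid plus ptrace permission), and a kernel-level rootkit can lie to /proc.
"""
import os
import re
import sys
from dataclasses import dataclass
from typing import List, Tuple

# One /proc/<pid>/maps line, e.g.:
# 55d0c8a00000-55d0c8b2d000 r-xp 00026000 fd:01 1311   /usr/sbin/sshd
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    offset: int  # byte offset into the backing file
    path: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of /proc/<pid>/maps into Mapping records."""
    maps = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        maps.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                            m.group(3), int(m.group(4), 16), m.group(5).strip()))
    return maps


def code_mappings(maps: List[Mapping]) -> List[Mapping]:
    """Executable mappings backed by a real file ([vdso], [stack], anon skipped)."""
    return [m for m in maps if "x" in m.perms and m.path.startswith("/")]


def diff_runs(live: bytes, disk: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) runs where live bytes differ from disk bytes.

    disk is zero-padded to len(live): the tail of a mapping past EOF reads
    as zeros, exactly as the kernel fills it.
    """
    if len(disk) < len(live):
        disk = disk + b"\0" * (len(live) - len(disk))
    runs, start = [], None
    for i, (a, b) in enumerate(zip(live, disk)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(live) - start))
    return runs


def read_file_range(path: str, offset: int, length: int) -> bytes:
    with open(path, "rb") as f:
        f.seek(offset)
        return f.read(length)


def scan_pid(pid: int) -> List[Tuple[str, int, int]]:
    """Return (path, virtual address, length) for each patched run in pid.

    A length of 0 marks a mapping whose backing file is gone (" (deleted)"),
    which cannot be verified and deserves a look on its own.
    """
    with open(f"/proc/{pid}/maps") as f:
        maps = parse_maps(f.read())
    findings = []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for m in code_mappings(maps):
            if m.path.endswith(" (deleted)"):
                findings.append((m.path, m.start, 0))
                continue
            length = m.end - m.start
            mem.seek(m.start)
            live = mem.read(length)
            disk = read_file_range(m.path, m.offset, length)
            for off, n in diff_runs(live, disk):
                findings.append((m.path, m.start + off, n))
    return findings


if __name__ == "__main__":
    # Usage: sudo ./patchscan.py $(pidof sshd)   (no args: scan this process)
    pids = [int(a) for a in sys.argv[1:]] or [os.getpid()]
    for pid in pids:
        for path, addr, n in scan_pid(pid):
            if n == 0:
                print(f"pid {pid}: {path} backing file deleted, cannot verify")
            else:
                print(f"pid {pid}: {path} @ 0x{addr:x}: {n} byte(s) differ from disk")
```

A clean run prints nothing. Anything reported in the text of sshd, httpd, proftpd or the libraries they load (libc, libcrypto, PAM modules) is worth dumping and disassembling, since the file on disk no longer tells you what the process is actually executing.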
reboot
Edit: That is unlikely to help with the origin of the attack, where things should be fixed instead.
Last edited by teateawhy (2013-06-08 11:50:29)
Well, the biggest question is how the rootkit infected the system. You can keep the system off the internet on a separate network. You can run ssh on a different port than the default or disable it altogether. It spreads over the network, but there must be a file with code that gets executed first, and that file has to get onto one of the systems, like being on a USB drive.
I wonder if we are going to see this [1] (or similar) all over again.
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K