Memory-Only Backdoors (and kids teaching themselves)

Very clever software backdoor — after compromising a server, the attackers replace the Apache httpd binary with a trojaned one and change nothing else on the system. All configuration lives in memory and is pushed to the backdoor via specially obfuscated HTTP GET requests that never reach the normal Apache logs.

In other words, the attackers make as few changes to the system as possible… and then communicate via traffic that is as close as possible to the proper behavior of the software they backdoored.

Kind of like breaking no branches and packing out your trash when you go hiking — except in computer security terms.

Tripwire et al. should still spot this, at least if the baseline was taken before the compromise and the database lives somewhere the attacker can’t rewrite it, but FOSS Tripwire hasn’t been updated in years. Anyone know what the generally accepted replacement is?

Kids teaching themselves: this is awesome. Drop off pallets of laptops at an African village, explain nothing, and leave. Within five months, otherwise illiterate kids have hacked the OS to restore intentionally disabled hardware features. Benefits of not being exposed to the Western public school system (Prussian-designed, explicitly, to produce industrial workers)?

“On cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one. This new backdoor is very sophisticated and we worked with our friends from ESET to provide this report on what we are seeing.[…]

A good and reliable way to identify the modified binary is by searching for “open_tty” on the httpd directory:

# grep -r open_tty /usr/local/apache/

If it finds open_tty in your Apache binary, it is likely compromised, since the original Apache binary does not contain a call to open_tty. Another interesting point is that if you try to just replace the bad binary with a good one, you will be denied, because they set the file attribute to immutable. So you have to run chattr -ai before replacing it:

# chattr -ai /usr/local/apache/bin/httpd […]

The backdoor leaves no traces on the hard drive of compromised hosts other than its modified httpd binary. All the information related to the backdoor is stored in shared memory, the configuration is pushed by the attacker through obfuscated HTTP requests that aren’t logged in normal Apache logs. This means that no command and control information is stored anywhere on the system. ..
The HTTP server is equipped with a reverse connect backdoor that can be triggered via a special HTTP GET request. It is invoked when a request to a special path is made with a query string in a particular format, containing the hostname and port to connect to. The client IP of the HTTP dialog is used as a key to decrypt the query string as a 4 byte XOR key. Additionally, the IP specified in X-Real-IP or X-Forwarded-For headers will override the client IP as the XOR key. This means we can craft an X-Real-IP header that will in effect be a “\x00\x00\x00\x00” key… ”
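Here is the quoted grep/chattr check turned into a script, an example I am adding here rather than code from Sucuri or ESET: it streams every file under the Apache directory looking for the open_tty string (so a marker that straddles a read boundary is not missed), and for each hit asks lsattr whether the immutable bit is set. Beyond what the quote says, it assumes the default directory /usr/local/apache, that lsattr from e2fsprogs is the way to read the attribute (the result is None when it is unavailable or refuses the path), and Python 3.7 or newer.

```python
# Added example, not part of the Sucuri/ESET report: an offline check for
# the two indicators quoted above, a reference to open_tty inside the httpd
# binary and the immutable attribute that blocks replacing it.
# Assumptions: the default marker and directory come from the quoted text;
# `lsattr` (e2fsprogs) is used for the attribute check, returning None when
# it is unavailable.
import os
import shutil
import subprocess

MARKER = b"open_tty"
CHUNK = 1 << 20  # read 1 MiB at a time


def file_contains(path, marker=MARKER):
    """Stream the file in chunks, keeping an overlap of len(marker)-1 bytes
    so a marker that straddles a chunk boundary is still found."""
    keep = len(marker) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            buf = tail + chunk
            if marker in buf:
                return True
            tail = buf[-keep:] if keep else b""


def is_immutable(path):
    """True/False from the 'i' flag in `lsattr` output; None if lsattr is
    missing or refuses the path (e.g. a filesystem without attributes)."""
    if shutil.which("lsattr") is None:
        return None
    r = subprocess.run(["lsattr", "-d", path], capture_output=True, text=True)
    if r.returncode != 0 or not r.stdout.strip():
        return None
    flags = r.stdout.split()[0]  # e.g. "----i---------e-----"
    return "i" in flags


def audit(directory="/usr/local/apache"):
    """Return {path: {"marker": True, "immutable": bool|None}} for every
    regular file under `directory` that contains the marker."""
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            try:
                if file_contains(p):
                    findings[p] = {"marker": True, "immutable": is_immutable(p)}
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return findings


if __name__ == "__main__":
    import sys

    hits = audit(sys.argv[1] if len(sys.argv) > 1 else "/usr/local/apache")
    for p, info in hits.items():
        note = " (immutable: run chattr -ai before replacing)" if info["immutable"] else ""
        print(f"SUSPECT {p}{note}")
    sys.exit(1 if hits else 0)
```

Run it as root against /usr/local/apache (or pass another directory); exit status 1 means something was flagged. A hit is a strong indicator rather than proof, since any binary that legitimately references open_tty would match too, and, as with Tripwire, a known-good hash of httpd taken before the compromise remains the better reference.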
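To make that last paragraph concrete, here is a model of the trigger decoding (my own added example, not the report’s code and not a reproduction of the backdoor): the key is the four bytes of the IPv4 client address, a proxy header overrides that address, and so a request carrying X-Real-IP: 0.0.0.0 is “decrypted” with an all-zero key and can carry the host and port in the clear. The real backdoor’s path, query encoding and plaintext layout are not on this page; here the query string is treated as raw bytes, the plaintext as host:port, the header value as a single bare IPv4 address (unparseable values are ignored and the peer address used), and X-Real-IP is checked before X-Forwarded-For. The addresses are constructed from the RFC 5737 documentation ranges.

```python
# Added example, not code from the Sucuri/ESET report: a model of the
# reverse-connect trigger decoding quoted above.  Everything not stated on
# the page is an assumption: the query string is raw bytes, the plaintext is
# "host:port", an override header holds a single bare IPv4 address, and
# X-Real-IP is consulted before X-Forwarded-For.
import ipaddress
from itertools import cycle

OVERRIDE_HEADERS = ("x-real-ip", "x-forwarded-for")


def ip_to_key(ip: str) -> bytes:
    """The 4-byte XOR key is the packed IPv4 address: 203.0.113.7 -> cb 00 71 07."""
    return ipaddress.IPv4Address(ip).packed


def xor(data: bytes, key: bytes) -> bytes:
    """XOR with the key repeated; symmetric, so one function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def effective_key(client_ip: str, headers: dict) -> bytes:
    """Key as the backdoor derives it: a proxy-style header, if present and
    parseable, overrides the TCP peer address.  That is the weakness in the
    quoted text: the sender controls the header, so the sender picks the key."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in OVERRIDE_HEADERS:
        value = lowered.get(name)
        if value is None:
            continue
        try:
            return ip_to_key(value.strip())
        except ipaddress.AddressValueError:
            pass  # assumption: an unparseable override is ignored
    return ip_to_key(client_ip)


def decode_trigger(client_ip: str, headers: dict, query: bytes):
    """Recover (host, port) from the encrypted query string, or None when the
    key does not fit (non-ASCII bytes or no host:port structure)."""
    plain = xor(query, effective_key(client_ip, headers))
    try:
        host, port = plain.decode("ascii").rsplit(":", 1)
        return host, int(port)
    except (UnicodeDecodeError, ValueError):
        return None


if __name__ == "__main__":
    # Constructed sample addresses (RFC 5737 documentation ranges).
    attacker, listener = "203.0.113.7", b"198.51.100.9:4444"

    # 1) Intended use: the attacker encrypts with their own address as the key.
    blob = xor(listener, ip_to_key(attacker))
    print("from attacker IP :", decode_trigger(attacker, {}, blob))

    # 2) The same bytes arriving from a different peer: key mismatch, no trigger.
    print("from other peer  :", decode_trigger("192.0.2.1", {}, blob))

    # 3) The header override: X-Real-IP: 0.0.0.0 gives a key of four zero
    #    bytes, so the query can be sent in the clear from any address.
    print("X-Real-IP 0.0.0.0:",
          decode_trigger("192.0.2.1", {"X-Real-IP": "0.0.0.0"}, listener))
```

Case 2 shows why the key is bound to the peer address at all: bytes replayed or relayed from another host do not decode, so the trigger does not fire on third-party traffic. The header override undoes that, and it also hands the defender something to look for: the backdoor keeps these requests out of Apache’s own logs, but a packet capture or any device in front of the server still sees GET requests carrying X-Real-IP or X-Forwarded-For with 0.0.0.0 or another address the sender has no business claiming.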
