New Even-Sneakier Web Backdoor Discovered (and great uses of access control, and a litte more eschatology)

One of Germany’s largest web hosts has found perhaps the world’s sneakiest software backdoor… a really-only-in-memory rootkit that doesn’t change any files at all.

It sounds like a more advanced version of a backdoor I covered a while back that stored all its configuration in memory and altered only the binary file. (

This one doesn’t even change the file. Implications? Since there’s no persistence across reboots, the server would have to be manually (automatically?) re-compromised every time. Sounds like the work of someone who really, really didn’t want to get caught and was willing to put in a lot of extra work to minimize chances of detection.

Great uses of access control: to provide a full audit trail for enabling/disabling remote network access. And provide hot coffee for the sysadmin when he walks in the building every morning. Seems like a great way to minimize both attack surface and security fuck-ups.

A little more eschatology: As much as I hate mentioning anything related to the “circenses” that are politics over there (well, everywhere really, but y’all got a particularly bad case) this is just too good.

The headphones remind me all too much of this guy ( —
doubly ironic since the recent leaks are in many respects a reprise of rather more comprehensive documents the Stasi/MfS famously acquired decades ago.

“To our knowledge, the malicious program that we have discovered is as yet unknown and has never appeared before.

The malicious code used in the “backdoor” exclusively infects the RAM. First analysis suggests that the malicious code directly infiltrates running Apache and sshd processes. Here, the infection neither modifies the binaries of the service which has been compromised, nor does it restart the service which has been affected.

The standard techniques used for analysis such as the examination of checksum or tools such as “rkhunter” are therefore not able to track down the malicious code.

We have commissioned an external security company with a detailed analysis of the incident to support our in-house administrators. At this stage, analysis of the incident has not yet been completed. “

%d bloggers like this: