back to article Revealed: Malware that skulks in memory, invisibly collecting sysadmins' passwords

Cybercriminals have hit scores of enterprises in 40 countries using hidden malware. Banks, telecommunication companies and government organisations in the US, South America, Europe and Africa have already been hit by the ongoing (and stealthy) attacks. Kaspersky Lab experts report that the attacks harness widely available …

  1. Anonymous Coward
    Anonymous Coward

    How is this new?

    Meterpreter has existed for a very long time now, and is well known for being memory resident, which is why you can bypass 'traditional' AV which ususally looks at binaries on disk access. Wrap your meterpreter payload in msfvenom or veil-evasion and voila - you have an AV bypass. Invoking mimikatz with powershell to dump the credentials is also a common pentester habit - but again, hardly new.

  2. Version 1.0 Silver badge

    Who reboots these days?

    It will be interesting if this has made the transition from servers to workstations, all of our workstations in the office just sleep at night and only reboot to apply an update.

    1. Rich 11 Silver badge

      Re: Who reboots these days?

      I'm paranoid and shut my PC down at the end of the day. I'd do the same to my servers, but my boss won't let me...

      1. MrDamage

        Re: Who reboots these days?

        Take a leaf out of Simon's book, and shut the boss down.

        Bonus points if you "accidentally" make it permanent.

  3. Anonymous Coward

    Cybercriminals and open source exploit code

    "The use of open source exploit code, common Windows utilities and unknown domains makes it almost impossible to determine the group responsible – or even whether it is a single group or several groups sharing the same tools"

    Do you have a link to the license for this 'open source exploit code'. How exactly does Meterpreter initally infect the target Windows computer?

    1. DJ Smiley

      Re: Cybercriminals and open source exploit code

      The infectee runs a exectuable.

      1. PatientOne

        Re: Cybercriminals and open source exploit code

        So the person infecting the system has to have access to the system to execute the code... or are they sending the code in via infected e-mail (suchg as a binary) or drive-by from a web page (such as a javascript exploit?).

        I'd guess it's someone getting into the system and executing the code from their computer, or they remove the executionable once the code is in memory, so the problem is still with the initial intrusion. Doesn't make it any better, of cause, but understanding the process is important in developing a counter - and to be honest, what AV / Malware protection doesn't periodically scan the memory anyway? Or is it simply that the scripts don't show as malicious so go unreported?

        Would be interesting to see what emerges from the investigation - if anything.

        1. tr1ck5t3r

          Re: Cybercriminals and open source exploit code

          Ask yourself if any of your devices, beit an addon graphics card, HD, bios/uefi, can have its firmware updated?

          If it can, then ask yourself if the typical default option in UEFI to allow virtualisation would make it possible to run virtual malware loaded via a shim in the UEFI, before the main OS.

          I suspect Kasperksy may not have found the treasure chest, just a gold coin.

          Even the NSA's TENS can update your bios/uefi and other malware if its connect to the net.

          So you think by setting a user and/or admin password for your bios/uefi means your system is secure?

          Once that password has been put in, can you update your bios/uefi from the OS?

          Do device manufacturers and rebranders provide any software to validate their firmware?

          Can you update the firmware of your addon graphics cards without having to short some jumper pins?

          Can you update the firmware of your hard disk like a Samsung Evo SSD without having to short some jumper pins?

          Sometimes your only clue you have been hacked is to watch the network lights and the hard disk lights when your machine boots up.

          EG. If you switch on your PC and before it displays the bios/UEFI screen, you see a flurry of disk light activity, chances are your Bios/UEFI has a shim inserted, a simple couple lines of assembler, which directs your Bios/UEFI to another address which might be on your hard drive, or in your graphics card.

          As these firmware chips always have space for future updates, its never detected. Has anyone checked the source code of their favourite Pen Testing distro and know what its doing?

          So many people trust what they buy or download, they offload their responsibilities.

          Who knows that BT & TalkTalk stream their TV & Film services over IPv6?

          Simple test if you have one of these services, watch something online and then download something massive like a Linux distro from your computer over IPv4. Your IPv4 download will come down at max speed, provided your firewall allows IPv6.

          Spot the anomalies and you cant spot the spooks, but they also play their games over decades, as it starts with your school reports and medical records, if not your parents or relatives if they weren't socially compliant and docile!

          Tarred with the same brush springs to mind, in the name of Defence.

          Who said Signal Intelligence was just hacking computers? Everybody is known to the spooks, its just they cant predict when someone loses it. Lets face it, most people cant even predict when they will lose it, so is it any surprise that the US is building a wall, and clamping down on illegals? Peoples education and upbringing can create cognitive dissonance which usually generates a lot of anger. Some Middle Eastern countries are not up to speed with the way the Western society works, as we see in German with young girls being groped in swimming pools as one example.

          Resource Burn, its a valid technique when hacking, and lets face it, I know of no pen tester or AV coder who knows all the code in the software they rely on, hell none of you even know the code in your firmware.

          Is it any wonder, millions of systems around the world are already pwned?

          The important question everyone should be asking is, is it right that the Govt spies on you, using a variety of centralised databases and other methods from the day you are born though?

          They are killing off the intelligent one's who can spot these things, which makes them no better than the terrorists, pedo's, rapists, drug dealers, killers or any other human action which has been made a crime because no one has a say over the laws you are born unto!

    2. Jim Cosser

      Re: Cybercriminals and open source exploit code

      Find a vulnerability on the machine that will allow remote code execution (Scanning with Nessus/OpenVAS whatever floats your boat) and set meterpreter as the payload within Metasploit...Done

      Escalate privs if required, dump hashes, have fun.

  4. John Smith 19 Gold badge

    Youtube vid from about 2013? "Living off the land" Derbycom

    IE not writing to disk.

    Looks like someone's not checking what's running on their critical servers very often.

    1. Anonymous Coward
      Anonymous Coward

      Re: Youtube vid from about 2013? "Living off the land" Derbycom

      "Looks like someone's not checking what's running on their critical servers very often."

      Or maybe they are checking and don't know how to distinguish between legit code and malware.

      Or maybe the malware has hidden itself, given sufficiently privileged access.

      Quite a few possibilities.

      What's obviously not possible is people (including those at AV companies) looking at running critical parts of the business on an OS that has a bit more solidity than a sieve. Not possible this year anyway. And given the DerbyCon reference was 2013, and Stuxnet was 2010, [and ...], maybe some people don't *want* to think about it. Ever.

      Have a lot of fun.

  5. Anonymous Coward
    Anonymous Coward

    Since companies often don't have internal firewalls

    Infecting one PC with memory resident malware would allow it to infect other PCs using any random remote exploit combined with an escalation of privileges once aboard the new target.

    Then even rebooting won't fix anything, you'll be reinfected by one of the other infected PCs. Even after a patch Tuesday update everything will eventually be reinfected, since not every PC will be rebooted at the same time. Even if the hole being used is patched, or an AV software vendor developed detection for it, the malware could download updates to continue operation (masquerading as what looks like normal web queries to mask the activity)

    It written well enough and properly maintained, it could essentially be immortal. What are you going to do, get everyone in the company to shut down every PC all at once? Yeah right!

    1. P. Lee

      Re: Since companies often don't have internal firewalls

      Private VLANs FTW!

      Do your clients ever need to talk to each other?

  6. Robert D Bank


    haven't heard of any cases of z/OS being hacked this way, probably because it's not really possible without access run authorised programs.

  7. Nolveys

    Windows Slop Bucket

    There are so many goofy services running by default under Windows that it makes it quite difficult to spot things that shouldn't be there. I ran into a machine the other week that was running out of memory because WinHttpAutoProxySvc has a memory leak. That's a service that runs by default and that automatically searches for proxies to connect to. Why in the name of dog would such a thing be running by default?

    That's just considering the stuff that comes with the OS. Once other software gets installed you can be guaranteed to find WhoKnowsWhatThisCouldPossiblyDo.exe running through svchost.exe. You search the tubes for it find "That was installed by Adobe, nobody knows what it does."

    I'm seeing the same thing creeping into Linux systems too. It wasn't that long ago that "ps aux" on a server would give a fairly short list of processes, each of which were well known.

  8. David Lawrence

    Cynic? Moi?

    I can't help noticing that most scary stories (TM) like this one follow the same template....

    Web and Network Security Expert (insert name here) warns of very scary exploit (insert exploit name here) that might make you sufficiently scared that you might want to consider.....

    a) Purchasing Web and Network Security Expert (insert name here)'s latest exploit defence software (insert product name here)

    b) Procuring the services of Web and Network Security Expert (insert name here) to give your setup an overhaul/assessment.

    c) Attending Web and Network Security Expert (insert name here)'s next seminar where you can hear more scary stories(TM) and get the low down on how great their software/services/seminars really are.

    Or better still, all three!!

  9. Aodhhan

    Don't you hate it


    It's ridiculously selfish, not to mention stealing... when you don't provide direct references to the original blog/article etc. you are paraphrasing or copying. Especially, when you provide only 20% of the original article, which can be found at Kaspersky's Securelist blog here:

    ..effing thieves.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021