I’m new here, so if I haven’t categorized my question properly I apologize. Thanks 0x00Sec for providing a forum to discuss and learn together.
I have a problem with a piece of malware that has bothered me for a long time.
I work in security, and sometimes dealing with malware is part of my job. Once, a host was infected with malware via an unauthorized Hadoop YARN API. This malware was run by an ordinary user, hadoop, and this hadoop user did not have much privilege to modify settings or files on the system.
Under normal circumstances, I use cp /proc/pid/exe /tmp/malware to recover the executable of a malicious process. Even if the file has been deleted, or the fileless malware uses the memfd_create call, the executable can still be recovered successfully with the cp command, unless the process is a kernel thread. But when I used the cp command to recover this malware process, the command returned
cp: cannot stat ‘/proc/pid/exe’: No such file or directory.
This is very strange. It is worth mentioning that I am the root user and use busybox cp.
What magic might this malware use?
I am very curious about the magic used by this malicious program. It hides its executable well, even though it runs as the ordinary user hadoop. I currently know of the following methods to achieve similar hiding:
- fuse: Ordinary users can mount a FUSE file system and run their own executable from it, then unmount the FUSE file system. As far as I know, the executable of the process cannot be recovered with the cp command at that point.
- nfs: similar to method 1
But these two methods of hiding one’s own executable that I know of are not the method used by the hadoop malware I encountered that time. So I am asking here: does any 0x00’er know what strange magic the malicious program may be using?
Looking forward to hearing any relevant points!
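The recovery step the post relies on (cp /proc/pid/exe) has a fallback that is worth having in a responder's toolkit: even when the exe link is gone, the process's executable mappings are still listed in /proc/pid/maps, and the mapped pages remain readable through /proc/pid/mem and /proc/pid/map_files/ for a process you are allowed to ptrace. The script below is an added example written for this thread, not code from the original post or from any project it mentions. It parses the maps format, picks out file-backed executable mappings, flags those whose backing file is deleted or is a memfd, and can dump the pages of a live process. The sample maps text and the paths in it (/home/hadoop/.cache/updater, /memfd:x) are constructed for illustration and do not come from the post.

```python
"""Triage helper: identify and recover the code backing a process when
/proc/<pid>/exe is missing, using /proc/<pid>/maps and /proc/<pid>/mem."""
import os
import re
import sys
from dataclasses import dataclass

# One line of /proc/<pid>/maps:
# start-end perms offset dev inode [path [(deleted)]]
MAPS_RE = re.compile(
    r'^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$'
)
DELETED_SUFFIX = ' (deleted)'

# Constructed sample (not from a real host): a main binary whose file was
# unlinked, a normal shared library, a memfd-backed mapping, and anonymous
# regions that carry no executable file at all.
SAMPLE_MAPS = """\
00400000-0040c000 r-xp 00000000 08:01 131094 /home/hadoop/.cache/updater (deleted)
0060b000-0060c000 rw-p 0000b000 08:01 131094 /home/hadoop/.cache/updater (deleted)
7f3a2c000000-7f3a2c021000 rw-p 00000000 00:00 0
7f3a2c400000-7f3a2c5b0000 r-xp 00000000 08:01 1052 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f3a2c800000-7f3a2c812000 r-xp 00000000 00:05 22 /memfd:x (deleted)
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
"""


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str
    deleted: bool


def parse_maps(text):
    """Parse the text of /proc/<pid>/maps into Mapping records."""
    result = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue  # skip anything that is not a maps line
        start, end, perms, _offset, _dev, inode, path = m.groups()
        deleted = path.endswith(DELETED_SUFFIX)
        if deleted:
            path = path[: -len(DELETED_SUFFIX)]
        result.append(Mapping(int(start, 16), int(end, 16), perms,
                              int(inode), path, deleted))
    return result


def candidate_executables(mappings):
    """File-backed mappings with execute permission, first occurrence per path.
    Pseudo-paths such as [stack] and [vdso] are excluded."""
    seen = {}
    for m in mappings:
        if 'x' not in m.perms or not m.path or m.path.startswith('['):
            continue
        seen.setdefault(m.path, m)
    return list(seen.values())


def classify(m):
    """Say where the bytes for this mapping can still be obtained."""
    if m.path.startswith('/memfd:'):
        return 'memfd'      # never existed on disk; read via /proc/<pid>/mem
    if m.deleted:
        return 'deleted'    # unlinked; still readable via map_files/ or mem
    return 'on-disk'        # plain file, copy it from the filesystem


def exe_status(pid):
    """Report whether /proc/<pid>/exe resolves, without following it."""
    try:
        return 'ok', os.readlink(f'/proc/{pid}/exe')
    except FileNotFoundError:
        return 'missing', None   # the case described in the post
    except PermissionError:
        return 'denied', None


def dump_mapping(pid, m, out_dir):
    """Copy the pages of one mapping out of /proc/<pid>/mem (needs ptrace
    access to the target, i.e. root or the same uid with ptrace allowed)."""
    os.makedirs(out_dir, exist_ok=True)
    out_path = os.path.join(out_dir, f'{pid}_{m.start:x}-{m.end:x}.bin')
    fd = os.open(f'/proc/{pid}/mem', os.O_RDONLY)
    try:
        data = os.pread(fd, m.end - m.start, m.start)
    finally:
        os.close(fd)
    with open(out_path, 'wb') as f:
        f.write(data)
    return out_path


if __name__ == '__main__':
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print('exe:', exe_status(pid))
    with open(f'/proc/{pid}/maps') as f:
        maps = parse_maps(f.read())
    for m in candidate_executables(maps):
        print(f'{m.start:#x}-{m.end:#x} inode={m.inode} {classify(m):8} {m.path}')
        if classify(m) != 'on-disk' and len(sys.argv) > 2:
            print('  dumped to', dump_mapping(pid, m, sys.argv[2]))
```

Run it as root with a pid and an output directory to dump any mapping whose file is no longer on disk; run it with no arguments to see the classification of your own process. A dump taken this way is the in-memory image of each segment, not the original ELF file, so hash it and note the inode from maps when recording the artifact.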