Hiding in plain sight: Modifying process names in Unix-like systems


Exploring ways malware on Linux and other UNIX-like systems can disguise its process name.

With a few minor tweaks to the original method, possibly first found in use by the Morris worm, threat actors employ the post-compromise technique today as a means to remain undetected: PR_SET_MM_MAP is passed to prctl along with a prctl_mm_map structure populated with the existing memory map of the running process and one change, a new address for arg_start and arg_end, which can be malloc'd on the heap or just straight page(s) from mmap. As far as I'm aware (please let me know if this is not the case), it is not possible to change comm in the BSDs or Solaris without loading a custom kernel module, and if we are going to do that, well, we may as well just write a rootkit to hide the process in the first place.
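The summary above describes the Linux side of the trick: /proc/PID/cmdline is read from whatever range arg_start..arg_end points at, so a process that repoints it can report any argv it likes. What it cannot change from user space is /proc/PID/exe (the binary actually mapped) or the fact that a normal argv lives inside the [stack] mapping. The following is an added detection example written for this page, not code from the article or from any project: it reads the constructed /proc samples embedded below (the live scan at the bottom reads the real /proc and needs root to see other users' arg_start), and flags processes whose argv[0], comm and exe disagree or whose argv has been moved off the stack. Treat hits as triage leads, not proof: some legitimate daemons (systemd, for instance) relocate argv the same way when renaming themselves, and setproctitle-style rewrites in place are deliberately tolerated.

```python
"""Spot Linux processes whose advertised name disagrees with what the kernel knows.

Added example (not from the original article). The /proc sample text below is
constructed; only the scan() at the bottom touches the real /proc.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass, field

TASK_COMM_LEN = 15  # kernel truncates comm to 15 bytes plus NUL


@dataclass
class Finding:
    pid: int
    reasons: list[str] = field(default_factory=list)


def parse_cmdline(raw: bytes) -> list[str]:
    """/proc/<pid>/cmdline is NUL-separated; empty for kernel threads and zombies."""
    return [p.decode(errors="replace") for p in raw.split(b"\0") if p]


def parse_stat_args(stat_text: str) -> tuple[int, int]:
    """Return (arg_start, arg_end), fields 48 and 49 of /proc/<pid>/stat per proc(5).

    comm sits in parentheses and may contain spaces or ')', so split on the last
    ')' first; after it, state is field 3 at index 0.
    """
    rest = stat_text[stat_text.rindex(")") + 1:].split()
    return int(rest[48 - 3]), int(rest[49 - 3])


_MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(maps_text: str) -> list[tuple[int, int, str]]:
    """Turn /proc/<pid>/maps into (start, end, path-or-label) triples."""
    out = []
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if m:
            out.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return out


def args_outside_stack(arg_start: int, arg_end: int, maps) -> bool:
    """True when argv does not lie inside [stack], where execve put it.

    arg_start == 0 means the kernel hid the field (no ptrace access), so don't guess.
    """
    if arg_start == 0:
        return False
    return not any(lbl == "[stack]" and lo <= arg_start < hi and lo < arg_end <= hi
                   for lo, hi, lbl in maps)


def name_mismatch(argv0: str, comm: str, exe: str) -> list[str]:
    """Compare the three names the kernel exposes; return human-readable reasons."""
    reasons = []
    if not exe:
        return reasons  # kernel thread, zombie or permission denied: nothing to compare
    deleted = exe.endswith(" (deleted)")
    exe_base = os.path.basename(exe[: -len(" (deleted)")] if deleted else exe)
    if deleted:
        reasons.append(f"running binary was unlinked from disk: {exe}")
    # Login shells prefix argv[0] with '-'; interpreters ("python3" for python3.12)
    # and in-place setproctitle users ("nginx: worker process") keep the binary name
    # as a prefix, so test prefixes both ways instead of equality.
    argv_base = os.path.basename(argv0.lstrip("-")) if argv0 else ""
    if argv_base and not (argv_base.startswith(exe_base) or exe_base.startswith(argv_base)):
        reasons.append(f"argv[0] {argv0!r} does not match exe {exe_base!r}")
    # comm defaults to the first 15 bytes of the executable name; a renamed
    # process usually changes it too (PR_SET_NAME), which is what we catch here.
    exe15 = exe_base[:TASK_COMM_LEN]
    if comm and not (exe15.startswith(comm) or comm.startswith(exe15)):
        reasons.append(f"comm {comm!r} does not match exe {exe_base!r}")
    return reasons


# Constructed samples for an ordinary sshd: argv inside [stack], names agree.
STACK_LO, STACK_HI = 0x7FFD9E3D5000, 0x7FFD9E3F6000
ARG_IN_STACK = 0x7FFD9E3F5C70
SAMPLE_STAT = ("4242 (sshd) S 1 4242 4242 0 -1 4194560 " + "0 " * 38
               + f"{ARG_IN_STACK} {ARG_IN_STACK + 15} 0 0 0")
SAMPLE_MAPS = (
    "5641a3c00000-5641a3c2d000 r--p 00000000 fd:01 1310778    /usr/sbin/sshd\n"
    "5641a5f1e000-5641a5f5a000 rw-p 00000000 00:00 0          [heap]\n"
    f"{STACK_LO:x}-{STACK_HI:x} rw-p 00000000 00:00 0          [stack]\n")


def inspect_pid(pid: int, procfs: str = "/proc") -> Finding:
    """Read the live /proc entries for one process and apply both checks."""
    base = f"{procfs}/{pid}"

    def read(name: str, mode: str = "r"):
        try:
            with open(f"{base}/{name}", mode) as fh:
                return fh.read()
        except OSError:
            return "" if mode == "r" else b""

    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = ""
    argv = parse_cmdline(read("cmdline", "rb"))
    finding = Finding(pid, name_mismatch(argv[0] if argv else "", read("comm").strip(), exe))
    stat = read("stat")
    if stat and argv:
        arg_start, arg_end = parse_stat_args(stat)
        if args_outside_stack(arg_start, arg_end, parse_maps(read("maps"))):
            finding.reasons.append(f"argv lives at {arg_start:#x}, outside [stack]")
    return finding


def scan(procfs: str = "/proc") -> list[Finding]:
    """Walk every numeric /proc entry; keep only processes with at least one reason."""
    return [f for f in (inspect_pid(int(e), procfs) for e in os.listdir(procfs) if e.isdigit())
            if f.reasons]


if __name__ == "__main__":
    for f in scan():
        print(f.pid, "; ".join(f.reasons))
```

The stack check is the one that maps directly onto the technique in the summary: moving arg_start to a malloc'd or mmap'd range leaves /proc/PID/stat pointing outside [stack], which an in-place argv overwrite never does. The name checks are deliberately loose (prefix matching both ways) so that login shells, interpreters and nginx/sshd-style worker titles do not flood the output.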
