Dealing with Linux Malware
Rootkits, Backdoors, and More...
Utrecht, 19 March 2016
Michael Boelen, michael.boelen@cisofy.com
Agenda
Today
1. How do “they” get in
2. Why?
3. Malware types
4. In-depth: rootkits
5. Defenses
Interactive
● Ask
● Share
● Presentation
Michael Boelen
● Security Tools
○ Rootkit Hunter (malware scan)
○ Lynis (security audit)
● 150+ blog posts
● Founder of CISOfy
How do “they” get in
Intrusions
● Simple passwords
● Vulnerabilities
● Weak configurations
● Clicking on attachments
● Opening infected programs
Why?
Why?
● Spam
● Botnet
Types
Types
● Virus
● Worm
● Backdoor
● Dropper
● Rootkit
Rootkits 101
Rootkits
● (become | stay) root
● (software) kit
Rootkits
● Stealth
● Persistence
● Backdoor
How to be the best rootkit?
Hiding ★
In plain sight!
/etc/sysconfig/…
/tmp/mysql.sock
/bin/audiocnf
Hiding ★★
Slightly advanced
● Rename processes
● Delete file from disk
● Backdoor binaries
Hiding ★★★
Advanced
● Kernel modules
● Change system calls
● Hidden passwords
Demo
Rootkit Hunter
Detect the undetectable!
Challenges
● We can’t trust anything
● Even ourselves
● No guarantees
Continuous Game
Defense
Defenses
At least
● Perform security scans
● Protect your data
● System hardening
Scanning » Scanners
● Viruses → ClamAV
● Backdoors → LMD
● Rootkits → Chkrootkit / rkhunter
Scanning » File Integrity
● Changes
● Powerful detection
● Noise
Tools: AIDE / Samhain
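The three bullets above (changes, powerful detection, noise) in working form, as an added example that is not code from the slides or from AIDE/Samhain: a minimal file-integrity baseline that snapshots SHA-256, mode and owner per file, diffs two snapshots, and suppresses noise with ignore globs for paths that change legitimately. The directory tree, file names and contents in `demo()` are constructed sample data.

```python
# Added example, not code from the slides or from AIDE/Samhain: a minimal
# file-integrity baseline in their style. Records SHA-256, mode and owner per
# file, diffs two snapshots, and cuts "noise" with ignore globs for paths that change legitimately.
import fnmatch
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries don't fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, ignore_globs=()):
    """Snapshot every regular file below root: {relative path: (sha256, mode, uid)}."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full) or any(fnmatch.fnmatch(rel, g) for g in ignore_globs):
                continue  # skip symlinks and known-noisy paths
            st = os.stat(full)
            baseline[rel] = (file_digest(full), st.st_mode & 0o7777, st.st_uid)
    return baseline

def compare(old, new):
    """Files that appeared, disappeared, or changed in content, mode or owner."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p])}

def write(root, rel, data, mode="wb"):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), mode) as fh:
        fh.write(data)

def demo():
    """Constructed tree: baseline, then a dropped file, a replaced binary and log noise."""
    ignore = ("var/log/*",)
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/ls", b"original ls binary")
        write(root, "var/log/syslog", b"boot\n")
        before = build_baseline(root, ignore)
        write(root, "bin/audiocnf", b"unknown program")      # new file in a system dir
        write(root, "bin/ls", b"replaced ls binary")          # content changed
        write(root, "var/log/syslog", b"login\n", mode="ab")  # noise: log grew, ignored
        return compare(before, build_baseline(root, ignore))
```

In a real deployment the baseline must be stored and verified off-host (or on read-only media), since a rootkit with root can otherwise rewrite it along with the files it hides.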
System Hardening » Lynis
● Linux / UNIX
● Open source
● Shell
● Health scan
Conclusions
Conclusions
● Challenge: rootkits are hard to detect
● Prevent: system hardening
● Detect: recognize quickly, and act
You finished this presentation
Success!
More Linux security?
Presentations: michaelboelen.com/presentations/
Follow
● Blog: Linux Audit (linux-audit.com)
● Twitter: @mboelen