understanding linux malware
TRANSCRIPT
![Page 1: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/1.jpg)
Understanding Linux Malware
Emanuele Cozzi1, Mariano Graziano2, Yanick Fratantonio1,Davide Balzarotti1
1EURECOM
2Cisco Systems, Inc.
IEEE Symposium on Security & Privacy, May 2018
![Page 2: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/2.jpg)
Malware and operating systems
![Page 3: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/3.jpg)
Malware and operating systems
![Page 4: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/4.jpg)
Linux malware on the rise
Mirai
Erebus
OutlawCountry
![Page 5: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/5.jpg)
Linux malware on the rise
Mirai
Erebus
OutlawCountry
![Page 6: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/6.jpg)
Linux malware on the rise
Mirai
Erebus
OutlawCountry
![Page 7: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/7.jpg)
Linux malware on the rise
Mirai
Erebus
OutlawCountry
![Page 8: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/8.jpg)
Objectives
• Develop a dynamic analysis sandbox for Linux binaries (and IoT devices)
I Previous studies only looked at the network behavior 1 2
• Identify challenges and limitations of porting traditional techniques to the newenvironment
• Understand differences in the malware characteristics (packing, obfuscantion, VMdetection, privilege excalation, persistence...) wrt Windows malware
![Page 9: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/9.jpg)
Objectives
• Develop a dynamic analysis sandbox for Linux binaries (and IoT devices)I Previous studies only looked at the network behavior 1 2
• Identify challenges and limitations of porting traditional techniques to the newenvironment
• Understand differences in the malware characteristics (packing, obfuscantion, VMdetection, privilege excalation, persistence...) wrt Windows malware
1Antonakakis et al. ”Understanding the mirai botnet,” USENIX Security Symposium 2017.2Yin Minn Pa et al. ”IoTPOT: analysing the rise of IoT compromises,” USENIX Workshop on Offensive
Technologies 2015.
![Page 10: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/10.jpg)
Objectives
• Develop a dynamic analysis sandbox for Linux binaries (and IoT devices)I Previous studies only looked at the network behavior 1 2
• Identify challenges and limitations of porting traditional techniques to the newenvironment
• Understand differences in the malware characteristics (packing, obfuscantion, VMdetection, privilege excalation, persistence...) wrt Windows malware
1Antonakakis et al. ”Understanding the mirai botnet,” USENIX Security Symposium 2017.2Yin Minn Pa et al. ”IoTPOT: analysing the rise of IoT compromises,” USENIX Workshop on Offensive
Technologies 2015.
![Page 11: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/11.jpg)
Objectives
• Develop a dynamic analysis sandbox for Linux binaries (and IoT devices)I Previous studies only looked at the network behavior 1 2
• Identify challenges and limitations of porting traditional techniques to the newenvironment
• Understand differences in the malware characteristics (packing, obfuscantion, VMdetection, privilege excalation, persistence...) wrt Windows malware
1Antonakakis et al. ”Understanding the mirai botnet,” USENIX Security Symposium 2017.2Yin Minn Pa et al. ”IoTPOT: analysing the rise of IoT compromises,” USENIX Workshop on Offensive
Technologies 2015.
![Page 12: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/12.jpg)
Target devices
Diversity
![Page 13: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/13.jpg)
Target devices
Diversity
![Page 14: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/14.jpg)
Target devices
Diversity
![Page 15: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/15.jpg)
Diversity
CPU: Intel
, ARM, MIPS, Motorola, Sparc
OS: Linux, BSD, Android
Libraries: glibc, uclibc, libpcap, libopencl
Statically-linked ELF unportable
Unknown device
![Page 16: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/16.jpg)
Diversity
CPU: Intel, ARM, MIPS, Motorola, Sparc
OS: Linux, BSD, Android
Libraries: glibc, uclibc, libpcap, libopencl
Statically-linked ELF unportable
Unknown device
![Page 17: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/17.jpg)
Diversity
CPU: Intel, ARM, MIPS, Motorola, Sparc
OS: Linux
, BSD, Android
Libraries: glibc, uclibc, libpcap, libopencl
Statically-linked ELF unportable
Unknown device
![Page 18: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/18.jpg)
Diversity
CPU: Intel, ARM, MIPS, Motorola, Sparc
OS: Linux, BSD, Android
Libraries: glibc, uclibc, libpcap, libopencl
Statically-linked ELF unportable
Unknown device
![Page 19: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/19.jpg)
Diversity
CPU: Intel, ARM, MIPS, Motorola, Sparc
OS: Linux, BSD, Android
Libraries: glibc
, uclibc, libpcap, libopencl
Statically-linked ELF unportable
Unknown device
![Page 20: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/20.jpg)
Diversity
CPU: Intel, ARM, MIPS, Motorola, Sparc
OS: Linux, BSD, Android
Libraries: glibc, uclibc, libpcap, libopencl
Statically-linked ELF unportable
Unknown device
![Page 21: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/21.jpg)
Diversity
CPU: Intel, ARM, MIPS, Motorola, Sparc
OS: Linux, BSD, Android
Libraries: glibc, uclibc, libpcap, libopencl
Statically-linked ELF unportable
Unknown device
![Page 22: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/22.jpg)
Diversity
CPU: Intel, ARM, MIPS, Motorola, Sparc
OS: Linux, BSD, Android
Libraries: glibc, uclibc, libpcap, libopencl
Statically-linked ELF unportable
Unknown device
![Page 23: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/23.jpg)
Analysis infrastructure
Data collection
File & metadata analysis
File
recognition
AVClass
ELF
anomaly
Data collection
File & metadata analysis
File
recognition
AVClass
ELF
anomaly
Static analysis
Code
analysis
Packing
identification
Dynamic analysis
Packer
analysis
EmulationTrace
analysis
Sandbox
preparation
![Page 24: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/24.jpg)
Analysis infrastructure
Data collection
File & metadata analysis
File
recognition
AVClass
ELF
anomaly
Data collection
File & metadata analysis
File
recognition
AVClass
ELF
anomaly
Static analysis
Code
analysis
Packing
identification
Dynamic analysis
Packer
analysis
EmulationTrace
analysis
Sandbox
preparation
![Page 25: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/25.jpg)
Analysis infrastructure
Data collection
File & metadata analysis
File
recognition
AVClass
ELF
anomaly
Data collection
File & metadata analysis
File
recognition
AVClass
ELF
anomaly
Static analysis
Code
analysis
Packing
identification
Dynamic analysis
Packer
analysis
EmulationTrace
analysis
Sandbox
preparation
![Page 26: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/26.jpg)
Data collection
From November 2016 to November 2017
200 candidate samples per day
Dataset of 10,548 Linux malware
![Page 27: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/27.jpg)
File & metadata analysis
Data collection
File & metadata analysis
File
recognition
AVClass
ELF
anomaly
Static analysis
Code
analysis
Packing
identification
Dynamic analysis
Packer
analysis
EmulationTrace
analysis
Sandbox
preparation
![Page 28: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/28.jpg)
Dataset
Architecture Samples Percentage
X86-64 3018 28.61%MIPS I 2120 20.10%PowerPC 1569 14.87%Motorola 68000 1216 11.53%Sparc 1170 11.09%Intel 80386 720 6.83%ARM 32-bit 555 5.26%Hitachi SH 130 1.23%AArch64 (ARM 64-bit) 47 0.45%others 3 0.03%
Distribution of the 10,548 downloaded samples across architectures
![Page 29: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/29.jpg)
Dataset
Architecture Samples Percentage
X86-64 3018 28.61%MIPS I 2120 20.10%PowerPC 1569 14.87%Motorola 68000 1216 11.53%Sparc 1170 11.09%Intel 80386 720 6.83%ARM 32-bit 555 5.26%Hitachi SH 130 1.23%AArch64 (ARM 64-bit) 47 0.45%others 3 0.03%
Distribution of the 10,548 downloaded samples across architectures
![Page 30: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/30.jpg)
Dataset
Architecture Samples Percentage
X86-64 3018 28.61%MIPS I 2120 20.10%PowerPC 1569 14.87%Motorola 68000 1216 11.53%Sparc 1170 11.09%Intel 80386 720 6.83%ARM 32-bit 555 5.26%Hitachi SH 130 1.23%AArch64 (ARM 64-bit) 47 0.45%others 3 0.03%
Distribution of the 10,548 downloaded samples across architectures
![Page 31: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/31.jpg)
ELF manipulation
\x07ELF
ELF header
Program header table
.text
.data
Section header table
• Anomalous ELFI Sections table removed
• Invalid ELFI Segments table points beyond fileI Overlapping header/segmentI Sections table points beyond file
• Problems with common analysis tools
8 readelf 2.26.18 GDB 7.11.18 pyelftools 0.244 IDA Pro 7
![Page 32: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/32.jpg)
ELF manipulation
\x07ELF
ELF header
Program header table
.text
.data
Section header table
• Anomalous ELFI Sections table removed
• Invalid ELFI Segments table points beyond fileI Overlapping header/segmentI Sections table points beyond file
• Problems with common analysis tools
8 readelf 2.26.18 GDB 7.11.18 pyelftools 0.244 IDA Pro 7
![Page 33: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/33.jpg)
ELF manipulation
\x07ELF
ELF header
Program header table
.text
.data
Section header table
• Anomalous ELFI Sections table removed
• Invalid ELFI Segments table points beyond fileI Overlapping header/segmentI Sections table points beyond file
• Problems with common analysis tools
8 readelf 2.26.18 GDB 7.11.18 pyelftools 0.244 IDA Pro 7
![Page 34: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/34.jpg)
ELF manipulation
\x07ELF
ELF header
Program header table
.text
.data
Section header table
• Anomalous ELFI Sections table removed
• Invalid ELFI Segments table points beyond fileI Overlapping header/segmentI Sections table points beyond file
• Problems with common analysis tools
8 readelf 2.26.18 GDB 7.11.18 pyelftools 0.244 IDA Pro 7
![Page 35: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/35.jpg)
AVClass3
Pymadro Miner Ebolachan Golad Lady Connectback MiraiElfpatch Pomedaj Liora Ddostf Cinarek Ztorg ElknotShishiga Aidra Chinaz Fysbis Ganiw Scanner RoopreMrblack Equation Logcleaner Sniff Tsunami Sshbrute ProbeZnaich Erebus Xingyi Xaynnalc Gafgyt Flood CoinminerBassobo Killdisk Eicar Remaiten Bossabot Midav GetshellDrobur Webshell Dcom Cloudatlas Luabot Iroffer MaydayGrip Darkkomet Prochider Ircbot Xhide Portscan XunpesDiesel Setag Raas Shelma Shellshock Nixgi WuscanCleanlog Sshdoor Psybnc Themoon Rekoobe Intfour PulseSickabs Hajime Hijacker Mumblehard Darlloz Sotdas LadvixPnscan Ropys Lightaidra Moose Vmsplice Ddoser Spyeye
3Sebastin et al. ”Avclass: A tool for massive malware labeling,” International Symposium on Research inAttacks, Intrusions, and Defenses 2016.
![Page 36: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/36.jpg)
Static analysis
Data collection
File & metadata analysis
File
recognition
AVClass
ELF
anomaly
Static analysis
Code
analysis
Packing
identification
Dynamic analysis
Packer
analysis
EmulationTrace
analysis
Sandbox
preparation
![Page 37: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/37.jpg)
Packing
ooooo ooo ooooooooo . ooooooo ooooo‘888 ’ ‘ 8 ’ ‘888 ‘ Y88 . ‘8888 d8 ’888 8 888 . d88 ’ Y888 . . 8 P888 8 888 ooo88P ’ ‘8888 ’888 8 888 . 8 PY888 .‘ 8 8 . . 8 ’ 888 d8 ’ ‘888 b
‘ YbodP ’ o888o o888o o88888o
The U l t i m a t e Packer f o r e X e c u t a b l e s
oo ooo o oooooo . oooo ooooo‘8 ‘ 8 ’ ‘888 ‘ Y88 . ‘8888 d8 ’888 8 888 . d88 ’ Y8 8 . .888 8 8 88P ’ ‘8888 ’
8 8 888 Y888 .8 . 88 d8 ’ ‘88‘ YbodP ’ 88o o888o o888
The U l t i m a t e Packer f o r e X e c u t a b l e s
oo ooo o oo o . oooo ooo‘8 ‘ 8 ’ ‘888 ‘Y8 ‘8888 d8 ’888 8 888 . d8 Y8 8 . .
8 8 88P ’ ‘888 8 888 Y8 . 8 d8 ’ ‘88‘Yb dP ’ 88o o888 888
The U l t i m a t e Packer f o r e X e c u t a b l e s
oo o o o o . ooo oo‘8 ‘ 8 ’ ‘88 ‘Y8 88 d88 8 8 . d8 8 8 . .
8 8 ‘888 8 88 Y8 . 8 8 ’ ‘88
b dP ’ 88o 88 88
The U l t i m a t e Packer f o r e X e c u t a b l e s
• Vanilla UPX and custom variants are the prevalent packers (almost 4% of thedataset)
I modified magic bytesI modified stringsI junk bytes
• At least one malware family is using a custom packer
![Page 38: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/38.jpg)
Packing
ooooo ooo ooooooooo . ooooooo ooooo‘888 ’ ‘ 8 ’ ‘888 ‘ Y88 . ‘8888 d8 ’888 8 888 . d88 ’ Y888 . . 8 P888 8 888 ooo88P ’ ‘8888 ’888 8 888 . 8 PY888 .‘ 8 8 . . 8 ’ 888 d8 ’ ‘888 b
‘ YbodP ’ o888o o888o o88888o
The U l t i m a t e Packer f o r e X e c u t a b l e s
oo ooo o oooooo . oooo ooooo‘8 ‘ 8 ’ ‘888 ‘ Y88 . ‘8888 d8 ’888 8 888 . d88 ’ Y8 8 . .888 8 8 88P ’ ‘8888 ’
8 8 888 Y888 .8 . 88 d8 ’ ‘88‘ YbodP ’ 88o o888o o888
The U l t i m a t e Packer f o r e X e c u t a b l e s
oo ooo o oo o . oooo ooo‘8 ‘ 8 ’ ‘888 ‘Y8 ‘8888 d8 ’888 8 888 . d8 Y8 8 . .
8 8 88P ’ ‘888 8 888 Y8 . 8 d8 ’ ‘88‘Yb dP ’ 88o o888 888
The U l t i m a t e Packer f o r e X e c u t a b l e s
oo o o o o . ooo oo‘8 ‘ 8 ’ ‘88 ‘Y8 88 d88 8 8 . d8 8 8 . .
8 8 ‘888 8 88 Y8 . 8 8 ’ ‘88
b dP ’ 88o 88 88
The U l t i m a t e Packer f o r e X e c u t a b l e s
• Vanilla UPX and custom variants are the prevalent packers (almost 4% of thedataset)
I modified magic bytesI modified stringsI junk bytes
• At least one malware family is using a custom packer
![Page 39: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/39.jpg)
Packing
ooooo ooo ooooooooo . ooooooo ooooo‘888 ’ ‘ 8 ’ ‘888 ‘ Y88 . ‘8888 d8 ’888 8 888 . d88 ’ Y888 . . 8 P888 8 888 ooo88P ’ ‘8888 ’888 8 888 . 8 PY888 .‘ 8 8 . . 8 ’ 888 d8 ’ ‘888 b
‘ YbodP ’ o888o o888o o88888o
The U l t i m a t e Packer f o r e X e c u t a b l e s
oo ooo o oooooo . oooo ooooo‘8 ‘ 8 ’ ‘888 ‘ Y88 . ‘8888 d8 ’888 8 888 . d88 ’ Y8 8 . .888 8 8 88P ’ ‘8888 ’
8 8 888 Y888 .8 . 88 d8 ’ ‘88‘ YbodP ’ 88o o888o o888
The U l t i m a t e Packer f o r e X e c u t a b l e s
oo ooo o oo o . oooo ooo‘8 ‘ 8 ’ ‘888 ‘Y8 ‘8888 d8 ’888 8 888 . d8 Y8 8 . .
8 8 88P ’ ‘888 8 888 Y8 . 8 d8 ’ ‘88‘Yb dP ’ 88o o888 888
The U l t i m a t e Packer f o r e X e c u t a b l e s
oo o o o o . ooo oo‘8 ‘ 8 ’ ‘88 ‘Y8 88 d88 8 8 . d8 8 8 . .
8 8 ‘888 8 88 Y8 . 8 8 ’ ‘88
b dP ’ 88o 88 88
The U l t i m a t e Packer f o r e X e c u t a b l e s
• Vanilla UPX and custom variants are the prevalent packers (almost 4% of thedataset)
I modified magic bytesI modified stringsI junk bytes
• At least one malware family is using a custom packer
![Page 40: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/40.jpg)
Packing
ooooo ooo ooooooooo . ooooooo ooooo‘888 ’ ‘ 8 ’ ‘888 ‘ Y88 . ‘8888 d8 ’888 8 888 . d88 ’ Y888 . . 8 P888 8 888 ooo88P ’ ‘8888 ’888 8 888 . 8 PY888 .‘ 8 8 . . 8 ’ 888 d8 ’ ‘888 b
‘ YbodP ’ o888o o888o o88888o
The U l t i m a t e Packer f o r e X e c u t a b l e s
oo ooo o oooooo . oooo ooooo‘8 ‘ 8 ’ ‘888 ‘ Y88 . ‘8888 d8 ’888 8 888 . d88 ’ Y8 8 . .888 8 8 88P ’ ‘8888 ’
8 8 888 Y888 .8 . 88 d8 ’ ‘88‘ YbodP ’ 88o o888o o888
The U l t i m a t e Packer f o r e X e c u t a b l e s
oo ooo o oo o . oooo ooo‘8 ‘ 8 ’ ‘888 ‘Y8 ‘8888 d8 ’888 8 888 . d8 Y8 8 . .
8 8 88P ’ ‘888 8 888 Y8 . 8 d8 ’ ‘88‘Yb dP ’ 88o o888 888
The U l t i m a t e Packer f o r e X e c u t a b l e s
oo o o o o . ooo oo‘8 ‘ 8 ’ ‘88 ‘Y8 88 d88 8 8 . d8 8 8 . .
8 8 ‘888 8 88 Y8 . 8 8 ’ ‘88
b dP ’ 88o 88 88
The U l t i m a t e Packer f o r e X e c u t a b l e s
• Vanilla UPX and custom variants are the prevalent packers (almost 4% of thedataset)
I modified magic bytesI modified stringsI junk bytes
• At least one malware family is using a custom packer
![Page 41: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/41.jpg)
Packing
ooooo ooo ooooooooo . ooooooo ooooo‘888 ’ ‘ 8 ’ ‘888 ‘ Y88 . ‘8888 d8 ’888 8 888 . d88 ’ Y888 . . 8 P888 8 888 ooo88P ’ ‘8888 ’888 8 888 . 8 PY888 .‘ 8 8 . . 8 ’ 888 d8 ’ ‘888 b
‘ YbodP ’ o888o o888o o88888o
The U l t i m a t e Packer f o r e X e c u t a b l e s
oo ooo o oooooo . oooo ooooo‘8 ‘ 8 ’ ‘888 ‘ Y88 . ‘8888 d8 ’888 8 888 . d88 ’ Y8 8 . .888 8 8 88P ’ ‘8888 ’
8 8 888 Y888 .8 . 88 d8 ’ ‘88‘ YbodP ’ 88o o888o o888
The U l t i m a t e Packer f o r e X e c u t a b l e s
oo ooo o oo o . oooo ooo‘8 ‘ 8 ’ ‘888 ‘Y8 ‘8888 d8 ’888 8 888 . d8 Y8 8 . .
8 8 88P ’ ‘888 8 888 Y8 . 8 d8 ’ ‘88‘Yb dP ’ 88o o888 888
The U l t i m a t e Packer f o r e X e c u t a b l e s
oo o o o o . ooo oo‘8 ‘ 8 ’ ‘88 ‘Y8 88 d88 8 8 . d8 8 8 . .
8 8 ‘888 8 88 Y8 . 8 8 ’ ‘88
b dP ’ 88o 88 88
The U l t i m a t e Packer f o r e X e c u t a b l e s
• Vanilla UPX and custom variants are the prevalent packers (almost 4% of thedataset)
I modified magic bytesI modified stringsI junk bytes
• At least one malware family is using a custom packer
![Page 42: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/42.jpg)
Dynamic analysis
Data collection
File & metadata analysis
File
recognition
AVClass
ELF
anomaly
Static analysis
Code
analysis
Packing
identification
Dynamic analysis
Packer
analysis
EmulationTrace
analysis
Sandbox
preparation
![Page 43: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/43.jpg)
Behaviors
Persistence
Required privileges
Process interaction
Process injection
Privileges escalationShell commands
Information gathering
Anti-debugging
Anti-execution
Sandbox detection
Deception
Processes enumeration
![Page 44: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/44.jpg)
Deception
$ psPID CMD1234 d41d8cd98f00b204e9800998ecf8427e
$ psPID CMD
1234 sh
$ psPID CMD1234 cron
$ psPID CMD
1234 telnetd
$ psPID CMD
1234 sshd
$ psPID CMD
1234 my-tool
$ psPID CMD
1234 a5ux38y
$ psPID CMD1234
• Malicious processes assume new names to trick process listing tools
• 52% of the samples renamed the process
![Page 45: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/45.jpg)
Deception
$ psPID CMD1234 d41d8cd98f00b204e9800998ecf8427e
$ psPID CMD
1234 sh
$ psPID CMD1234 cron
$ psPID CMD
1234 telnetd
$ psPID CMD
1234 sshd$ psPID CMD
1234 my-tool
$ psPID CMD
1234 a5ux38y
$ psPID CMD1234
• Malicious processes assume new names to trick process listing tools
• 52% of the samples renamed the process
![Page 46: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/46.jpg)
Deception
$ psPID CMD1234 d41d8cd98f00b204e9800998ecf8427e
$ psPID CMD
1234 sh
$ psPID CMD1234 cron
$ psPID CMD
1234 telnetd
$ psPID CMD
1234 sshd$ psPID CMD
1234 my-tool
$ psPID CMD
1234 a5ux38y
$ psPID CMD1234
• Malicious processes assume new names to trick process listing tools
• 52% of the samples renamed the process
![Page 47: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/47.jpg)
Deception
$ psPID CMD1234 d41d8cd98f00b204e9800998ecf8427e
$ psPID CMD
1234 sh
$ psPID CMD1234 cron
$ psPID CMD
1234 telnetd
$ psPID CMD
1234 sshd$ psPID CMD
1234 my-tool
$ psPID CMD
1234 a5ux38y
$ psPID CMD1234
• Malicious processes assume new names to trick process listing tools
• 52% of the samples renamed the process
![Page 48: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/48.jpg)
Evasion
/proc || /sys
• Detect VMware, VirtualBox, QEMU, KVM but also OpenVZ, XEN or chroot jails
• Malware may also check their file name before real execution
i f ( ! sandbox ) {// do e v i l
}e l s e {
p r i n t (” h t t p s : / / l m g t f y . com/q=how+to+@@@@@@@@@@@@@@@@@@@”)rm − r f /
}
![Page 49: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/49.jpg)
Evasion
/proc || /sys
• Detect VMware, VirtualBox, QEMU, KVM but also OpenVZ, XEN or chroot jails• Malware may also check their file name before real execution
i f ( ! sandbox ) {// do e v i l
}e l s e {
p r i n t (” h t t p s : / / l m g t f y . com/q=how+to+@@@@@@@@@@@@@@@@@@@”)rm − r f /
}
![Page 50: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/50.jpg)
Evasion
/proc || /sys
• Detect VMware, VirtualBox, QEMU, KVM but also OpenVZ, XEN or chroot jails• Malware may also check their file name before real execution
i f ( ! sandbox ) {// do e v i l
}e l s e {
p r i n t (” h t t p s : / / l m g t f y . com/q=how+to+@@@@@@@@@@@@@@@@@@@”)rm − r f /
}
![Page 51: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/51.jpg)
• OS/ABI field in ELF header is notused
• Malware executed by root or user
• Processes enumeration
• Unstripped symbols (?)
![Page 52: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/52.jpg)
• OS/ABI field in ELF header is notused
• Malware executed by root or user
• Processes enumeration
• Unstripped symbols (?)
![Page 53: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/53.jpg)
• OS/ABI field in ELF header is notused
• Malware executed by root or user
• Processes enumeration
• Unstripped symbols (?)
![Page 54: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/54.jpg)
• OS/ABI field in ELF header is notused
• Malware executed by root or user
• Processes enumeration
• Unstripped symbols (?)
![Page 55: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/55.jpg)
• OS/ABI field in ELF header is notused
• Malware executed by root or user
• Processes enumeration
• Unstripped symbols (?)
![Page 56: Understanding Linux Malware](https://reader034.vdocuments.site/reader034/viewer/2022051114/62771d9eef43a84958246c8a/html5/thumbnails/56.jpg)
Conclusions
• Linux malware still in its infancy
• Already a broad range of behaviors and tricks
• ELF binaries could run anywhere from a thermostat to a large server
• New research needed to overcome the lack of information about the executionenvironment