Modern Linux Malware Exposed -...
Transcript of Modern Linux Malware Exposed -...
![Page 1: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/1.jpg)
Emanuele Cozzi @invano
Mariano Graziano @emd3l
Modern Linux Malware Exposed
RECON
MONTREAL
2018
![Page 2: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/2.jpg)
About usEmanuele Cozzi
@invano
PhD student at s3@Eurecom
Mariano Graziano@emd3l
Security Researcher at Cisco Talos
![Page 3: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/3.jpg)
Malware we fight - myth
Windows
![Page 4: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/4.jpg)
Malware we fight - reality
WindowsLinuxmacOS
Android...
![Page 5: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/5.jpg)
file submissions - last 7 days
![Page 6: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/6.jpg)
file submissions - last 7 days
![Page 7: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/7.jpg)
WINDOWSmalware
malware
analyze
Report
defend
![Page 8: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/8.jpg)
WINDOWSmalware ● We know their techniques
● We have tools● We have sandboxes● We built expertise● ... ● We are not done yet
malware
analyze
Report
defend
![Page 9: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/9.jpg)
LINUXmalware ● We know their techniques?
● We have tools?● We have sandboxes?● We built expertise?● ... ● We are not done yet
malware
analyze
Report
defend
![Page 10: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/10.jpg)
when i get aLinux Malware
![Page 11: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/11.jpg)
Analysis processdisplayELF info
checkstrings
reconnaissance
dynamicanalysis
reverseengineering
writereport
![Page 12: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/12.jpg)
Analysis processdisplayELF info
checkstrings
reconnaissance
dynamicanalysis
reverseengineering
writereport
![Page 13: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/13.jpg)
● server, desktop, router, printer, camera
Key problem: Diversity
![Page 14: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/14.jpg)
● server, desktop, router, printer, camera
● intel, amd, arm, mips, powerpc, motorola, sparc
Key problem: Diversity
![Page 15: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/15.jpg)
● server, desktop, router, printer, camera
● intel, amd, arm, mips, powerpc, motorola, sparc
● linux, freebsd, android, solaris, aix
Key problem: Diversity
![Page 16: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/16.jpg)
WINDOWS
STATS
TECHNIQUES
SANDBOXES
LINUX
![Page 17: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/17.jpg)
Current situation
![Page 18: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/18.jpg)
Current situationWindowsAndroidLinuxmacOS
![Page 19: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/19.jpg)
VT Submissions
PE FILES
ELF FILES
![Page 20: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/20.jpg)
VT Submissions
PE FILES
ELF FILES
TOTAL FILES
NEW FILES
![Page 21: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/21.jpg)
VT Submissions
PE FILES
ELF FILES
5X
![Page 22: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/22.jpg)
VT Submissions
PE FILES
ELF FILES
5X
15X
![Page 23: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/23.jpg)
ELF OVER THE YEARS
2018
2017
2016
![Page 24: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/24.jpg)
ELF OVER THE YEARS
2018
2017
2016
9X
![Page 25: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/25.jpg)
DATASET
● Collected ELF samples for one year
● 200 candidate samples per day
● Final dataset: 10k ELF binaries
![Page 26: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/26.jpg)
WINDOWS
STATS
TECHNIQUES
SANDBOXES
LINUX
![Page 27: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/27.jpg)
UPX
ELFuck (sd)
DecryFile (@thegrugq)
BurnEye (scut)
Shiva (Mehta, Clowes)
Midgetpack (@aris_ada)
Maya (@ryan_elfmaster)
UPX
Y0da cryptor
FSG
NSPack
ASPack
Xtreme
TheMida
Armadillo
VMProtect
PECompact
PEtite
mPack
Obsidium
BackPack
UPolyX
ACProtect
Packing
WINDOWS LINUX
![Page 28: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/28.jpg)
NAME Samples PercentageVANILLA UPXCUSTOM UPX VARIANT:
- DIFFERENT MAGIC- DIFF UPX STRINGS- JUNK BYTES- ALL OF THEM
1891881295512616
1.79%1.78%
ELF Packers
![Page 29: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/29.jpg)
adore-ng
mood-nt
enyelkm
override
reptile
suterusu
Vogl’s ROP rootkit
Rustock.C
Zeroaccess
Uroburos
FU
FUto
Sinowal
TLD3/4
Gapz
Carberp
Rootkits
WINDOWS LINUX
![Page 30: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/30.jpg)
LD_PRELOAD
ptrace
process_vm_writev
CreateRemoteThread:
● LoadLibrary/WriteProcessMemory
Hijacking:
● Thread/COM
Process Hollowing
APC
SetWindowsHookEx
Atoms
Registry keys
Injection techniques
WINDOWS LINUX
![Page 31: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/31.jpg)
/proc/pid/status
ptrace
ENV (“_”)
IsDebuggerPresent/IsDebugged
NtGlobalFlags
Debug registers
TLS callbacks
Heap
Trap flag
NtQueryInformationProcess
SEH/VEH
...
Anti-debugging
WINDOWS LINUX
![Page 32: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/32.jpg)
cron
.bashrc
init.d
rc.d
systemd
X desktop autostart
Windows registry:
Run/RunOnce
Winlogon
AppInit_DLLs
…
Browser Helper Objects
DLL Search Order Hijacking
...
Persistence
WINDOWS LINUX
![Page 33: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/33.jpg)
TECHNIQUE USER ROOT/etc/rc.d/rc.local/etc/rc.conf/etc/init.d/etc/rcX.d/etc/rc.localsystemd service~/.bashrc~/.bashrc_profileX desktop autostart/etc/cron.hourly/etc/crontab/etc/cron.dailycrontab utility
139312362102121128817070266
------19183---6
ELF Persistence
![Page 34: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/34.jpg)
TECHNIQUE USER ROOT/etc/rc.d/rc.local/etc/rc.conf/etc/init.d/etc/rcX.d/etc/rc.localsystemd service~/.bashrc~/.bashrc_profileX desktop autostart/etc/cron.hourly/etc/crontab/etc/cron.dailycrontab utility
139312362102121128817070266
------19183---6
ELF Persistence 21.10%
![Page 35: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/35.jpg)
WINDOWS
STATS
TECHNIQUES
SANDBOXES
LINUX
![Page 36: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/36.jpg)
Joebox (NEW!)
Limon
Cuckoo
hybrid-analysis (online)
detux (online)
Tencent Habo
Malwr
Anubis
Cuckoo
ThreatExpert
Malbox
TotalHash
Joebox
ThreatGrid
Vicheck
DeepViz
anlyz.io
hybrid-analysis
VMRay
SecondWrite
ThreatTrack
Sandboxes
WINDOWS LINUX
![Page 37: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/37.jpg)
Architecture Samples Percentagex86_64MIPS
PowerPCMotorola
SparcIntel 80386ARM 32-bitHitachi SHAArch64Others
30182120156912161170720555130473
28.61%20.10%14.87%11.53%11.09%6.83%5.26%1.23%0.45%0.03%
Architectures
![Page 38: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/38.jpg)
Architecture Samples Percentagex86_64MIPS
PowerPCMotorola
SparcIntel 80386ARM 32-bitHitachi SHAArch64Others
30182120156912161170720555130473
28.61%20.10%14.87%11.53%11.09%6.83%5.26%1.23%0.45%0.03%
Architectures
35.44%
![Page 39: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/39.jpg)
Architecture Samples Percentagex86_64MIPS
PowerPCMotorola
SparcIntel 80386ARM 32-bitHitachi SHAArch64Others
30182120156912161170720555130473
28.61%20.10%14.87%11.53%11.09%6.83%5.26%1.23%0.45%0.03%
Architectures
35.44%
63.58%
![Page 40: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/40.jpg)
Architecture Samples Percentagex86_64MIPS
PowerPCMotorola
SparcIntel 80386ARM 32-bitHitachi SHAArch64Others
30182120156912161170720555130473
28.61%20.10%14.87%11.53%11.09%6.83%5.26%1.23%0.45%0.03%
Architectures
35.44%
63.58%
70.41%
![Page 41: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/41.jpg)
EVASION Samples Percentage
Process enumerationANTI-DEBUGGING
SANDBOX DETECTIONANTI-EXECUTIONSTALLING CODE
259631930
3.32%0.81%0.24%0.04%
0%
Evasive samples
![Page 42: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/42.jpg)
PATH # SAMPLES
/sys/class/dmi/id/product_name/sys/class/dmi/id/sys_vendor
/proc/cpuinfo/proc/sysinfo/proc/scsi/scsi
/proc/vz/ & /proc/bc/proc/xen/capabilities
/proc/<pid>/mountinfo
1818111111
Sandbox detection
![Page 43: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/43.jpg)
PATH # SAMPLES
/sys/class/dmi/id/product_name/sys/class/dmi/id/sys_vendor
/proc/cpuinfo/proc/sysinfo/proc/scsi/scsi
/proc/vz/ & /proc/bc/proc/xen/capabilities
/proc/<pid>/mountinfo
1818111111
VMWare/VBOX
QEMU
KVM
OPENVZ
CHROOT JAIL
Sandbox detection
![Page 44: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/44.jpg)
Static AnalysisELF header inspection
Unpacking
Code analysis
![Page 45: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/45.jpg)
ELF header00000000 7f 45 4c 46 02 01 01 00 |.ELF....|
00000008 00 00 00 00 00 00 00 00 |........|
00000010 02 00 3e 00 01 00 00 00 |..>.....|
00000018 c5 48 40 00 00 00 00 00 |.H@.....|
00000020 40 00 00 00 00 00 00 00 |@.......|
00000028 48 c7 01 00 00 00 00 00 |H.......|
00000030 00 00 00 00 40 00 38 00 |[email protected].|
00000038 09 00 40 00 1b 00 1a 00 |..@.....|
e_ident e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
/bin/ls
![Page 46: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/46.jpg)
Untrustable sections 00000000 7f 45 4c 46 02 01 01 00 |.ELF....|
00000008 00 00 00 00 00 00 00 00 |........|
00000010 02 00 3e 00 01 00 00 00 |..>.....|
00000018 c5 48 40 00 00 00 00 00 |.H@.....|
00000020 40 00 00 00 00 00 00 00 |@.......|
00000028 00 00 00 00 00 00 00 00 |........|
00000030 00 00 00 00 40 00 38 00 |[email protected].|
00000038 09 00 44 44 ff ff 00 00 |..DD....|
● Sections are useful for linking, relocation and debugging
● Not needed at run-time
/bin/ls
![Page 47: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/47.jpg)
Untrustable sections 00000000 7f 45 4c 46 02 01 01 00 |.ELF....|
00000008 00 00 00 00 00 00 00 00 |........|
00000010 02 00 3e 00 01 00 00 00 |..>.....|
00000018 c5 48 40 00 00 00 00 00 |.H@.....|
00000020 40 00 00 00 00 00 00 00 |@.......|
00000028 00 00 00 00 00 00 00 00 |........|
00000030 00 00 00 00 40 00 38 00 |[email protected].|
00000038 09 00 44 44 ff ff 00 00 |..DD....|
e_shoff == 0 || e_shentsize == 0 || e_shnum == 0 || e_shstrndx == 0 || ALL INVALID
● Sections are useful for linking, relocation and debugging
● Not needed at run-time
/bin/ls
![Page 48: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/48.jpg)
Untrustable sections 00000000 7f 45 4c 46 02 01 01 00 |.ELF....|
00000008 00 00 00 00 00 00 00 00 |........|
00000010 02 00 3e 00 01 00 00 00 |..>.....|
00000018 c5 48 40 00 00 00 00 00 |.H@.....|
00000020 40 00 00 00 00 00 00 00 |@.......|
00000028 00 00 00 00 00 00 00 00 |........|
00000030 00 00 00 00 40 00 38 00 |[email protected].|
00000038 09 00 44 44 ff ff 00 00 |..DD....|
e_shoff == 0 || e_shentsize == 0 || e_shnum == 0 || e_shstrndx == 0 || ALL INVALID
● Sections are useful for linking, relocation and debugging
● Not needed at run-time
/bin/ls
Do not rely on the section header table
![Page 49: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/49.jpg)
example - GDB00000000 7f 45 4c 46 02 01 01 00 |.ELF....|
00000008 00 00 00 00 00 00 00 00 |........|
00000010 02 00 3e 00 01 00 00 00 |..>.....|
00000018 c5 48 40 00 00 00 00 00 |.H@.....|
00000020 40 00 00 00 00 00 00 00 |@.......|
00000028 48 c7 01 00 00 00 00 00 |H.......|
00000030 00 00 00 00 40 00 38 00 |[email protected].|
00000038 09 00 50 00 1b 00 1a 00 |..P.....|
/bin/ls e_shentsize != 0x40
![Page 50: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/50.jpg)
example - GDB00000000 7f 45 4c 46 02 01 01 00 |.ELF....|
00000008 00 00 00 00 00 00 00 00 |........|
00000010 02 00 3e 00 01 00 00 00 |..>.....|
00000018 c5 48 40 00 00 00 00 00 |.H@.....|
00000020 40 00 00 00 00 00 00 00 |@.......|
00000028 48 c7 01 00 00 00 00 00 |H.......|
00000030 00 00 00 00 40 00 38 00 |[email protected].|
00000038 09 00 50 00 1b 00 1a 00 |..P.....|
/bin/ls e_shentsize != 0x40
$ gdb ./ls"/home/aaa/ls": not in executable format: File format not recognized(gdb) rStarting program: No executable file specified.(gdb) q
![Page 51: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/51.jpg)
Malware - Mumblehard00000000 7f 45 4c 46 01 01 01 09 |.ELF....|
00000008 00 00 00 00 00 00 00 00 |........|
00000010 02 00 03 00 01 00 00 00 |........|
00000018 4c 80 04 08 2c 00 00 00 |L..,....|
00000020 00 00 00 00 00 00 00 00 |........|
00000028 34 00 20 00 01 00 00 00 |4. .....|
00000030 00 00 00 00 |....|
/bin/mumblehard* e_ident[OS_ABI] is FreeBSD e_phoff overlaps ELF Hdr e_shoff = 0 e_shentsize = 0 e_shnum = 0 e_shstrndx = 0
SHA256: 2db2064458255a9e882392e3878fb19a6b0f3d779779cce77ae84835172d923
![Page 52: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/52.jpg)
Malware - Mumblehard00000000 7f 45 4c 46 01 01 01 09 |.ELF....|
00000008 00 00 00 00 00 00 00 00 |........|
00000010 02 00 03 00 01 00 00 00 |........|
00000018 4c 80 04 08 2c 00 00 00 |L..,....|
00000020 00 00 00 00 00 00 00 00 |........|
00000028 34 00 20 00 01 00 00 00 |4. .....|
00000030 00 00 00 00 |....|
/bin/mumblehard*
SHA256: 2db2064458255a9e882392e3878fb19a6b0f3d779779cce77ae84835172d923
e_ident[OS_ABI] is FreeBSD e_phoff overlaps ELF Hdr e_shoff = 0 e_shentsize = 0 e_shnum = 0 e_shstrndx = 0
beginning of struct elf32_phdr
![Page 53: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/53.jpg)
e_ident[os/abi]static int load_elf_binary(struct linux_binprm *bprm){
...
/* Get the exec-header */loc->elf_ex = *((struct elfhdr *)bprm->buf);
retval = -ENOEXEC;/* First of all, some simple consistency checks */if (memcmp(loc->elf_ex.e_ident, ELFMAG, SELFMAG) != 0)
goto out;
if (loc->elf_ex.e_type != ET_EXEC && loc->elf_ex.e_type != ET_DYN)goto out;
if (!elf_check_arch(&loc->elf_ex))goto out;
if (elf_check_fdpic(&loc->elf_ex))goto out;
linux/v4.17/source/fs/binfmt_elf.c
os/abi not enforced by the Linux kernel
checks on: magic, type, arch
![Page 54: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/54.jpg)
Executable unpacking● Mostly underground and private packers on linux● UPX is the top choice
○ binary mods to break “upx -d”○ still easy to unpack manually
UPX!
ABC!
“$Id: UPX 3.91 Copyright ©”
“Azt@....%f6-_11ld$ggwp”
80 f9 09 75 0b cd 80 73
80 f9 09 75 0b cd 80 73aa aa aa aa aa aa aa aa
![Page 55: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/55.jpg)
UPX stub behaviorDecompress rest of decompressor
Decompress ELF_Ehdr
Decompress ELF_Phdr
Map and decompress PT_LOAD segments
Map and decompress PT_INTERP
Setup stack and ELF_auxv
Transfer control to program
![Page 56: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/56.jpg)
UPX stub behaviorDecompress rest of decompressor
Decompress ELF_Ehdr
Decompress ELF_Phdr
Map and decompress PT_LOAD segments
Map and decompress PT_INTERP
Setup stack and ELF_auxv
Transfer control to program
User-land execve()
![Page 57: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/57.jpg)
UnPXer● Based on Unicorn Engine● Supports x86, x64, arm, arm-eabi, arm64, mips● Tiny kernel to run upx stub
○ read, write, open, close, mmap, mprotect, munmap, brk, readlink, exit
![Page 58: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/58.jpg)
UnPXer● Based on Unicorn Engine● Supports x86, x64, arm, arm-eabi, arm64, mips● Tiny kernel to run upx stub
○ read, write, open, close, mmap, mprotect, munmap, brk, readlink, exit
load program
setup stack (auxv)
emulation
reconstruct unpacked elf
![Page 59: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/59.jpg)
Function recognition● crucial for human reverse engineering● signature matching approach is not scalable
![Page 60: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/60.jpg)
Function recognition● crucial for human reverse engineering● signature matching approach is not scalable
IDA Pro recursive CF discovery
![Page 61: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/61.jpg)
Function recognition● crucial for human reverse engineering● signature matching approach is not scalable
IDA ProNucleus (@vu5ec) CFG recovery
recursive CF discovery
![Page 62: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/62.jpg)
Function recognition● crucial for human reverse engineering● signature matching approach is not scalable
IDA ProNucleus (@vu5ec)eh_frame (@ryan_elfmaster)
CFG recovery
.eh_frame parsing
recursive CF discovery
![Page 63: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/63.jpg)
Dynamic AnalysisSandboxpreparation
Tracing
Behaviorextraction
![Page 64: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/64.jpg)
Sandboxing linux malwareHOST
GUEST
malware
kernel
user
![Page 65: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/65.jpg)
● Qemu to support different architectures as much as possible
Sandboxing linux malwareHOST
GUEST
malware
kernel
user
![Page 66: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/66.jpg)
● Qemu to support different architectures as much as possible
● Full OS/environment
Sandboxing linux malwareHOST
GUEST
malware
kernel
user
![Page 67: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/67.jpg)
● Qemu to support different architectures as much as possible
● Full OS/environment● Syscalls and user functions
tracing● behavioral report back to host
Sandboxing linux malwareHOST
GUEST
malware
kernel
user
![Page 68: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/68.jpg)
Linux tracing systemsstrace
ptrace()||SIGTRAP||/proc/PID/cmdline||/proc/PID/status||...
![Page 69: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/69.jpg)
Linux tracing systems
kernel tracepoints
kprobes
uprobes
usdt/dtrace
lttng-ust
backend
strace
ptrace()||SIGTRAP||/proc/PID/cmdline||/proc/PID/status||...
![Page 70: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/70.jpg)
Linux tracing systems
kernel tracepoints
kprobes
uprobes
usdt/dtrace
lttng-ust
ftrace
perf
systemtap
lttng
sysdig
backend frontend
strace
ptrace()||SIGTRAP||/proc/PID/cmdline||/proc/PID/status||...
![Page 71: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/71.jpg)
Linux tracing systems
kernel tracepoints
kprobes
uprobes
usdt/dtrace
lttng-ust
ftrace
perf
systemtap
lttng
sysdig
backend frontend
strace
ptrace()||SIGTRAP||/proc/PID/cmdline||/proc/PID/status||...
● Dynamic probes● multi-arch (...)● flexible● custom output
format
why
![Page 72: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/72.jpg)
Kprobes -- Uprobes1. copy probed instruction2. replace first byte with int33. on hit, execute pre_handler4. single-step probed instruction5. execute post_handler
1. copy probed instruction2. replace first byte with int33. on hit, execute handler4. single-step probed instruction
![Page 73: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/73.jpg)
Kprobes -- Uprobes
1. compiler emits NOP instruction on address to probe
2. add NT_STAPSDT descriptor to ELF for each address to probe
1. copy probed instruction2. replace first byte with int33. on hit, execute pre_handler4. single-step probed instruction5. execute post_handler
1. copy probed instruction2. replace first byte with int33. on hit, execute handler4. single-step probed instruction
probe creation
![Page 74: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/74.jpg)
probe syscall.* {printf(“%s(%s)”,
syscall_name,syscall_argstr)
}
probe syscall.*.return {printf(“%s=%s”,
syscall_name,syscall_retstr)
}
probe kprobe.function(“commit_creds”) {parg = pointer_arg(1)euid = @cast(parg, "cred",
"kernel<linux/sched.h>")->euid->valprintf(“euid=%d”, euid)
}
probe glibc.memcmp = process("/opt/glibc/lib/libc-2.27.so").mark("memcmp") ?{ name = $$name argstr = printf("%s, %s, %d", user_string_quoted($arg1), user_string_quoted($arg2), $arg3)}
SystemTaptrace.stp
![Page 75: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/75.jpg)
probe syscall.* {printf(“%s(%s)”,
syscall_name,syscall_argstr)
}
probe syscall.*.return {printf(“%s=%s”,
syscall_name,syscall_retstr)
}
probe kprobe.function(“commit_creds”) {parg = pointer_arg(1)euid = @cast(parg, "cred",
"kernel<linux/sched.h>")->euid->valprintf(“euid=%d”, euid)
}
probe glibc.memcmp = process("/opt/glibc/lib/libc-2.27.so").mark("memcmp") ?{ name = $$name argstr = printf("%s, %s, %d", user_string_quoted($arg1), user_string_quoted($arg2), $arg3)}
SystemTaptrace.stp
#include <sysdep.h>#include <stap-probe.h>
.textENTRY (memcmp) LIBC_PROBE(memcmp, 3,
LP_SIZE@%RDI_LP,LP_SIZE@%RSI_LP,LP_SIZE@%RDX_LP)
test %rdx, %rdx jz L(finz) ...
libc/x86_64/memcmp.S
![Page 76: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/76.jpg)
works out-of-the-box on i386/x86_64systemtap patches needed for other archs (syscall ABI support, arm, mips o32,...)
probe syscall.* {printf(“%s(%s)”,
syscall_name,syscall_argstr)
}
probe syscall.*.return {printf(“%s=%s”,
syscall_name,syscall_retstr)
}
probe kprobe.function(“commit_creds”) {parg = pointer_arg(1)euid = @cast(parg, "cred",
"kernel<linux/sched.h>")->euid->valprintf(“euid=%d”, euid)
}
probe glibc.memcmp = process("/opt/glibc/lib/libc-2.27.so").mark("memcmp") ?{ name = $$name argstr = printf("%s, %s, %d", user_string_quoted($arg1), user_string_quoted($arg2), $arg3)}
SystemTaptrace.stp
#include <sysdep.h>#include <stap-probe.h>
.textENTRY (memcmp) LIBC_PROBE(memcmp, 3,
LP_SIZE@%RDI_LP,LP_SIZE@%RSI_LP,LP_SIZE@%RDX_LP)
test %rdx, %rdx jz L(finz) ...
libc/x86_64/memcmp.S
![Page 77: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/77.jpg)
Malware - Amnesia...6b2885a4f8c9d84@0xb7747c31[911-1001] brk(0x0) = 1463050246b2885a4f8c9d84@0xb7747c31[911-1001] brk(0x8ba8000) = 1464401926b2885a4f8c9d84@0xb7747c31[911-1001] open("/sys/class/dmi/id/product_name", O_RDONLY) = 36b2885a4f8c9d84@0xb7747c31[911-1001] fstat(3, 0xbfafa800) = 06b2885a4f8c9d84@0xb7747c31[911-1001] read(3, 0x8b87168, 4096) = 346b2885a4f8c9d84@0xb75fbb7e[911-1001] strstr("Standard PC (i440FX + PIIX, 1996)\n", "VirtualBox") = 06b2885a4f8c9d84@0xb75fbb7e[911-1001] strstr("Standard PC (i440FX + PIIX, 1996)\n", "VMware") = 06b2885a4f8c9d84@0xb7747c31[911-1001] read(3, 0x8b87168, 4096) = 06b2885a4f8c9d84@0xb7747c31[911-1001] close(3) = 06b2885a4f8c9d84@0xb7747c31[911-1001] open("/sys/class/dmi/id/sys_vendor", O_RDONLY) = 36b2885a4f8c9d84@0xb7747c31[911-1001] fstat(3, 0xbfafa800) = 06b2885a4f8c9d84@0xb7747c31[911-1001] read(3, 0x8b87168, 4096) = 56b2885a4f8c9d84@0xb75fbb7e[911-1001] strstr("QEMU\nard PC (i440FX + PIIX, 1996)\n", "QEMU") = 0x8b871686b2885a4f8c9d84@0xb7747c31[911-1001] fstat(1, 0xbfafa800) = 06b2885a4f8c9d84@0xb7747c31[911-1001] write(1, "https://lmgtfy.com/?q=how+to+suck+your+own+di"..., 48) = 486b2885a4f8c9d84@0xb7747c31[911-1001] lstat("/tmp", 0xbfafa8d0) = 0...
/bin/amnesia*
SHA256: 6b2885a4f8c9d84e5dc49830abf7b1edbf1b458d8b9d2bafb680370106f93bc3
execution trace with kprobes and uprobes
![Page 78: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/78.jpg)
Execution privilege
Hybrid-analysis detux
Linux Malware
root user
12
user execution
-eperm or -eacces ?
check uid or gid?
root execution
n
stopn
Y
Y
![Page 79: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/79.jpg)
Execution privilege
Hybrid-analysis detux
Linux Malware
root user
12
user execution
-eperm or -eacces ?
check uid or gid?
root execution
n
stopn
Y
Y
1. user executionif -eperm or -eacces goto2if check uid or gid goto2else finish
2. root execution
more resources but may show off new behaviors
![Page 80: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/80.jpg)
automated analysis with PADAWAN
ab c
ef
d
![Page 81: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/81.jpg)
Padawan
ab c
d
ef
Framework for parallel data processing and data visualization
RE few samples is affordable - thousands would be a nightmare
![Page 82: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/82.jpg)
Padawan
ab c
d
ef
Framework for parallel data processing and data visualization
RE few samples is affordable - thousands would be a nightmare
● padawan core handle data and dispatch analysis jobs● analysis jobs executed on worker machines● jobs instantiated from analysis modules
![Page 83: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/83.jpg)
Analysis pipelinefor automated large-scale analysis
![Page 84: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/84.jpg)
Padawan as a service-WIP-
![Page 85: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/85.jpg)
VPNFilter first stage
SHA256: 0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92https://blog.talosintelligence.com/2018/05/VPNFilter.html
Persistence
![Page 86: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/86.jpg)
VPNFilter first stage
SHA256: 0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92https://blog.talosintelligence.com/2018/05/VPNFilter.html
IMAGE DOWNLOAD ATTEMPTS
![Page 87: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/87.jpg)
VPNFilter second stage
SHA256: d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70https://blog.talosintelligence.com/2018/05/VPNFilter.html
mkdir("/var/run/d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70em", 0770) = 0mkdir("/var/run/d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70ew", 0770) = 0
open("/proc/mtd", O_RDONLY) = -2 (ENOENT)
connect(3, {AF_INET, 127.0.0.1, 9050}, 16) = -111 (ECONNREFUSED)
![Page 88: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/88.jpg)
HAND OF THIEF
SHA256: bd92ce74844b1ddfdd1b61eac86abe7140d38eedf9c1b06fb7fbf446f6830391https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/
![Page 89: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/89.jpg)
HAND OF THIEF
ARTIFACTS and executed
binaries
SHA256: bd92ce74844b1ddfdd1b61eac86abe7140d38eedf9c1b06fb7fbf446f6830391https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/
![Page 90: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/90.jpg)
HAND OF THIEFANTI-DEBUG?INJECTION?
INJECTION
USER BEHAVIOR
ROOT BEHAVIOR
SHA256: bd92ce74844b1ddfdd1b61eac86abe7140d38eedf9c1b06fb7fbf446f6830391https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/
![Page 91: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/91.jpg)
HAND OF THIEF
ANTI-VM
ANTI CHROOT JAIL
ANTI-VMWARE and ANTI-VBOXSHA256: bd92ce74844b1ddfdd1b61eac86abe7140d38eedf9c1b06fb7fbf446f6830391
https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/
![Page 92: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/92.jpg)
Conclusions- Shed light on modern Linux malware- Design a pipeline to cope with ELF binaries- Release the dataset:
https://padawan.s3.eurecom.fr/static/data/dataset_sha256.txt- Open the pipeline to the public:
https://padawan.s3.eurecom.fr
![Page 93: Modern Linux Malware Exposed - s3.eurecom.frs3.eurecom.fr/~invano/slides/recon18_linux_malware.pdf · Emanuele Cozzi @invano Mariano Graziano @emd3l Modern Linux Malware Exposed RECON](https://reader030.fdocuments.in/reader030/viewer/2022021804/5ba476a309d3f2205e8d4fb4/html5/thumbnails/93.jpg)
thanks!questions?Emanuele Cozzi @invanoMariano Graziano @emd3l