understanding linux malware
play

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , - PowerPoint PPT Presentation

Feb 20, 2023 •108 likes •690 views

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide Balzarotti 1 1 EURECOM 2 Cisco Systems, Inc. IEEE Symposium on Security & Privacy, May 2018 Malware and operating systems Malware and operating

  1. Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide Balzarotti 1 1 EURECOM 2 Cisco Systems, Inc. IEEE Symposium on Security & Privacy, May 2018

  2. Malware and operating systems

  3. Malware and operating systems

  4. Linux malware on the rise Mirai

  5. Linux malware on the rise Mirai Erebus

  6. Linux malware on the rise OutlawCountry Mirai Erebus

  7. Linux malware on the rise OutlawCountry Mirai Erebus

  8. Objectives • Develop a dynamic analysis sandbox for Linux binaries (and IoT devices)

  9. Objectives • Develop a dynamic analysis sandbox for Linux binaries (and IoT devices) ◮ Previous studies only looked at the network behavior 1 2 1 Antonakakis et al. ”Understanding the mirai botnet,” USENIX Security Symposium 2017. 2 Yin Minn Pa et al. ”IoTPOT: analysing the rise of IoT compromises,” USENIX Workshop on Offensive Technologies 2015.

  10. Objectives • Develop a dynamic analysis sandbox for Linux binaries (and IoT devices) ◮ Previous studies only looked at the network behavior 1 2 • Identify challenges and limitations of porting traditional techniques to the new environment 1 Antonakakis et al. ”Understanding the mirai botnet,” USENIX Security Symposium 2017. 2 Yin Minn Pa et al. ”IoTPOT: analysing the rise of IoT compromises,” USENIX Workshop on Offensive Technologies 2015.

  11. Objectives • Develop a dynamic analysis sandbox for Linux binaries (and IoT devices) ◮ Previous studies only looked at the network behavior 1 2 • Identify challenges and limitations of porting traditional techniques to the new environment • Understand differences in the malware characteristics (packing, obfuscantion, VM detection, privilege excalation, persistence...) wrt Windows malware 1 Antonakakis et al. ”Understanding the mirai botnet,” USENIX Security Symposium 2017. 2 Yin Minn Pa et al. ”IoTPOT: analysing the rise of IoT compromises,” USENIX Workshop on Offensive Technologies 2015.

  12. Target devices

  13. Target devices

  14. Target devices Diversity

  15. Diversity CPU: Intel

  16. Diversity CPU: Intel, ARM, MIPS, Motorola, Sparc

  17. Diversity CPU: Intel, ARM, MIPS, Motorola, Sparc OS: Linux

  18. Diversity CPU: Intel, ARM, MIPS, Motorola, Sparc OS: Linux, BSD, Android

  19. Diversity CPU: Intel, ARM, MIPS, Motorola, Sparc OS: Linux, BSD, Android Libraries: glibc

  20. Diversity CPU: Intel, ARM, MIPS, Motorola, Sparc OS: Linux, BSD, Android Libraries: glibc, uclibc, libpcap, libopencl

  21. Diversity CPU: Intel, ARM, MIPS, Motorola, Sparc Statically-linked ELF unportable OS: Linux, BSD, Android Libraries: glibc, uclibc, libpcap, libopencl

  22. Diversity CPU: Intel, ARM, MIPS, Motorola, Sparc Statically-linked ELF unportable OS: Linux, BSD, Android Libraries: glibc, uclibc, libpcap, libopencl Unknown device

  23. Analysis infrastructure Data collection File & metadata analysis Static analysis Dynamic analysis Code Packer AVClass analysis analysis File recognition ELF Packing Sandbox Trace Emulation anomaly identification preparation analysis

  24. Analysis infrastructure Data collection File & metadata analysis Static analysis Dynamic analysis Code Packer AVClass analysis analysis File recognition ELF Packing Sandbox Trace Emulation anomaly identification preparation analysis

  25. Analysis infrastructure Data collection File & metadata analysis Static analysis Dynamic analysis Code Packer AVClass analysis analysis File recognition ELF Packing Sandbox Trace Emulation anomaly identification preparation analysis

  26. Data collection From November 2016 to November 2017 200 candidate samples per day Dataset of 10,548 Linux malware

  27. File & metadata analysis Data collection Dynamic analysis File & metadata analysis Static analysis Code Packer AVClass analysis analysis File recognition ELF Packing Sandbox Trace Emulation identification anomaly preparation analysis

  28. Dataset Architecture Samples Percentage X86-64 3018 28.61% MIPS I 2120 20.10% PowerPC 1569 14.87% Motorola 68000 1216 11.53% Sparc 1170 11.09% Intel 80386 720 6.83% ARM 32-bit 555 5.26% Hitachi SH 130 1.23% AArch64 (ARM 64-bit) 47 0.45% others 3 0.03% Distribution of the 10,548 downloaded samples across architectures

  29. Dataset Architecture Samples Percentage X86-64 3018 28.61% MIPS I 2120 20.10% PowerPC 1569 14.87% Motorola 68000 1216 11.53% Sparc 1170 11.09% Intel 80386 720 6.83% ARM 32-bit 555 5.26% Hitachi SH 130 1.23% AArch64 (ARM 64-bit) 47 0.45% others 3 0.03% Distribution of the 10,548 downloaded samples across architectures

  30. Dataset Architecture Samples Percentage X86-64 3018 28.61% MIPS I 2120 20.10% PowerPC 1569 14.87% Motorola 68000 1216 11.53% Sparc 1170 11.09% Intel 80386 720 6.83% ARM 32-bit 555 5.26% Hitachi SH 130 1.23% AArch64 (ARM 64-bit) 47 0.45% others 3 0.03% Distribution of the 10,548 downloaded samples across architectures

  31. ELF manipulation \ x07ELF ELF header Program header table .text .data Section header table

  32. ELF manipulation \ x07ELF ELF header • Anomalous ELF Program header table ◮ Sections table removed .text .data Section header table

  33. ELF manipulation \ x07ELF ELF header • Anomalous ELF Program header table ◮ Sections table removed • Invalid ELF .text ◮ Segments table points beyond file ◮ Overlapping header/segment ◮ Sections table points beyond file .data Section header table

  34. ELF manipulation \ x07ELF ELF header • Anomalous ELF Program header table ◮ Sections table removed • Invalid ELF .text ◮ Segments table points beyond file ◮ Overlapping header/segment ◮ Sections table points beyond file • Problems with common analysis tools ✘ readelf 2.26.1 ✘ GDB 7.11.1 .data ✘ pyelftools 0.24 ✔ IDA Pro 7 Section header table

  35. AVClass 3 Pymadro Miner Ebolachan Golad Lady Connectback Mirai Elfpatch Pomedaj Liora Ddostf Cinarek Ztorg Elknot Shishiga Aidra Chinaz Fysbis Ganiw Scanner Roopre Mrblack Equation Logcleaner Sniff Tsunami Sshbrute Probe Znaich Erebus Xingyi Xaynnalc Gafgyt Flood Coinminer Bassobo Killdisk Eicar Remaiten Bossabot Midav Getshell Drobur Webshell Dcom Cloudatlas Luabot Iroffer Mayday Grip Darkkomet Prochider Ircbot Xhide Portscan Xunpes Diesel Setag Raas Shelma Shellshock Nixgi Wuscan Cleanlog Sshdoor Psybnc Themoon Rekoobe Intfour Pulse Sickabs Hajime Hijacker Mumblehard Darlloz Sotdas Ladvix Pnscan Ropys Lightaidra Moose Vmsplice Ddoser Spyeye 3 Sebastin et al. ”Avclass: A tool for massive malware labeling,” International Symposium on Research in Attacks, Intrusions, and Defenses 2016.

  36. Static analysis Data collection Dynamic analysis File & metadata analysis Static analysis Code Packer AVClass analysis analysis File recognition ELF Packing Sandbox Trace Emulation identification anomaly preparation analysis

  37. Packing ooooo ooo ooooooooo . ooooooo ooooo ‘888 ’ ‘8 ’ ‘888 ‘ Y88 . ‘8888 d8 ’ 888 8 888 . d88 ’ Y888 . . 8 P 888 8 888ooo88P ’ ‘8888 ’ 888 8 888 .8 PY888 . ‘ 88 . . 8 ’ 888 d8 ’ ‘888 b ‘YbodP ’ o888o o888o o88888o The Ultimate Packer f o r eXecutables • Vanilla UPX and custom variants are the prevalent packers (almost 4% of the dataset)

  38. Packing oo ooo o oooooo . oooo ooooo ‘8 ‘8 ’ ‘888 ‘Y88 . ‘8888 d8 ’ 888 8 888 . d88 ’ Y8 8 . . 888 8 8 88P’ ‘8888 ’ 8 8 888 Y888 . 8 . 88 d8 ’ ‘88 ‘YbodP ’ 88o o888o o888 The Ultimate Packer f o r eXecutables • Vanilla UPX and custom variants are the prevalent packers (almost 4% of the dataset)

  39. Packing oo ooo o oo o . oooo ooo ‘8 ‘8 ’ ‘888 ‘Y8 ‘8888 d8 ’ 888 8 888 . d8 Y8 8 . . 8 8 88P’ ‘88 8 8 888 Y 8 . 8 d8 ’ ‘88 ‘Yb dP ’ 88o o888 888 The Ultimate Packer f o r eXecutables • Vanilla UPX and custom variants are the prevalent packers (almost 4% of the dataset)

  40. Packing oo o o o o . ooo oo ‘8 ‘8 ’ ‘88 ‘Y8 88 d8 8 8 8 . d8 8 8 . . 8 8 ‘88 8 8 88 Y 8 . 8 8 ’ ‘88 b dP ’ 88o 88 88 The Ultimate Packer f o r eXecutables • Vanilla UPX and custom variants are the prevalent packers (almost 4% of the dataset) ◮ modified magic bytes ◮ modified strings ◮ junk bytes

  41. Packing oo o o o o . ooo oo ‘8 ‘8 ’ ‘88 ‘Y8 88 d8 8 8 8 . d8 8 8 . . 8 8 ‘88 8 8 88 Y 8 . 8 8 ’ ‘88 b dP ’ 88o 88 88 The Ultimate Packer f o r eXecutables • Vanilla UPX and custom variants are the prevalent packers (almost 4% of the dataset) ◮ modified magic bytes ◮ modified strings ◮ junk bytes • At least one malware family is using a custom packer

  42. Dynamic analysis Data collection Dynamic analysis File & metadata analysis Static analysis Code Packer AVClass analysis analysis File recognition ELF Packing Sandbox Trace Emulation identification anomaly preparation analysis

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Linux malware presentation @r00tbsd Paul Rascagnres Malware.lu July 2013 @r00tbsd

Linux malware presentation @r00tbsd Paul Rascagnres Malware.lu July 2013 @r00tbsd

Linux malware presentation Linux malware presentation @r00tbsd Paul Rascagnres Malware.lu July 2013 @r00tbsd Paul Rascagnres from Malware.lu Linux malware presentation Plan - Presentation - Darkleech/Chapro - Cdorked - Wirenet

425 views • 31 slides
Linux Systems Compromised Understanding and dealing with break-ins Michael Boelen

Linux Systems Compromised Understanding and dealing with break-ins Michael Boelen

Linux Systems Compromised Understanding and dealing with break-ins Michael Boelen michael.boelen@cisofy.com Ede, 5 February 2016 Agenda Today 1. How do they get in 2. Rootkits 3. Malware handling 4. Defenses 2 Michael Boelen

607 views • 40 slides
Linux Malware Rootkits, Backdoors, and More... Michael Boelen michael.boelen@cisofy.com

Linux Malware Rootkits, Backdoors, and More... Michael Boelen michael.boelen@cisofy.com

Dealing with Linux Malware Rootkits, Backdoors, and More... Michael Boelen michael.boelen@cisofy.com Utrecht, 19 March 2016 Agenda Today 1. How do they get in 2. Why? 3. Malware types 4. In-depth: rootkits 5. Defenses 2

546 views • 35 slides
LXCBENCH Understanding the capabilities of Linux Containers in IVI applications through

LXCBENCH Understanding the capabilities of Linux Containers in IVI applications through

LXCBENCH Understanding the capabilities of Linux Containers in IVI applications through benchmarking Gianpaolo Macario Mentor Embedded Linux Services GENIVI EG-SI Architect Automotive Linux Summit Fall Edinburgh, UK October 2013

467 views • 31 slides
A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau (

A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau (

A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau ( @obilodeau ) $ apropos Embedded Linux Malware Moose DNA (description) Moose Herding (the Operation) Whats New? Take Aways $ whoami Malware

1.19k views • 97 slides
Leopard: Understanding the Threat of Blockchain Domain Name Based Malware Zhangrong Huang 1,2 ,

Leopard: Understanding the Threat of Blockchain Domain Name Based Malware Zhangrong Huang 1,2 ,

Leopard: Understanding the Threat of Blockchain Domain Name Based Malware Zhangrong Huang 1,2 , Ji Huang 1,2 , and Tianning Zang 2 1.School of Cyber Security, UCAS 2.Institute of Information Engineering, CAS Existing Techniques Used by Malware

638 views • 30 slides
Scope focused on Linux using Linux terminology the principles are general Assumption knowledge

Scope focused on Linux using Linux terminology the principles are general Assumption knowledge

% Networking % Ji Benc, Red Hat % Advanced Operating Systems, MFF UK Scope focused on Linux using Linux terminology the principles are general Assumption knowledge of OSI model understanding of packet structure basic understanding of

407 views • 11 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
HookFinder: Identifying and Understanding Malware Hooking Behaviors Heng Yin Zhenkai Liang Dawn

HookFinder: Identifying and Understanding Malware Hooking Behaviors Heng Yin Zhenkai Liang Dawn

HookFinder: Identifying and Understanding Malware Hooking Behaviors Heng Yin Zhenkai Liang Dawn Song Carnegie Mellon Univ Carnegie Mellon Univ UC Berkeley Coll Of William and Mary Carnegie Mellon Univ 1 What is a hook? Malware

373 views • 26 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr Sec Research Analyst @ Arbor ex-TippingPoint ASI Primarily reverse malware Interests / Research DDoS Botnet tracking Malware Clustering Bug

419 views • 29 slides
Detecting Deception in the Context of Web 2.0. Annarita Giani , EECS, University of California,

Detecting Deception in the Context of Web 2.0. Annarita Giani , EECS, University of California,

Detecting Deception in the Context of Web 2.0. Annarita Giani , EECS, University of California, Berkeley, CA Paul Thompson, CS Dept. Dartmouth College, Hanover, NH W2SP2007 Oakland, CA May 24, 2007 Outline 1.Motivation and Terminology

334 views • 30 slides
Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U.,

Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U.,

MIDeA: A Multi-Parallel Intrusion Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U., USA Sotiris Ioannidis, FORTH-ICS, Greece CCS 2011, 19 October 2011 Network Intrusion Detection Systems

548 views • 34 slides
GoldenEye: stream-based network packet inspection using GPUs Qian Gong, Wenji Wu, Phil DeMar The

GoldenEye: stream-based network packet inspection using GPUs Qian Gong, Wenji Wu, Phil DeMar The

FERMILAB-SLIDES-18-122-CD GoldenEye: stream-based network packet inspection using GPUs Qian Gong, Wenji Wu, Phil DeMar The 43nd IEEE Conference on Local Computer Networks October 4, 2018 This manuscript has been authored by Fermi Research

473 views • 24 slides
C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS Dimitrios A. Glynos

C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS Dimitrios A. Glynos

C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G ENERATION OF IDS Dimitrios A. Glynos dimitris at census-labs.com Census, Inc. Athens IT Security Conference (AthCon 2010) C ONTEXT -K EYED P AYLOAD E NCODING : F IGHTING THE N EXT G

315 views • 30 slides
CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z.

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers a. nappa , z. xu, m.z. rafique, j.caballero, g.gu imdea software institute success lab, texas a&m univeristy Cybercriminals use geographically distributed servers to

652 views • 24 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser

Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser

Monitoring Command-and-Control Channels with ccSpy Final Presentation Oliver Gasser Interdisciplinary Project Advisor: Lothar Braun Chair for Network Architectures and Services Faculty of Computer Science Technische Universit at M

1.02k views • 56 slides

More recommend