Unix malware analysis after break-in

Aleksander Czarnowski, AVET Information and Network Security

If you look at the CERT/CC annual report for the year 2001 you might be surprised. Of the six most common intruder activities, five are network and email worms. The only other activity on the list is a remotely exploitable buffer overflow in older versions of BIND. If you look at the February 2002 issue of Virus Bulletin you will find an analysis of the RST virus and backdoor (see VB, February 2002, p.7). Intruders are exploiting the possibilities of malware more than ever before.

This paper will inspect possible infection vectors on Unix systems and present the problems of detecting and analysing malware found in the wild. The scenario used in the paper presumes that the system has been compromised before our analysis begins. I will describe features available on many Unix systems, such as Loadable Kernel Modules (LKM) and the stealth techniques used to hide an intruder's presence, the ELF file format, and the common local and remote vulnerabilities used by malware such as worms and rootkits. Further, I will describe different methods of detecting infection and the problems of rootkit disinfection. This paper also discusses the use of polymorphism in exploit code to make detection of attacks at the network level much more difficult. Last but not least, I will inspect the security (and its pitfalls) of chroot environments from the malware perspective.

Part of the material presented comes from real-life incidents that have happened during the last year.


