Unix malware analysis after break-in
Aleksander Czarnowski, AVET Information and Network Security
If you look at the CERT/CC annual report for the year 2001 you might be surprised: of the six most common intruder activities, five are network and email worms. The only remaining activity is a remotely exploitable buffer overflow in older versions of BIND. The February 2002 issue of Virus Bulletin contains an analysis of the RST virus and backdoor (see VB, February 2002, p.7). Intruders are exploiting the possibilities of malware more than ever before.
This paper inspects possible infection vectors on Unix systems and presents the problems of detecting and analysing malware found in the wild. The scenario assumed throughout is that the system has been compromised before our analysis begins. I will describe features available on many Unix systems, such as Loadable Kernel Modules (LKM) and the stealth techniques used to hide an intruder's presence, the ELF file format, and the common local and remote vulnerabilities exploited by malware such as worms and rootkits. I will then describe different methods of detecting an infection and the problems involved in removing a rootkit from a compromised system. The paper also discusses the use of polymorphism in exploit code, which makes detection of attacks at the network level much more difficult. Last but not least, I will inspect the security (and the pitfalls) of chroot environments from a malware perspective.
Part of the material presented comes from real-life incidents that have happened during the last year.
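As an added illustration, not taken from the paper, of the kind of ELF-level sanity check that post-break-in analysis relies on: a first-pass triage routine that parses ELF64 headers and flags a binary whose entry point does not land in an executable, non-writable PT_LOAD segment. The constants follow the ELF specification; the sample images are constructed header-only blobs, not real binaries; and the heuristic is only a crude first filter, since an infector that extends the text segment will pass it.

```python
import struct

# ELF64 constants (System V ABI); little-endian layout assumed below
ELF_MAGIC = b"\x7fELF"
PT_LOAD, PF_X, PF_W, PF_R = 1, 0x1, 0x2, 0x4
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, 64 bytes
PHDR_FMT = "<IIQQQQQQ"          # Elf64_Phdr, 56 bytes

def parse_elf64(data):
    """Return (e_entry, [(p_type, p_flags, p_vaddr, p_memsz), ...]) from an ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian 64-bit ELF image")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_entry, e_phoff, e_phentsize, e_phnum = hdr[4], hdr[5], hdr[9], hdr[10]
    if e_phentsize != struct.calcsize(PHDR_FMT):
        raise ValueError("unexpected program header size %d" % e_phentsize)
    phdrs = []
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append((p[0], p[1], p[3], p[6]))  # type, flags, vaddr, memsz
    return e_entry, phdrs

def check_entry_point(data):
    """Return None when e_entry lies in an executable, non-writable PT_LOAD segment,
    otherwise a short reason string for the triage report."""
    entry, phdrs = parse_elf64(data)
    for p_type, flags, vaddr, memsz in phdrs:
        if p_type != PT_LOAD or not (vaddr <= entry < vaddr + memsz):
            continue
        if not flags & PF_X:
            return "entry point 0x%x lies in a non-executable segment" % entry
        if flags & PF_W:
            return "entry point 0x%x lies in a writable+executable segment" % entry
        return None
    return "entry point 0x%x lies outside every PT_LOAD segment" % entry

def build_elf64(entry, segments):
    """Constructed minimal ELF64 image (headers only) used as sample input."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, entry, 64, 0, 0, 64, 56, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack(PHDR_FMT, PT_LOAD, flags, 0, vaddr, vaddr, memsz, memsz, 0x1000)
                     for flags, vaddr, memsz in segments)
    return ehdr + phdrs

# Constructed samples: a normal layout, and two whose entry point was moved
CLEAN = build_elf64(0x401000, [(PF_R | PF_X, 0x400000, 0x2000), (PF_R | PF_W, 0x600000, 0x1000)])
ENTRY_IN_DATA = build_elf64(0x600100, [(PF_R | PF_X, 0x400000, 0x2000), (PF_R | PF_W, 0x600000, 0x1000)])
ENTRY_UNMAPPED = build_elf64(0x800000, [(PF_R | PF_X, 0x400000, 0x2000)])

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("entry_in_data", ENTRY_IN_DATA), ("entry_unmapped", ENTRY_UNMAPPED)):
        print(name, "->", check_entry_point(img) or "entry point looks normal")
```

To run the check against a real file from a compromised host, pass `open(path, "rb").read()` to `check_entry_point`.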