Dealing withLinux Malware

Rootkits, Backdoors, and More...

Utrecht, 19 March 2016

Michael Boelenmichael.boelen@cisofy.com

Agenda

Today1. How do “they” get in2. Why?3. Malware types4. In-depth: rootkits5. Defenses

2

Interactive

● Ask● Share● Presentation

3

Michael Boelen

● Security Tools○ Rootkit Hunter (malware scan)

○ Lynis (security audit)

● 150+ blog posts

● Founder of CISOfy

4

How do “they” get in

Intrusions

● Simple passwords● Vulnerabilities● Weak configurations● Clicking on attachments● Open infected programs

6

Why?

Why?

● Spam● Botnet

8

9

Types

● Virus● Worm● Backdoor● Dropper● Rootkit

Types

11

Rootkits 101

Rootkits

● (become | stay) root● (software) kit

13

Rootkits

● Stealth● Persistence● Backdoor

14

How to be the best rootkit?

Hiding ★

In plain sight!

/etc/sysconfig/…/tmp/mysql.sock/bin/audiocnf

16

Hiding ★★

Slightly advanced

● Rename processes● Delete file from disk● Backdoor binaries

17

Hiding ★★★

Advanced

● Kernel modules● Change system calls● Hidden passwords

18

Demo

Demo

20

Demo

21

Rootkit Hunter

Detect theundetectable!

22

Challenges

● We can’t trust anything● Even ourselves● No guarantees

24

Continuous Game

25

Defense

Defenses

At least● Perform security scans● Protect your data● System hardening

27

Scanning » Scanners

● Viruses → ClamAV● Backdoors → LMD● Rootkits → Chkrootkit / rkhunter

28

Scanning » File Integrity

● Changes● Powerful detection● Noise

AIDE / Samhain

29

System Hardening » Lynis

● Linux / UNIX● Open source● Shell● Health scan

30

Conclusions

Conclusions

● Challenge: rootkits are hard to detect

● Prevent: system hardening

● Detect: recognize quickly, and act

32

You finished this presentation

Success!

More Linux security?

Presentationsmichaelboelen.com/presentations/

Follow● Blog Linux Audit (linux-audit.com)● Twitter @mboelen

34

35