The document describes research analyzing a dataset of malicious Linux binaries. It finds that Linux malware is a real threat, capable of infecting multiple systems and making high use of networks. A variety of evasion techniques are employed. Case studies examine malware that installs SSH backdoors and the Erebus ransomware. The conclusion reiterates that Linux malware poses a threat and calls for questions and feedback on the research.
1. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Malicious Linux Binaries: A Landscape
Lucas Galante, Marcus Botacin, André Grégio, Paulo Lício de Geus
SBSEG 2018
Agenda
1 Motivation
2 Dataset Description
3 Methodology
4 Analysis
  Static Analysis
  Dynamic Analysis
5 Case Studies
6 Conclusion
Motivation
Is there Linux malware?
Figure: Erebus ransomware attacks South Korean internet provider.
Dataset Description
Binaries Architectures
[Chart: percentage of sampled Linux malware separated by architecture. X axis: Architectures (ARM, Intel 80386, MIPS, Motorola m68k, PowerPC, Renesas SH, SPARC, x86-64); Y axis: Percentage of Samples, 0% to 60%.]
Figure: ELF binary samples distributed by architecture.
Methodology
Static Analysis
Objdump
[Chart: percentage of Linux malware that evades Objdump analysis. X axis: Architectures (Intel 80386, ARM, x86-64, MIPS, SPARC); Y axis: Percentage of Samples, 0% to 80%.]
Figure: Percentage of malware that failed to disassemble.
Static Functions
[Chart: types of functions found in malware from different Linux architectures. X axis: Architectures (ARM, Intel 80386, MIPS, SPARC, x86-64); Y axis: Percentage of Samples, 0% to 50%; series: Network, Evasion, Environment, Removal, Timing.]
Figure: Malware behavior prevalence by architecture.
Network Strings
[Chart: percentage of samples with network strings and percentage of unique strings. X axis: Network Strings (Mail, URL, IP); Y axis: Percentage of Samples, 0% to 45%; series: Samples, Unique strings.]
Figure: Network-related strings. Rate of samples with network-related strings.
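How a static "network strings" pass of the kind charted above can be implemented, as an added example that is not code from the paper or from the authors' repository: it pulls printable runs out of binary blobs the way `strings` does, sorts them into the chart's three classes (mail, URL, IP) with regular expressions, and reports over a corpus the share of samples carrying each class and the set of unique strings, which are the two series in the chart. The regexes, the minimum string length and the sample blobs (constructed, with TEST-NET addresses and example.net names) are assumptions of this example; the paper does not publish its extraction rules.

```python
import re
from collections import Counter

# Patterns for the three string classes the chart distinguishes.  These are
# assumptions of this example; the paper does not publish its extraction rules.
MAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"(?:https?|ftp)://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\"']*)?")
IPV4_RE = re.compile(
    r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])"
)
KINDS = (("mail", MAIL_RE), ("url", URL_RE), ("ip", IPV4_RE))


def printable_strings(blob: bytes, min_len: int = 4):
    """Yield runs of printable ASCII of at least min_len bytes, like `strings -n`."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")


def classify_network_strings(blob: bytes) -> dict:
    """Return {"mail": set, "url": set, "ip": set} of network strings in one binary.
    An IP embedded in a URL is reported under both classes, which is what a plain
    string scan sees; merging them is left to a later de-duplication pass."""
    found = {kind: set() for kind, _ in KINDS}
    for s in printable_strings(blob):
        for kind, rx in KINDS:
            found[kind].update(rx.findall(s))
    return found


def corpus_stats(samples: dict) -> dict:
    """Per class: share of samples with at least one such string (the chart's
    'Samples' series) and the sorted unique strings across the corpus (the
    basis of its 'Unique strings' series)."""
    with_kind = Counter()
    unique = {kind: set() for kind, _ in KINDS}
    for blob in samples.values():
        for kind, values in classify_network_strings(blob).items():
            if values:
                with_kind[kind] += 1
            unique[kind] |= values
    n = len(samples)
    return {
        kind: {"sample_pct": 100.0 * with_kind[kind] / n, "unique": sorted(unique[kind])}
        for kind in unique
    }


# Constructed stand-ins for ELF samples: an ELF magic, some non-printable
# padding and a few NUL-separated strings (TEST-NET addresses, example names).
SAMPLES = {
    "sample_a": b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"connect\x00203.0.113.7\x00http://c2.example.net/gate.php\x00",
    "sample_b": b"\x7fELF\x01\x01\x01" + b"\x00" * 8
    + b"report@mail.example.org\x00198.51.100.23\x00",
    "sample_c": b"\x7fELF\x02\x01\x01" + b"\x00" * 8 + b"strcpy\x00/proc/self/exe\x00",
    "sample_d": b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"203.0.113.7\x00ftp://203.0.113.7/upd\x00",
}

if __name__ == "__main__":
    for kind, stats in corpus_stats(SAMPLES).items():
        print(f"{kind}: {stats['sample_pct']:.0f}% of samples, "
              f"{len(stats['unique'])} unique: {stats['unique']}")
```

The gap between the two series in the chart comes out directly from this data: three of the four constructed samples carry an IP string, but only two distinct addresses exist, because one scanner-style address is shared.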
Packer
[Chart: percentage of Linux malware that uses the UPX packer. X axis: Architectures (MIPS, Intel 80386, ARM, x86-64); Y axis: Percentage of Samples, 2% to 6%.]
Figure: Rate of UPX-packed samples. Few samples are packed.
AV Labels
[Chart: malware category as defined by Kaspersky. X axis: Malware category (Spoofer, DoS, Trojan, Flooder, Worm, HackTool, Rootkit, Backdoor, Virus, Exploit); Y axis: Percentage of Samples, 0% to 30%.]
Figure: AV labels according to Kaspersky AV. We observe a prevalence of exploits.
Clusters
[Chart: percentage of clusters with varying numbers of samples per cluster. X axis: Cluster Size, 0 to 100; Y axis: Percent of Clusters (logarithmic scale), 0% to 100%.]
Figure: Sample variant clustering. Smaller clusters are prevalent.
Dynamic Analysis
Timeout Signals
[Chart: signals sent during execution of Linux malware. X axis: Signals (SIGKILL, SIGTERM, SIGSEGV); Y axis: Percentage of Samples, 0% to 18%; series: Internal, External.]
Figure: Observed signals during execution.
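One way a sandbox can attribute a terminating signal either to the sample itself or to the analysis harness, which is the internal/external split in the chart above. This is an added example and not the authors' harness; it assumes a fixed analysis budget after which the harness sends SIGKILL (the only "external" signal here) and that any other signal death reported by the kernel through a negative wait status originated inside the sample's own process tree or was the kernel's reaction to it (a SIGSEGV on a bad access). The sample programs are constructed Python one-liners standing in for ELF binaries.

```python
import signal
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

ANALYSIS_BUDGET_S = 1.0  # assumption: how long the sandbox lets a sample run


@dataclass
class Outcome:
    signal: Optional[str]  # "SIGKILL", "SIGTERM", "SIGSEGV", ... or None if no signal
    origin: str            # "external" (sent by the sandbox), "internal" (from the sample), "none"
    exit_code: Optional[int]


def run_sample(argv: List[str], budget_s: float = ANALYSIS_BUDGET_S) -> Outcome:
    """Run one sample under a time budget and record who terminated it, if anyone."""
    proc = subprocess.Popen(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        rc = proc.wait(timeout=budget_s)
    except subprocess.TimeoutExpired:
        # The sandbox is the sender: budget exhausted, so we SIGKILL the sample.
        proc.kill()
        proc.wait()
        return Outcome("SIGKILL", "external", None)
    if rc < 0:
        # POSIX wait status: a negative return code means "died from signal -rc".
        # We sent nothing, so the signal came from inside the sample's process
        # tree (self-kill, a child killing its parent) or from the kernel
        # reacting to the sample (SIGSEGV on an invalid memory access).
        return Outcome(signal.Signals(-rc).name, "internal", None)
    return Outcome(None, "none", rc)


# Constructed stand-ins for ELF samples: Python one-liners with known endings.
SAMPLES = {
    "self_segfault": [sys.executable, "-c", "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"],
    "self_term":     [sys.executable, "-c", "import os, signal; os.kill(os.getpid(), signal.SIGTERM)"],
    "sleeper":       [sys.executable, "-c", "import time; time.sleep(60)"],
    "clean_exit":    [sys.executable, "-c", "raise SystemExit(3)"],
}


def run_all(samples: dict = SAMPLES, budget_s: float = ANALYSIS_BUDGET_S) -> dict:
    """Run every sample and map its name to the observed Outcome."""
    return {name: run_sample(argv, budget_s) for name, argv in samples.items()}


def tally(outcomes: dict) -> dict:
    """Share of samples per (signal, origin) pair: the bars of the chart."""
    n = len(outcomes)
    counts = Counter((o.signal, o.origin) for o in outcomes.values() if o.signal)
    return {f"{sig}/{origin}": 100.0 * k / n for (sig, origin), k in counts.items()}


if __name__ == "__main__":
    results = run_all()
    for name, o in results.items():
        print(f"{name:14s} signal={o.signal} origin={o.origin} exit_code={o.exit_code}")
    print(tally(results))
```

A sample that sleeps past the budget is the one case the harness itself terminates; everything else in the chart's "internal" series is the sample's own doing, which is why a sandbox that only records "the process is gone" without the wait status cannot tell a timeout from a self-removing sample.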
Behavior
[Chart: percentage of samples with the considered behavior. X axis: Behavior (Network, Evasion, Environment, Removal, Timing, Memory, Modularity); Y axis: Percentage of Samples, 0% to 100%; series: Intel x86-64, Intel 80386.]
Figure: Malware behavior prevalence.
Accessed Files
[Chart: percentage of Linux malware that attempts to access secure files or directories. X axis: /home, /var, passwd and shadow, resolv.conf, /proc; Y axis: Percentage of Samples, 0% to 50%.]
Figure: Accessed files and directories.
I/O Operations
[Chart: percentage of I/O operations by Linux malware. X axis: I/O operation (Write to stdout, Write to file, Read from stdin, Read from file); Y axis: Percentage of Samples, 0% to 60%.]
Figure: I/O operations. Most samples do not exhibit direct user interaction.
Network
[Chart: identified network usage. X axis: Architectures (80386, x86-64); Y axis: Percentage, 0% to 90%; series: Samples, Unique IP with scanners, Unique IP without scanners.]
Figure: Identified network usage. Scanners dominate the unique-IP rate.
Domains
[Chart: TLD distribution. X axis: Domains (.nl, .ca, .tr, .de, .cn, .jp, .br, .com, .net); Y axis: Percentage of URLs, 0% to 45%.]
Figure: TLD distribution. Global domains are prevalent. Local domains are present due to scanner enumeration.
Case Studies
SSH Backdoor
Figure: Execution flow of backdoor malware with SSH injection.
Listing 1: Backdoor sample in action. It drops the attacker's key into the system, thus granting remote access.
malloc(381) = 0x2083c60
strlen("PPK\016QPB\003 bbbba \020mYB`\022Z@\021fbbbbgbrba"...)
strcat("", " ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB"...)
Erebus
Figure: Execution flow of Erebus ransomware.
Listing 2: Erebus execution. It connects to runtime-generated IP addresses and to Tor-based hidden services and onion domains.
strncmp("\"-----BEGIN PUBLIC KEY-----\nMII"..., "null", 4)
strncmp("3,\"tg\":\"216.126.224.128/24\",\"bu"..., "null", 4)
strncmp("\"7fv4vg4n26cxleel.hiddenservice."..., "null", 4)
strncmp("\"qzjordhlw5mqhcn7.onion.to\",\"qzj"..., "true", 4)
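Listings 1 and 2 are library-call traces in the style of ltrace, so an analyst can triage them mechanically rather than by eye. As an added example (not code from the paper or from its repository), the block below parses such lines, unescapes the quoted C string arguments and flags the indicators the two case studies show: an SSH public key handed to a string function (the key's base64 payload is checked against the RFC 4253 wire format, in which the blob opens with the length-prefixed key type, which is why every RSA key in authorized_keys begins with AAAAB3NzaC1yc2E), a PEM key header, IPv4 addresses or CIDR ranges, and .onion or hidden-service names including tor2web-style gateway suffixes. The trace lines, the key blob and the addresses are constructed for this example (TEST-NET range, a deliberately short and useless key), and the function names here are mine, not the paper's.

```python
import base64
import binascii
import codecs
import re
from typing import Dict, List

# Indicator patterns; assumptions of this example, not rules taken from the paper.
SSH_KEY_RE = re.compile(r"\b(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp\d{3})\s+([A-Za-z0-9+/]+=*)")
PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----")
IP_CIDR_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")
# v2 (16 chars) and v3 (56 chars) onion names, bare or behind a gateway suffix
# such as .onion.to; ".hiddenservice" covers the form seen in Listing 2.
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.(?:onion(?:\.[a-z]{2,})?|hiddenservice)\b")

CALL_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*(?:=.*)?$")  # name(args) [= result]
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')                 # one quoted C string


def unescape(s: str) -> str:
    """Undo ltrace-style C escapes (\\n, \\", \\016 ...) in a traced string."""
    try:
        return codecs.decode(s.encode("latin-1"), "unicode_escape")
    except (UnicodeDecodeError, UnicodeEncodeError):
        return s


def parse_trace_line(line: str):
    """Return (function, [unescaped string arguments]) or None for a non-call line."""
    m = CALL_RE.match(line)
    if not m:
        return None
    return m.group(1), [unescape(a) for a in STR_RE.findall(m.group(2))]


def is_valid_ssh_pubkey(key_type: str, blob_b64: str) -> bool:
    """RFC 4253 wire format: the payload starts with the length-prefixed key
    type. A truncated excerpt is checked on its longest decodable prefix."""
    usable = blob_b64[: len(blob_b64) // 4 * 4]
    try:
        raw = base64.b64decode(usable, validate=True)
    except (binascii.Error, ValueError):
        return False
    expected = len(key_type).to_bytes(4, "big") + key_type.encode()
    return raw.startswith(expected)


def scan_trace(lines: List[str]) -> List[Dict]:
    """Flag indicators in the string arguments of every traced call, in trace order."""
    findings = []
    for line in lines:
        parsed = parse_trace_line(line)
        if not parsed:
            continue
        func, args = parsed
        for arg in args:
            for m in SSH_KEY_RE.finditer(arg):
                findings.append({"func": func, "kind": "ssh_pubkey", "value": m.group(0),
                                 "valid": is_valid_ssh_pubkey(m.group(1), m.group(2))})
            for kind, rx in (("pem", PEM_RE), ("ip_cidr", IP_CIDR_RE), ("onion", ONION_RE)):
                for v in rx.findall(arg):
                    findings.append({"func": func, "kind": kind, "value": v, "valid": None})
    return findings


# Constructed key: well-formed (type, exponent 65537, a 4-byte "modulus") so the
# format check passes, but far too short to be usable anywhere.
FAKE_KEY = base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa" + b"\x00\x00\x00\x03\x01\x00\x01" + b"\x00\x00\x00\x04\x00\xc0\xff\xee"
).decode()

# Constructed trace lines in the shape of Listings 1 and 2 (TEST-NET range,
# a made-up 16-character onion name, no real infrastructure).
TRACE = [
    "malloc(381) = 0x2083c60",
    r'strlen("PPK\016QPB\003 bbbba"...) = 52',
    'strcat("", " ssh-rsa ' + FAKE_KEY + ' ops@constructed") = 0x2083c60',
    r'strncmp("\"-----BEGIN PUBLIC KEY-----\nMII"..., "null", 4) = 1',
    r'strncmp("3,\"tg\":\"203.0.113.0/24\",\"bu"..., "null", 4) = 1',
    r'strncmp("\"constructedonion.onion.to\",\"exa"..., "true", 4) = 1',
]

if __name__ == "__main__":
    for f in scan_trace(TRACE):
        print(f"{f['func']:8s} {f['kind']:10s} valid={f['valid']} {f['value'][:60]}")
```

The format check matters for triage: a string that merely contains "ssh-rsa" could be a banner or an error message, whereas a payload whose decoded prefix is the length-prefixed key type is a key being assembled for an authorized_keys-style file, which is what Listing 1 captures.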
Conclusion
The threat of Linux malware is real.
Ability to infect multiple systems.
High use of network.
Diverse evasion techniques.
Questions, Criticism and Suggestions.
Contact
galante@lasca.ic.unicamp.br
Complete version
https://github.com/marcusbotacin/Linux.Malware