The document describes research analyzing a dataset of malicious Linux binaries. It finds that Linux malware is a real threat, capable of infecting multiple systems and making high use of networks. A variety of evasion techniques are employed. Case studies examine malware that installs SSH backdoors and the Erebus ransomware. The conclusion reiterates that Linux malware poses a threat and calls for questions and feedback on the research.

1. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Malicious Linux Binaries: A Landscape
Lucas Galante, Marcus Botacin, Andr´e Gr´egio, Paulo L´ıcio de
Geus
SBSEG 2018
Malicious Linux Binaries: A Landscape

2. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Agenda
1 Motivation
Motivation
2 Dataset Description
Dataset Description
3 Methodology
Methodology
4 Analysis
Static Analysis
Dynamic Analysis
5 Case Studies
Case Studies
6 Conclusion
Conclusion
Malicious Linux Binaries: A Landscape

3. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Motivation
Agenda
1 Motivation
Motivation
2 Dataset Description
Dataset Description
3 Methodology
Methodology
4 Analysis
Static Analysis
Dynamic Analysis
5 Case Studies
Case Studies
6 Conclusion
Conclusion
Malicious Linux Binaries: A Landscape

4. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Motivation
Are there Linux malware?
Figure: Erebus ransomware attacks South Korean internet provider.
Malicious Linux Binaries: A Landscape

5. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Dataset Description
Agenda
1 Motivation
Motivation
2 Dataset Description
Dataset Description
3 Methodology
Methodology
4 Analysis
Static Analysis
Dynamic Analysis
5 Case Studies
Case Studies
6 Conclusion
Conclusion
Malicious Linux Binaries: A Landscape

6. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Dataset Description
Binaries Architectures
0%
10%
20%
30%
40%
50%
60%
ARM
Intel80386
MIPS
Motorolam68k
PowerPC
RenesasSH
SPARC
x86−64
PercentageofSamples
Architectures
Percentage of sampled Linux malware separated by architecture
Figure: ELF binary samples distributed by architectures.
Malicious Linux Binaries: A Landscape

7. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Methodology
Agenda
1 Motivation
Motivation
2 Dataset Description
Dataset Description
3 Methodology
Methodology
4 Analysis
Static Analysis
Dynamic Analysis
5 Case Studies
Case Studies
6 Conclusion
Conclusion
Malicious Linux Binaries: A Landscape

8. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Methodology
Analysis Techniques
Table: Adopted strategy to handle evasive samples.
Technique Tool Evasion Countermeasure
Static analysis
objdump
obfuscation Dynamic analysisfile
strings
Dynamic analysis
ltrace Static compilation ptrace step-by-step
ptrace ptrace check binary patching
strace Long sleep LD PRELOAD
LD PRELOAD Injection blocking Kernel hooks
Malicious Linux Binaries: A Landscape

9. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Static Analysis
Agenda
1 Motivation
Motivation
2 Dataset Description
Dataset Description
3 Methodology
Methodology
4 Analysis
Static Analysis
Dynamic Analysis
5 Case Studies
Case Studies
6 Conclusion
Conclusion
Malicious Linux Binaries: A Landscape

10. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Static Analysis
Malware Behavior Taxonomy
Table: Identified invoked system calls.
Network Evasion Environment Removal Timing Memory Modularity
socket fork gettimeofday unlink time mmap execve
connect kill access rmdir wait munmap fork
poll ptrace uname kill nanosleep mprotect clone
select ioctl exit
getsockname getppid
Malicious Linux Binaries: A Landscape

11. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Static Analysis
Objdump
0%
10%
20%
30%
40%
50%
60%
70%
80%
Intel
80386
ARM x86−64 MIPS SPARC
PercentageofSamples
Architectures
Percentage of Linux malware who evade Objdump analysis
Figure: Percentage of malware that failed to dissasembly.
Malicious Linux Binaries: A Landscape

12. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Static Analysis
Static Functions
0%
10%
20%
30%
40%
50%
ARM Intel
80386
MIPS SPARC x86−64
PercentageofSamples
Architectures
Types of functions found in malware from different Linux architectures.
Network
Evasion
Environment
Removal
Timing
Figure: Malware behavior prevalence by malware architectures.
Malicious Linux Binaries: A Landscape

13. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Static Analysis
Network Strings
0%
5%
10%
15%
20%
25%
30%
35%
40%
45%
Mail Url IP
PercentageofSamples
Network Strings
Percentage of samples with network strings and percentage of unique strings
Samples
Unique strings
Figure: Network-Related Strings. Rate of samples with network related
strings.
Malicious Linux Binaries: A Landscape

14. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Static Analysis
Packer
2%
4%
6%
MIPS
Intel80386
ARM
x86−64
PercentageofSamples
Architectures
Percentage of Linux malware that utilize UPX packer
Figure: Rate of UPX-packed samples. Few samples are packed.
Malicious Linux Binaries: A Landscape

15. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Static Analysis
AV Labels
0%
5%
10%
15%
20%
25%
30%
Spoofer
DoS
Trojan
Flooder
Worm
HackTool
Rootkit
Backdoor
Virus
Exploit
PercentageofSamples
Malware category
Malware category as defined by Kaspersky
Figure: AV labels according Kaspersky AV. We observe a prevalence of
exploits
Malicious Linux Binaries: A Landscape

16. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Static Analysis
Clusters
0%
1%
10%
100%
0 10 20 30 40 50 60 70 80 90 100
PercentofClusters(logarithmscale)
Cluster Size
Percentage of clusters with varying amount of samples per cluster
Figure: Samples variants clustering. Smaller clusters are prevalent.
Malicious Linux Binaries: A Landscape

17. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Dynamic Analysis
Agenda
1 Motivation
Motivation
2 Dataset Description
Dataset Description
3 Methodology
Methodology
4 Analysis
Static Analysis
Dynamic Analysis
5 Case Studies
Case Studies
6 Conclusion
Conclusion
Malicious Linux Binaries: A Landscape

18. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Dynamic Analysis
Timeout Signals
0%
2%
4%
6%
8%
10%
12%
14%
16%
18%
SIGKILL SIGTERM SIGSEGV
PercentageofSamples
Signals
Signals sent during execution of Linux malware
Internal
External
Figure: Observed Signals during execution.
Malicious Linux Binaries: A Landscape

19. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Dynamic Analysis
Behavior
0%
20%
40%
60%
80%
100%
Network
Evasion
Environment
Removal
Timing
Memory
Modularity
PercentageofSamples
Behavior
Percentage of samples with considered behavior
Intel x86−64
Intel 80386
Figure: Malware behavior prevalence.
Malicious Linux Binaries: A Landscape

20. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Dynamic Analysis
Acessed Files
0%
10%
20%
30%
40%
50%
/home /var passwd
and shadow
resolv.conf /proc
PercentageofSamples
Percentage of Linux malware who atempt to access
secure files or directories
Figure: Accessed files and directories.
Malicious Linux Binaries: A Landscape

21. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Dynamic Analysis
I/O Operations
0%
10%
20%
30%
40%
50%
60%
Write
to stdout
Write
to file
Read
from stdin
Read
from file
PercentageofSamples
I/O operation
Percentage of I/O operations by Linux malware
Figure: I/O operations. Most samples do not present direct user
interaction.
Malicious Linux Binaries: A Landscape

22. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Dynamic Analysis
Evasion
0%
10%
20%
30%
40%
50%
Ptrace PRELOAD
Evasion
Sleep Ltrace
Evasion
Fork
PercentageofSamples
Technique
Evasion techniques
Figure: Evasion Techniques. Samples present diversified evasion methods.
Malicious Linux Binaries: A Landscape

23. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Dynamic Analysis
Network
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
80386 x86−64
Percentage
Architectures
Identified network usage
Samples
Unique IP with scanners
Unique IP without scanners
Figure: Identified network usage. Scanners dominate unique IP rate.
Malicious Linux Binaries: A Landscape

24. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Dynamic Analysis
Domains
0%
5%
10%
15%
20%
25%
30%
35%
40%
45%
.nl .ca .tr .de .cn .jp .br .com .net
PercentageofUrl
Domains
TLD distribution
Figure: TLD distribution. Global domains are prevalent. Local domains
are present due to scanners enumeration.
Malicious Linux Binaries: A Landscape

25. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Case Studies
Agenda
1 Motivation
Motivation
2 Dataset Description
Dataset Description
3 Methodology
Methodology
4 Analysis
Static Analysis
Dynamic Analysis
5 Case Studies
Case Studies
6 Conclusion
Conclusion
Malicious Linux Binaries: A Landscape

26. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Case Studies
SSH Backdoor
Figure: Execution flow of backdoor malware with SSH injection.
Malicious Linux Binaries: A Landscape

27. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Case Studies
SSH Backdoor
Listing 1: Backdoor sample in action. It drops attacker key into the
system, thus granting remote access.
1 malloc (381) = 0x2083c60
2 s t r l e n (”PPK016QPB003 bbbba 020mYB‘022Z@021
fbbbbgbrba ” . . . )
3 s t r c a t (”” , ” ssh−rsa AAAAB3NzaC1yc2EAAAADAQAB ” . . . )
Malicious Linux Binaries: A Landscape

28. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Case Studies
Erebus
Figure: Execution flow of Erebus ransomware.
Malicious Linux Binaries: A Landscape

29. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Case Studies
Erebus
Listing 2: Erebus Execution. It connects to runtime-generated IP
addresses and to TOR-based hidden services and onion domains.
1 strncmp(””−−−−−BEGIN PUBLIC KEY−−−−−nMII ” . . . , ”
n u l l ” , 4)
2 strncmp (”3 ,” tg ”:”216.126.224.128/24” ,” bu ” . . . , ”
n u l l ” , 4)
3 strncmp (””7 f v 4 v g 4 n 2 6 c x l e e l . h i d d e n s e r v i c e . ” . . . , ”
n u l l ” , 4)
4 strncmp (”” qzjordhlw5mqhcn7 . onion . to ” ,” qzj ” . . . , ”
true ” , 4)
Malicious Linux Binaries: A Landscape

30. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Conclusion
Agenda
1 Motivation
Motivation
2 Dataset Description
Dataset Description
3 Methodology
Methodology
4 Analysis
Static Analysis
Dynamic Analysis
5 Case Studies
Case Studies
6 Conclusion
Conclusion
Malicious Linux Binaries: A Landscape

31. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Conclusion
Conclusion
The threat of Linux malware is real.
Ability to infect multiple systems.
High use of network.
Diverse evasion techniques.
Malicious Linux Binaries: A Landscape

32. Motivation Dataset Description Methodology Analysis Case Studies Conclusion
Conclusion
Questions, Critics and Sugestions.
Contact
galante@lasca.ic.unicamp.br
Complete version
https://github.com/marcusbotacin/Linux.Malware
Malicious Linux Binaries: A Landscape