Dealing with Linux Malware

We often hear that viruses do not affect Linux systems. If only that were true... To understand why malware exists in the first place, we look at the reasons evildoers have for creating harmful software. Once that is clear, we define several types of malware and then focus on one very particular kind: the rootkit. A quick course in the cleverness of rootkits follows, together with the challenges they pose for detection. We close the session with tips on detection and prevention.


  1. Dealing with Linux Malware: Rootkits, Backdoors, and More... Utrecht, 19 March 2016. Michael Boelen, michael.boelen@cisofy.com
  2. Agenda Today: 1. How do “they” get in 2. Why? 3. Malware types 4. In-depth: rootkits 5. Defenses
  3. Interactive ● Ask ● Share ● Presentation
  4. Michael Boelen ● Security Tools ○ Rootkit Hunter (malware scan) ○ Lynis (security audit) ● 150+ blog posts ● Founder of CISOfy
  5. How do “they” get in
  6. Intrusions ● Simple passwords ● Vulnerabilities ● Weak configurations ● Clicking on attachments ● Open infected programs
  7. Why?
  8. Why? ● Spam ● Botnet
  9. (image slide, no text)
  10. Types
  11. Types ● Virus ● Worm ● Backdoor ● Dropper ● Rootkit
  12. Rootkits 101
  13. Rootkits ● (become | stay) root ● (software) kit
  14. Rootkits ● Stealth ● Persistence ● Backdoor
  15. How to be the best rootkit?
  16. Hiding ★ In plain sight! /etc/sysconfig/… /tmp/mysql.sock /bin/audiocnf
  17. Hiding ★★ Slightly advanced ● Rename processes ● Delete file from disk ● Backdoor binaries
  18. Hiding ★★★ Advanced ● Kernel modules ● Change system calls ● Hidden passwords
  19. Demo
  20. Demo
  21. Demo
  22. Rootkit Hunter: Detect the undetectable!
  23. Challenges ● We can’t trust anything ● Even ourselves ● No guarantees
  24. Continuous Game
  25. Defense
  26. Defenses, at least: ● Perform security scans ● Protect your data ● System hardening
  27. Scanning » Scanners ● Viruses → ClamAV ● Backdoors → LMD ● Rootkits → Chkrootkit / rkhunter
  28. Scanning » File Integrity ● Changes ● Powerful detection ● Noise. Tools: AIDE / Samhain
  29. System Hardening » Lynis ● Linux / UNIX ● Open source ● Shell ● Health scan
  30. Conclusions
  31. Conclusions ● Challenge: rootkits are hard to detect ● Prevent: system hardening ● Detect: recognize quickly, and act
  32. You finished this presentation. Success!
  33. More Linux security? Presentations: michaelboelen.com/presentations/ Follow ● Blog Linux Audit (linux-audit.com) ● Twitter @mboelen
  34. (image slide, no text)
