Table Of ContentLinux Malware Incident Response: A
Practitioner’s Guide to Forensic
Collection and Examination of
Volatile Data
An Excerpt from Malware Forensics
Field Guide for Linux Systems
Cameron H. Malin
Eoghan Casey
James M. Aquilina
Table of Contents
Cover image
Title page
Dedication
Copyright
Introduction
How To Use This Book
Investigative Approach
Forensic Analysis In Malware Investigations
Applying Forensics To Malware
From Malware Analysis To Malware Forensics
Chapter 1. Linux Malware Incident Response
Introduction
Volatile Data Collection Methodology
Nonvolatile Data Collection From A Live Linux System
Conclusion
Appendix 1
Incident Response Tool Suites
Remote Collection Tools
Volatile Data Collection And Analysis Tools
Collecting Subject System Details
Identifying Users Logged Into The System
Network Connections And Activity
Process Analysis
Loaded Modules
Opened Files
Command History
Appendix 2
Live Response: Field Notes
Appendix 3
Live Response: Field Interview Questions
Appendix 4
Pitfalls To Avoid
Selected Readings
Dedication
The material in this book is excerpted
from Malware Forensics Field Guide for
Linux Systems
For more First Look titles and Syngress
offers go to
store.elsevier.com/SyngressFirstLook
Copyright
Syngress is an imprint of Elsevier
The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, UK
225 Wyman Street, Waltham, MA 02451, USA
First published 2013
Copyright © 2013 Elsevier Inc. All rights reserved No part of this publication
may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or any information storage and
retrieval system, without permission in writing from the publisher. Details on
how to seek permission, further information about the Publisher’s permissions
policies and our arrangement with organizations such as the Copyright Clearance
Center and the Copyright Licensing Agency, can be found at our website:
www.elsevier.com/permissions
This book and the individual contributions contained in it are protected under
copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing.
As new research and experience broaden our understanding,
changes in research methods, professional practices, or medical
treatment may become necessary.
Practitioners and researchers must always rely on their own
experience and knowledge in evaluating and using any information,
methods, compounds, or experiments described herein. In using
such information or methods they should be mindful of their own
safety and the safety of others, including parties for whom they have
a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors,
contributors, or editors, assume any liability for any injury and/or
damage to persons or property as a matter of products liability,
negligence or otherwise, or from any use or operation of any
methods, products, instructions, or ideas contained in the material
herein.
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library Library of
Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress ISBN:
978-0-12409507-6
For information on all Syngress publications visit our website at
store.elsevier.com
This book has been manufactured using Print On Demand technology. Each
copy is produced to order and is limited to black ink. The online version of this
book will show color figures where appropriate.
Introduction
Since the publication of Malware Forensics: Investigating and Analyzing
1
Malicious Code in 2008, the number and complexity of programs developed for
malicious and illegal purposes have grown substantially. The most current
Symantec Internet Security Threat Report announced that over 403 million new
2
threats emerged in 2011. Other antivirus vendors, including F-Secure, document
a recent increase in malware attacks against mobile devices (particularly the
Android platform) and Mac OS X, and in attacks conducted by more
3
sophisticated and organized hacktivists and state-sponsored actors.
In the past, malicious code has been categorized neatly (e.g., viruses, worms,
or Trojan Horses) based upon functionality and attack vector. Today, malware is
often modular and multifaceted, more of a “blended-threat” with diverse
functionality and means of propagation. Much of this malware has been
developed to support increasingly organized, professional computer criminals.
Indeed, criminals are making extensive use of malware to control computers and
4
steal personal, confidential, or otherwise proprietary information for profit. In
5
Operation Trident Breach, hundreds of individuals were arrested for their
involvement in digital theft using malware such as Zeus. A thriving gray market
ensures that today’s malware is professionally developed to avoid detection by
current AntiVirus programs, thereby remaining valuable and available to any
cyber-savvy criminal group.
Of growing concern is the development of malware to disrupt power plants
and other critical infrastructure through computers, referred to by some as
cyberwarfare. The StuxNet and Duqu malware that has emerged in the past few
6
years powerfully demonstrates the potential for such attacks. This sophisticated
malware enabled the attackers to alter the operation of industrial systems, like
those in a nuclear reactor, by accessing programmable logic controllers
connected to the target computers. Such attacks could shut down a power plant
or other components of a society’s critical infrastructure, potentially causing
significant harm to people in a targeted region.
Foreign governments are funding teams of highly skilled hackers to develop
7
customized malware to support industrial and military espionage. The intrusion
into Google’s systems demonstrates the advanced and persistent capabilities of
8
such attackers. These types of well-organized attacks are designed to maintain
long-term access to an organization’s network, a form of Internet-enabled
espionage known as the “Advanced Persistent Threat” (APT). The increasing
use of malware to commit espionage, crimes, and launch cyber attacks is
compelling more digital investigators to make use of malware analysis
techniques and tools that were previously the domain of antivirus vendors and
security researchers.
In addition, antisecurity groups such as AntiSec, Anonymous, and LulzSec are
gaining unauthorized access to computer systems using a wide variety of
9
techniques and malicious tools.
Whether to support mobile, cloud, or IT infrastructure needs, more and more
mainstream companies are moving these days toward implementations of Linux
10
and other opensource platforms within their environments. However, while
malware developers often target Windows platforms due to market share and
operating system prevalence, Linux systems are not immune to the malware
scourge. Because Linux has maintained many of the same features and
components over the years, some rootkits that have been in existence since 2004
are still being used today. For instance, the Adore rootkit, trojanized system
binaries, and SSH servers are still being used on compromised Linux systems,
including variants that are not detected by Linux security tools and antivirus
software. Furthermore, there have been many new malware permutations—
backdoors, Trojan Horses, worms, rootkits, and blended-threats—that have
targeted Linux.
Over the last five years, computer intruders have demonstrated increased
efforts and ingenuity in Linux malware attacks. Linux botnets have surfaced
11
with infection vectors geared toward Web servers and attack functionality
12
focused on brute-force access to systems with weak SSH credentials. Success
of popular Windows-based malware has inspired malware attackers to develop
cross-platform variants in an effort to maximize infection potential, as
demonstrated by the Java-based Trojan.Jnanabot that attacked Linux and
13 14
Macintosh systems in 2011 and the cross-platform Wirenet Trojan in 2012.
Perhaps of greatest concern are the coordinated, targeted attacks against Linux
systems. For several years, organized groups of attackers have been infiltrating
Linux systems, apparently for the sole purpose of stealing information. Some of
these attackers use advanced malware designed to undermine common security
measures such as user authentication, firewalls, intrusion detection systems, and
network vulnerability scanners. For instance, rather than opening their own
listening port, which could trigger security alerts, many of these Linux rootkits
inject/hijack existing running services. In addition, these rootkits check
incoming connections for special “backdoor” characteristics to determine
whether a remote connection actually belongs to the intruder and make it more
difficult to detect the presence of a backdoor using network vulnerability
scanners. These malicious applications also have the capability to communicate
with command and control (C2) servers and exfiltrate data from compromise
Linux systems, including devices running Android.
For example, the Phalanx2 rootkit made its public appearance in 2008 when it
15
was discovered by the U.S. Computer Emergency Readiness Team (CERT).
This permutation of Phalanx leveraged previously compromised Linux systems
that were accessed using stolen SSH keys and further compromised with kernel
exploits to gain root access. With root privileges, the attackers installed Phalanx2
and used utilities such as sshgrab.py to capture SSH keys and user passwords on
the infected systems and exfiltrate the stolen credentials (often along with other
information) in an effort to perpetuate the attack cycle. In 2011, Phalanx made
headlines again after being used by attackers to compromise major opensource
16
project repositories.
These trends in malware incidents targeting Linux systems, combined with the
ability of modern Linux malware to avoid common security measures, make
malware incident response and forensics a critical component of any risk
management strategy in any organization that utilizes Linux systems.
This Practitioner’s Guide was developed to provide practitioners with the core
knowledge, skills, and tools needed to combat this growing onslaught against
Linux computer systems.
How to Use This book
This book is intended to be used as a tactical reference while in the field.
This Practitioner’s Guide is designed to help digital investigators identify
malware on a Linux computer system, collect volatile (and relevant
nonvolatile) system data to further investigation, and determine the impact
malware makes on a subject system, all in a reliable, repeatable, defensible,
and thoroughly documented manner.
