Linux Malware Incident Response: A Practitioner’s Guide to Forensic Collection and Examination of Volatile Data An Excerpt from Malware Forensics Field Guide for Linux Systems Cameron H. Malin Eoghan Casey James M. Aquilina Table of Contents Cover image Title page Dedication Copyright Introduction How To Use This Book Investigative Approach Forensic Analysis In Malware Investigations Applying Forensics To Malware From Malware Analysis To Malware Forensics Chapter 1. Linux Malware Incident Response Introduction Volatile Data Collection Methodology Nonvolatile Data Collection From A Live Linux System Conclusion Appendix 1 Incident Response Tool Suites Remote Collection Tools Volatile Data Collection And Analysis Tools Collecting Subject System Details Identifying Users Logged Into The System Network Connections And Activity Process Analysis Loaded Modules Opened Files Command History Appendix 2 Live Response: Field Notes Appendix 3 Live Response: Field Interview Questions Appendix 4 Pitfalls To Avoid Selected Readings Dedication The material in this book is excerpted from Malware Forensics Field Guide for Linux Systems For more First Look titles and Syngress offers go to store.elsevier.com/SyngressFirstLook Copyright Syngress is an imprint of Elsevier The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, UK 225 Wyman Street, Waltham, MA 02451, USA First published 2013 Copyright © 2013 Elsevier Inc. All rights reserved No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangement with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein). Notices Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility. To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein. British Library Cataloguing-in-Publication Data A catalogue record for this book is available from the British Library Library of Congress Cataloging-in-Publication Data A catalog record for this book is available from the Library of Congress ISBN: 978-0-12409507-6 For information on all Syngress publications visit our website at store.elsevier.com This book has been manufactured using Print On Demand technology. Each copy is produced to order and is limited to black ink. The online version of this book will show color figures where appropriate. Introduction Since the publication of Malware Forensics: Investigating and Analyzing 1 Malicious Code in 2008, the number and complexity of programs developed for malicious and illegal purposes have grown substantially. The most current Symantec Internet Security Threat Report announced that over 403 million new 2 threats emerged in 2011. Other antivirus vendors, including F-Secure, document a recent increase in malware attacks against mobile devices (particularly the Android platform) and Mac OS X, and in attacks conducted by more 3 sophisticated and organized hacktivists and state-sponsored actors. In the past, malicious code has been categorized neatly (e.g., viruses, worms, or Trojan Horses) based upon functionality and attack vector. Today, malware is often modular and multifaceted, more of a “blended-threat” with diverse functionality and means of propagation. Much of this malware has been developed to support increasingly organized, professional computer criminals. Indeed, criminals are making extensive use of malware to control computers and 4 steal personal, confidential, or otherwise proprietary information for profit. In 5 Operation Trident Breach, hundreds of individuals were arrested for their involvement in digital theft using malware such as Zeus. A thriving gray market ensures that today’s malware is professionally developed to avoid detection by current AntiVirus programs, thereby remaining valuable and available to any cyber-savvy criminal group. Of growing concern is the development of malware to disrupt power plants and other critical infrastructure through computers, referred to by some as cyberwarfare. The StuxNet and Duqu malware that has emerged in the past few 6 years powerfully demonstrates the potential for such attacks. This sophisticated malware enabled the attackers to alter the operation of industrial systems, like those in a nuclear reactor, by accessing programmable logic controllers connected to the target computers. Such attacks could shut down a power plant or other components of a society’s critical infrastructure, potentially causing significant harm to people in a targeted region. Foreign governments are funding teams of highly skilled hackers to develop 7 customized malware to support industrial and military espionage. The intrusion into Google’s systems demonstrates the advanced and persistent capabilities of 8 such attackers. These types of well-organized attacks are designed to maintain long-term access to an organization’s network, a form of Internet-enabled espionage known as the “Advanced Persistent Threat” (APT). The increasing use of malware to commit espionage, crimes, and launch cyber attacks is compelling more digital investigators to make use of malware analysis techniques and tools that were previously the domain of antivirus vendors and security researchers. In addition, antisecurity groups such as AntiSec, Anonymous, and LulzSec are gaining unauthorized access to computer systems using a wide variety of 9 techniques and malicious tools. Whether to support mobile, cloud, or IT infrastructure needs, more and more mainstream companies are moving these days toward implementations of Linux 10 and other opensource platforms within their environments. However, while malware developers often target Windows platforms due to market share and operating system prevalence, Linux systems are not immune to the malware scourge. Because Linux has maintained many of the same features and components over the years, some rootkits that have been in existence since 2004 are still being used today. For instance, the Adore rootkit, trojanized system binaries, and SSH servers are still being used on compromised Linux systems, including variants that are not detected by Linux security tools and antivirus software. Furthermore, there have been many new malware permutations— backdoors, Trojan Horses, worms, rootkits, and blended-threats—that have targeted Linux. Over the last five years, computer intruders have demonstrated increased efforts and ingenuity in Linux malware attacks. Linux botnets have surfaced 11 with infection vectors geared toward Web servers and attack functionality 12 focused on brute-force access to systems with weak SSH credentials. Success of popular Windows-based malware has inspired malware attackers to develop cross-platform variants in an effort to maximize infection potential, as demonstrated by the Java-based Trojan.Jnanabot that attacked Linux and 13 14 Macintosh systems in 2011 and the cross-platform Wirenet Trojan in 2012. Perhaps of greatest concern are the coordinated, targeted attacks against Linux systems. For several years, organized groups of attackers have been infiltrating Linux systems, apparently for the sole purpose of stealing information. Some of these attackers use advanced malware designed to undermine common security measures such as user authentication, firewalls, intrusion detection systems, and network vulnerability scanners. For instance, rather than opening their own listening port, which could trigger security alerts, many of these Linux rootkits inject/hijack existing running services. In addition, these rootkits check incoming connections for special “backdoor” characteristics to determine whether a remote connection actually belongs to the intruder and make it more difficult to detect the presence of a backdoor using network vulnerability scanners. These malicious applications also have the capability to communicate with command and control (C2) servers and exfiltrate data from compromise Linux systems, including devices running Android. For example, the Phalanx2 rootkit made its public appearance in 2008 when it 15 was discovered by the U.S. Computer Emergency Readiness Team (CERT). This permutation of Phalanx leveraged previously compromised Linux systems that were accessed using stolen SSH keys and further compromised with kernel exploits to gain root access. With root privileges, the attackers installed Phalanx2 and used utilities such as sshgrab.py to capture SSH keys and user passwords on the infected systems and exfiltrate the stolen credentials (often along with other information) in an effort to perpetuate the attack cycle. In 2011, Phalanx made headlines again after being used by attackers to compromise major opensource 16 project repositories. These trends in malware incidents targeting Linux systems, combined with the ability of modern Linux malware to avoid common security measures, make malware incident response and forensics a critical component of any risk management strategy in any organization that utilizes Linux systems. This Practitioner’s Guide was developed to provide practitioners with the core knowledge, skills, and tools needed to combat this growing onslaught against Linux computer systems. How to Use This book This book is intended to be used as a tactical reference while in the field. This Practitioner’s Guide is designed to help digital investigators identify malware on a Linux computer system, collect volatile (and relevant nonvolatile) system data to further investigation, and determine the impact malware makes on a subject system, all in a reliable, repeatable, defensible, and thoroughly documented manner.