Unix malware analysis after break-in presented at Virus Bulletin 2002

by Aleksander Czarnowski (Avet information and network security)

Tags: Security

URL: http://www.virusbtn.com/conference/vb2002/abstracts/unix_malware.xml

Summary: If you look at the CERT/CC annual report for the year 2001 you might be surprised. Of the six most common intruder activities, five are network and email worms. The only remaining type of activity is a remotely exploitable buffer overflow in older versions of BIND. If you look at the February 2002 issue of Virus Bulletin you will find an analysis of the RST virus and backdoor (see VB, February 2002, p.7). Intruders are exploiting the possibilities of malware more than ever before.

This paper will inspect possible infection vectors on Unix systems and present problems with the detection and analysis of malware found in the wild. The scenario used in the paper presumes that the system has been compromised before our analysis begins. I will describe features available on many Unix systems, such as Loadable Kernel Modules (LKM) and stealth techniques used to hide an intruder's presence, the ELF file format, and common local and remote vulnerabilities used by malware such as worms and rootkits. Further, I will describe different methods of detecting infection and the problems involved in rootkit disinfection. This paper also discusses the use of polymorphism in exploit code to make detection of attacks at the network level much more difficult. Last but not least, I will inspect the security (and its pitfalls) of the chroot environment from the malware perspective.
Part of the material presented comes from real-life incidents that have happened during the last year.