AUTOMATING LINUX MALWARE ANALYSIS USING LIMON SANDBOX, presented at Black Hat EU 2015

by Monnappa K A,

Summary: A large number of devices run Linux because of its flexibility and open source nature. This has made the Linux platform a target for malware, so analyzing Linux malware has become important. Today there is a need to analyze Linux malware in an automated way in order to understand its capabilities.

Limon is a sandbox developed as a research project and written in Python, which automatically collects, analyzes, and reports on the run-time indicators of Linux malware. It allows an analyst to inspect the malware before execution, during execution, and after execution (post-mortem analysis) by performing static, dynamic, and memory analysis using open source tools. Apart from displaying the characteristics of the ELF binary, Limon runs the malware in a controlled environment and monitors its activities and those of its child processes to determine the nature and purpose of the malware. It records the malware's process activity and its interaction with the file system, network, and memory, and it also stores the analyzed artifacts for later post-mortem analysis. Since Limon relies on open source tools, it is easy for any security analyst to set up a personal sandbox for Linux malware analysis. The presentation will touch on the implementation details of the sandbox and will present a video demo showing the analysis of real-world Linux malware samples using Limon.