Linux Malware: Rootkits, Backdoors, and More... Michael Boelen (PowerPoint presentation)

  1. Dealing with Linux Malware: Rootkits, Backdoors, and More...
    Michael Boelen, michael.boelen@cisofy.com
    Utrecht, 19 March 2016

  2. Agenda Today
    1. How do “they” get in
    2. Why?
    3. Malware types
    4. In-depth: rootkits
    5. Defenses

  3. Interactive
    ● Ask
    ● Share
    ● Presentation

  4. Michael Boelen
    ● Security Tools
      ○ Rootkit Hunter (malware scan)
      ○ Lynis (security audit)
    ● 150+ blog posts
    ● Founder of CISOfy

  5. How do “they” get in

  6. Intrusions
    ● Simple passwords
    ● Vulnerabilities
    ● Weak configurations
    ● Clicking on attachments
    ● Opening infected programs

  7. Why?

  8. Why?
    ● Spam
    ● Botnet

  10. Types

  11. Types
    ● Virus
    ● Worm
    ● Backdoor
    ● Dropper
    ● Rootkit

  12. Rootkits 101

  13. Rootkits
    ● (become | stay) root
    ● (software) kit

  14. Rootkits
    ● Stealth
    ● Persistence
    ● Backdoor

  15. How to be the best rootkit?

  16. Hiding ★ In plain sight!
    /etc/sysconfig/…
    /tmp/mysql.sock
    /bin/audiocnf

  17. Hiding ★★ Slightly advanced
    ● Rename processes
    ● Delete file from disk
    ● Backdoor binaries

  18. Hiding ★★★ Advanced
    ● Kernel modules
    ● Change system calls
    ● Hidden passwords

  19. Demo

  20. Demo

  21. Demo

  22. Rootkit Hunter: Detect the undetectable!

  23. Challenges
    ● We can’t trust anything
    ● Even ourselves
    ● No guarantees

  24. Continuous Game

  25. Defense

  26. Defenses: At least
    ● Perform security scans
    ● Protect your data
    ● System hardening

  27. Scanning » Scanners
    ● Viruses → ClamAV
    ● Backdoors → LMD
    ● Rootkits → Chkrootkit / rkhunter

  28. Scanning » File Integrity
    ● Changes
    ● Powerful detection
    ● Noise
    AIDE / Samhain
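The file integrity idea on this slide, as an added example that is not part of the deck and not code from AIDE or Samhain: build a SHA-256 baseline of a tree, compare it later, and filter known-noisy paths so that real changes stand out. The directory layout, the NOISE_PREFIXES tuple and the scenario in demo() are constructed for illustration; in practice the baseline is stored off-host, since (as slide 23 notes) a compromised system can't be trusted to keep it honest.

```python
import hashlib
import os
import tempfile

# Paths that churn on a live system: excluding them cuts noise but blinds the check there.
NOISE_PREFIXES = ("var/log/",)

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full) or rel.startswith(NOISE_PREFIXES):
                continue
            baseline[rel] = sha256_of(full)
    return baseline

def compare(baseline, current):
    """Report added, removed and modified files between two baselines."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }

def write(root, rel, data, mode="wb"):  # test helper: create rel under root
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode) as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a tree, then replace a binary, drop a
    file in tmp/ and append to a log; only the first two should be reported."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/ls", b"ELF-ls")
        write(root, "bin/ps", b"ELF-ps")
        write(root, "var/log/syslog", b"boot ok\n")
        before = build_baseline(root)  # in practice, store this off-host
        write(root, "bin/ps", b"ELF-ps-backdoored")        # modified binary
        write(root, "tmp/mysql.sock", b"not a socket")      # new file in plain sight
        write(root, "var/log/syslog", b"cron run\n", "ab")  # expected noise
        return compare(before, build_baseline(root))
```

The unchanged bin/ls is not reported and the log append is filtered, which is the noise trade-off the slide points at: every prefix you exclude is a place where a change goes unseen.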

  29. System Hardening » Lynis
    ● Linux / UNIX
    ● Open source
    ● Shell
    ● Health scan

  30. Conclusions

  31. Conclusions
    ● Challenge: rootkits are hard to detect
    ● Prevent: system hardening
    ● Detect: recognize quickly, and act

  32. Success! You finished this presentation

  33. More Linux security?
    Presentations: michaelboelen.com/presentations/
    Follow
    ● Blog: Linux Audit (linux-audit.com)
    ● Twitter: @mboelen
