Upload
doantruc
View
233
Download
4
Embed Size (px)
Citation preview
Dealing withLinux Malware
Rootkits, Backdoors, and More...
Utrecht, 19 March 2016
Michael [email protected]
Agenda
Today1. How do “they” get in2. Why?3. Malware types4. In-depth: rootkits5. Defenses
2
Interactive
● Ask● Share● Presentation
3
Michael Boelen
● Security Tools○ Rootkit Hunter (malware scan)
○ Lynis (security audit)
● 150+ blog posts
● Founder of CISOfy
4
How do “they” get in
Intrusions
● Simple passwords● Vulnerabilities● Weak configurations● Clicking on attachments● Open infected programs
6
Why?
Why?
● Spam● Botnet
8
9
Types
● Virus● Worm● Backdoor● Dropper● Rootkit
Types
11
Rootkits 101
Rootkits
● (become | stay) root● (software) kit
13
Rootkits
● Stealth● Persistence● Backdoor
14
How to be the best rootkit?
Hiding ★
In plain sight!
/etc/sysconfig/…/tmp/mysql.sock/bin/audiocnf
16
Hiding ★★
Slightly advanced
● Rename processes● Delete file from disk● Backdoor binaries
17
Hiding ★★★
Advanced
● Kernel modules● Change system calls● Hidden passwords
18
Demo
Demo
20
Demo
21
Rootkit Hunter
Detect theundetectable!
22
Challenges
● We can’t trust anything● Even ourselves● No guarantees
24
Continuous Game
25
Defense
Defenses
At least● Perform security scans● Protect your data● System hardening
27
Scanning » Scanners
● Viruses → ClamAV● Backdoors → LMD● Rootkits → Chkrootkit / rkhunter
28
Scanning » File Integrity
● Changes● Powerful detection● Noise
AIDE / Samhain
29
System Hardening » Lynis
● Linux / UNIX● Open source● Shell● Health scan
30
Conclusions
Conclusions
● Challenge: rootkits are hard to detect
● Prevent: system hardening
● Detect: recognize quickly, and act
32
You finished this presentation
Success!
More Linux security?
Presentationsmichaelboelen.com/presentations/
Follow● Blog Linux Audit (linux-audit.com)● Twitter @mboelen
34
35