Understanding Linux Malware Emanuele Cozzi1, Mariano Graziano2, Yanick Fratantonio1, Davide Balzarotti1 1EURECOM 2Cisco Systems, Inc. IEEE Symposium on Security & Privacy, May 2018 Malware and operating systems Malware and operating systems OutlawCountry Erebus Linux malware on the rise Mirai OutlawCountry Linux malware on the rise Mirai Erebus Linux malware on the rise OutlawCountry Mirai Erebus Linux malware on the rise OutlawCountry Mirai Erebus 12 I Previous studies only looked at the network behavior • Identify challenges and limitations of porting traditional techniques to the new environment • Understand differences in the malware characteristics (packing, obfuscantion, VM detection, privilege excalation, persistence...) wrt Windows malware Objectives • Develop a dynamic analysis sandbox for Linux binaries (and IoT devices) • Identify challenges and limitations of porting traditional techniques to the new environment • Understand differences in the malware characteristics (packing, obfuscantion, VM detection, privilege excalation, persistence...) wrt Windows malware Objectives • Develop a dynamic analysis sandbox for Linux binaries (and IoT devices) 12 I Previous studies only looked at the network behavior 1Antonakakis et al. "Understanding the mirai botnet," USENIX Security Symposium 2017. 2Yin Minn Pa et al. "IoTPOT: analysing the rise of IoT compromises," USENIX Workshop on Offensive Technologies 2015. • Understand differences in the malware characteristics (packing, obfuscantion, VM detection, privilege excalation, persistence...) wrt Windows malware Objectives • Develop a dynamic analysis sandbox for Linux binaries (and IoT devices) 12 I Previous studies only looked at the network behavior • Identify challenges and limitations of porting traditional techniques to the new environment 1Antonakakis et al. "Understanding the mirai botnet," USENIX Security Symposium 2017. 2Yin Minn Pa et al. "IoTPOT: analysing the rise of IoT compromises," USENIX Workshop on Offensive Technologies 2015. Objectives • Develop a dynamic analysis sandbox for Linux binaries (and IoT devices) 12 I Previous studies only looked at the network behavior • Identify challenges and limitations of porting traditional techniques to the new environment • Understand differences in the malware characteristics (packing, obfuscantion, VM detection, privilege excalation, persistence...) wrt Windows malware 1Antonakakis et al. "Understanding the mirai botnet," USENIX Security Symposium 2017. 2Yin Minn Pa et al. "IoTPOT: analysing the rise of IoT compromises," USENIX Workshop on Offensive Technologies 2015. Diversity Target devices Diversity Target devices Target devices Diversity , ARM, MIPS, Motorola, Sparc Statically-linked ELF unportable OS: Linux, BSD, Android Libraries: glibc, uclibc, libpcap, libopencl Unknown device Diversity CPU: Intel Statically-linked ELF unportable OS: Linux, BSD, Android Libraries: glibc, uclibc, libpcap, libopencl Unknown device Diversity CPU: Intel, ARM, MIPS, Motorola, Sparc Statically-linked ELF unportable , BSD, Android Libraries: glibc, uclibc, libpcap, libopencl Unknown device Diversity CPU: Intel, ARM, MIPS, Motorola, Sparc OS: Linux Statically-linked ELF unportable Libraries: glibc, uclibc, libpcap, libopencl Unknown device Diversity CPU: Intel, ARM, MIPS, Motorola, Sparc OS: Linux, BSD, Android Statically-linked ELF unportable , uclibc, libpcap, libopencl Unknown device Diversity CPU: Intel, ARM, MIPS, Motorola, Sparc OS: Linux, BSD, Android Libraries: glibc Statically-linked ELF unportable Unknown device Diversity CPU: Intel, ARM, MIPS, Motorola, Sparc OS: Linux, BSD, Android Libraries: glibc, uclibc, libpcap, libopencl Unknown device Diversity CPU: Intel, ARM, MIPS, Motorola, Sparc Statically-linked ELF unportable OS: Linux, BSD, Android Libraries: glibc, uclibc, libpcap, libopencl Diversity CPU: Intel, ARM, MIPS, Motorola, Sparc Statically-linked ELF unportable OS: Linux, BSD, Android Libraries: glibc, uclibc, libpcap, libopencl Unknown device Data collection File & metadata analysis AVClass File recognition ELF anomaly Analysis infrastructure Data collection File & metadata analysis Static analysis Dynamic analysis Code Packer AVClass analysis analysis File recognition ELF Packing Sandbox Trace Emulation anomaly identification preparation analysis Data collection File & metadata analysis AVClass File recognition ELF anomaly Analysis infrastructure Data collection File & metadata analysis Static analysis Dynamic analysis Code Packer AVClass analysis analysis File recognition ELF Packing Sandbox Trace Emulation anomaly identification preparation analysis Data collection File & metadata analysis AVClass File recognition ELF anomaly Analysis infrastructure Data collection File & metadata analysis Static analysis Dynamic analysis Code Packer AVClass analysis analysis File recognition ELF Packing Sandbox Trace Emulation anomaly identification preparation analysis Data collection From November 2016 to November 2017 200 candidate samples per day Dataset of 10,548 Linux malware File & metadata analysis Data collection File & metadata analysis Static analysis Dynamic analysis Code Packer AVClass analysis analysis File recognition ELF Packing Sandbox Trace Emulation anomaly identification preparation analysis Dataset Architecture Samples Percentage X86-64 3018 28.61% MIPS I 2120 20.10% PowerPC 1569 14.87% Motorola 68000 1216 11.53% Sparc 1170 11.09% Intel 80386 720 6.83% ARM 32-bit 555 5.26% Hitachi SH 130 1.23% AArch64 (ARM 64-bit) 47 0.45% others 3 0.03% Distribution of the 10,548 downloaded samples across architectures Dataset Architecture Samples Percentage X86-64 3018 28.61% MIPS I 2120 20.10% PowerPC 1569 14.87% Motorola 68000 1216 11.53% Sparc 1170 11.09% Intel 80386 720 6.83% ARM 32-bit 555 5.26% Hitachi SH 130 1.23% AArch64 (ARM 64-bit) 47 0.45% others 3 0.03% Distribution of the 10,548 downloaded samples across architectures Dataset Architecture Samples Percentage X86-64 3018 28.61% MIPS I 2120 20.10% PowerPC 1569 14.87% Motorola 68000 1216 11.53% Sparc 1170 11.09% Intel 80386 720 6.83% ARM 32-bit 555 5.26% Hitachi SH 130 1.23% AArch64 (ARM 64-bit) 47 0.45% others 3 0.03% Distribution of the 10,548 downloaded samples across architectures • Anomalous ELF I Sections table removed • Invalid ELF I Segments table points beyond file I Overlapping header/segment I Sections table points beyond file • Problems with common analysis tools 8 readelf 2.26.1 8 GDB 7.11.1 8 pyelftools 0.24 4 IDA Pro 7 ELF manipulation nx07ELF ELF header Program header table .text .data Section header table • Invalid ELF I Segments table points beyond file I Overlapping header/segment I Sections table points beyond file • Problems with common analysis tools 8 readelf 2.26.1 8 GDB 7.11.1 8 pyelftools 0.24 4 IDA Pro 7 ELF manipulation nx07ELF ELF header • Anomalous ELF Program header table I Sections table removed .text .data Section header table • Problems with common analysis tools 8 readelf 2.26.1 8 GDB 7.11.1 8 pyelftools 0.24 4 IDA Pro 7 ELF manipulation nx07ELF ELF header • Anomalous ELF Program header table I Sections table removed • Invalid ELF .text I Segments table points beyond file I Overlapping header/segment I Sections table points beyond file .data Section header table ELF manipulation nx07ELF ELF header • Anomalous ELF Program header table I Sections table removed • Invalid ELF .text I Segments table points beyond file I Overlapping header/segment I Sections table points beyond file • Problems with common analysis tools 8 readelf 2.26.1 8 GDB 7.11.1 .data 8 pyelftools 0.24 4 IDA Pro 7 Section header table AVClass3 Pymadro Miner Ebolachan Golad Lady Connectback Mirai Elfpatch Pomedaj Liora Ddostf Cinarek Ztorg Elknot Shishiga Aidra Chinaz Fysbis Ganiw Scanner Roopre Mrblack Equation Logcleaner Sniff Tsunami Sshbrute Probe Znaich Erebus Xingyi Xaynnalc Gafgyt Flood Coinminer Bassobo Killdisk Eicar Remaiten Bossabot Midav Getshell Drobur Webshell Dcom Cloudatlas Luabot Iroffer Mayday Grip Darkkomet Prochider Ircbot Xhide Portscan Xunpes Diesel Setag Raas Shelma Shellshock Nixgi Wuscan Cleanlog Sshdoor Psybnc Themoon Rekoobe Intfour Pulse Sickabs Hajime Hijacker Mumblehard Darlloz Sotdas Ladvix Pnscan Ropys Lightaidra Moose Vmsplice Ddoser Spyeye 3Sebastin et al. "Avclass: A tool for massive malware labeling," International Symposium on Research in Attacks, Intrusions, and Defenses 2016. Static analysis Data collection File & metadata analysis Static analysis Dynamic analysis Code Packer AVClass analysis analysis File recognition ELF Packing Sandbox Trace Emulation anomaly identification preparation analysis oo oooo ooo oooooooo. o. ooooooo ooooo ooooo `8 `8'`8'`888`8'`88 `888 `Y88.`Y8 `8888 88 d8'd8 8888 8 8888 .d88'.d8. d8 Y88.. 8 8 . 8888 8 8 888P'88P ' `88`8888' 8 8 888 88 YY888 . 8 . 88 8 d8 8 ' `88 `YbodP'`YbdP'bdP' 88o o888o888o 88 o888 888 88 The Ultimate Packer for eXecutables I modified magic bytes I modified strings I junk bytes • At least one malware family is using a custom packer Packing ooooo ooo ooooooooo. ooooooo ooooo `888' `8' `888 `Y88. `8888 d8' 888 8 888 .d88' Y888..8P 888 8 888ooo88P' `8888' 888 8 888 .8PY888. `88. .8' 888 d8' `888b `YbodP' o888o o888o o88888o The Ultimate Packer for eXecutables • Vanilla UPX and custom variants are the prevalent packers (almost 4% of the dataset) ooooooo ooooooo ooo ooooooooo. oo o. ooooooo ooooooo ooooo ooooo `8`888' `8'`888`8'`88`8' `888 `Y88.`Y8 `8888 88 d8'd8 8888 8 8888 .d88'.d8. d8 Y88..Y888..8P 8 8 . 8888 8 8888ooo88P' 888P ' `88`8888' 8888 8 888 88 .8PY888. Y `88.8 . .8' 888 8 d8'd8 8 ' `888b`88