Hunting Linux Malware for Fun and Flags

Back to the list of Speakers and Sessions
Fun introduction to Linux malware analysis and incident response. Trainees getroot access to compromised Linux servers where they need to understand whatthey are up against (and find the flags!).

Server-side Linux malware is a real threat now. Unfortunately, unlike for itsWindows counterpart, most system administrators are inadequately trained ordon't have enough time allocated to analyze and understandthe threats that their infrastructures are facing. This tutorial aims atcreating an environment where Linux professionals have the opportunity tostudy such threats safe and in a time-effective fashion.

In this introductory tutorial you will learn to fight real-world Linux malwarethat targets server environments. Attendees will have to find maliciousprocesses and concealed backdoors in a compromised Web server.

In order to make the tutorial accessible for a range of skill levels severalexamples of malware will be used with increasing layers of complexity — fromscripts to ELF binaries with varying degrees of obfuscation. Additionally, asis common in Capture-The-Flag information security competitions, flags will behidden throughout the environment for attendees to find.

Participants should bring:

Any OS with the following tools:

  • Web browser
  • OpenVPN client
  • SSH client
  • Wireshark
  • ipython (Optional)
  • IDA Pro (Optional, proprietary, demo works)
Participants must know or have:
  • Familiar with Linux command line environment
  • Basic understanding of Linux userland (processes, network)
  • Some programming experience (any language)