Hunting Linux Malware for Fun and Flags

Back to the list of Speakers and Sessions
Fun introduction to Linux malware analysis and incident response. Trainees getroot access to compromised Linux servers where they need to understand whatthey are up against (and find the flags!).

Server-side Linux malware is a real threat now. Unfortunately, unlike for itsWindows counterpart, most system administrators are inadequately trained ordon't have enough time allocated to analyze and understandthe threats that their infrastructures are facing. This tutorial aims atcreating an environment where Linux professionals have the opportunity tostudy such threats safe and in a time-effective fashion.

In this introductory tutorial you will learn to fight real-world Linux malwarethat targets server environments. Attendees will have to find maliciousprocesses and concealed backdoors in a compromised Web server.

In order to make the tutorial accessible for a range of skill levels severalexamples of malware will be used with increasing layers of complexity — fromscripts to ELF binaries with varying degrees of obfuscation. Additionally, asis common in Capture-The-Flag information security competitions, flags will behidden throughout the environment for attendees to find.

Participants should bring:

Any OS with the following tools:

  • Web browser
  • OpenVPN client
  • SSH client
  • Wireshark
  • ipython (Optional)
  • IDA Pro (Optional, proprietary, demo works)
Participants must know or have:
  • Familiar with Linux command line environment
  • Basic understanding of Linux userland (processes, network)
  • Some programming experience (any language)

Marc-Etienne M.Léveillé Senior Malware Researcher, ESET

Marc-Etienne is a malware researcher at ESET since 2012. He specializes in malware attacking unusual platforms, whether it’s fruity hardware or software from south pole birds. Marc-Etienne focused his research on the reverse engineering of server-side malware to discover their inner working and operation strategy. His research led to the publication of the Operation Windigo white paper that won Virus Bulletin’s Péter Szőr Award for best research paper in 2014. He presented at multiple conferences including RSAC, FIRST, 44con, CARO and Linuxcon Europe. When he’s not one of the organizer, he loves participating in CTF competitions like a partying gentleman. Outside the cyberspace, Marc-Etienne plays the clarinet and read comics.

Marc-Etienne est chercheur en logiciels malveillants chez ESET depuis 2012. Il se spécialise dans les logiciels qui ciblent les plateformes inhabituelles, comme les ordinateurs avec des pommes ou des pingouins. Durant les dernières années, Marc-Etienne s'est concentré sur la rétro-ingénierie de logiciels malveillants s'attaquant aux serveurs, à la fois pour comprendre leurs fonctionnements et comment ils sont utilisés. Ses recherches ont mené à la publication du rapport Operation Windigo qui s'est mérité le prix Péter Szőr Award à Virus Bulletin pour meilleur rapport de recherche en 2014. Il a présenté à de multiples conférences incluant RSAC, FIRST, 44con, CARO Workshop et Linuxcon Europe. Quand il n'est pas dans le comité organisateur, il aime participer à des compétitions de sécurité (CTF) comme un gentilhomme en fête. En dehors du cyberespace, Marc-Etienne joue de la clarinette et lit des bandes dessineés.