Linux SystemsCompromised

Understanding and dealing with break-ins

Ede, 5 February 2016

Michael Boelenmichael.boelen@cisofy.com

Agenda

Today1. How do “they” get in2. Rootkits3. Malware handling4. Defenses

2

Michael Boelen

● Security Tools○ Rootkit Hunter (malware scan)

○ Lynis (security audit)

● 150+ blog posts

● Founder of CISOfy

3

How do “they” get in

Intrusions

● Passwords● Vulnerabilities● Weak configurations

5

Why?

6

Keeping Control

● Rootkits● Backdoors

7

Rootkits 101

Rootkits

● (become | stay) root● (software) kit

9

Rootkits

● Stealth● Persistence● Backdoors

10

How to be the best rootkit?

Hiding ★

In plain sight!

/etc/sysconfig/…/tmp/mysql.sock/bin/audiocnf

12

Hiding ★★

Slightly advanced

● Rename processes● Delete file from disk● Backdoor binaries

13

Hiding ★★★

Advanced

● Kernel modules● Change system calls● Hidden passwords

14

Demo

Demo

16

Demo

17

Continuous Game

18

Detection

Challenges

● We can’t trust anything● Even ourselves● No guarantees

21

Rootkit Hunter

Detect theundetectable!

22

Dealing with malware

● Owner?● Risk?● What if we pull the plug?

Activate your plan!

24

VLANBogus DNSLooks Real™

Quarantine

25

Consider Research

Memory dump(Volatility)

Static analysis

26

Restore

Does it include malware?

27

Defense

Best protection

At least● Perform security scans● Collect data● System Hardening

29

Frameworks / Patches

● SELinux● AppArmor● Grsecurity

30

Compilers

● Remove● Limit usage

31

Harden Applications

● Use chroot● Limit permissions● Change defaults

32

Kernel Hardening

● sysctl -a● Don’t allow ptrace

33

Automation

Tip: Lynis

● Linux / UNIX● Open source● GPLv3

35

Conclusions

Conclusions

● Good rootkits are hard to detect

● Use cost-effective methods● Detect● Restore● Learn

● Apply hardening

37

You finished this presentation

Success!

More Linux security?

Presentationsmichaelboelen.com/presentations/

Follow● Blog Linux Audit (linux-audit.com)● Twitter @mboelen

39

40