Hunting Linux Malware for Fun and Flags

Back to the list of Speakers and Sessions

Fun introduction to Linux malware analysis and incident response. Trainees get root access to compromised Linux servers where they need to understand what they are up against (and find the flags!).

Server-side Linux malware is a real threat now. Unfortunately, unlike for its Windows counterpart, most system administrators are inadequately trained or don't have enough time allocated to analyze and understand the threats that their infrastructures are facing. This tutorial aims at creating an environment where Linux professionals have the opportunity to study such threats safe and in a time-effective fashion.

In this introductory tutorial you will learn to fight real-world Linux malware that targets server environments. Attendees will have to find malicious processes and concealed backdoors in a compromised Web server.

In order to make the tutorial accessible for a range of skill levels several examples of malware will be used with increasing layers of complexity — from scripts to ELF binaries with varying degrees of obfuscation. Additionally, as is common in Capture-The-Flag information security competitions, flags will be hidden throughout the environment for attendees to find.

Participants should bring:

Any OS with the following tools:

  • Web browser
  • OpenVPN client
  • SSH client
  • Wireshark
  • ipython (Optional)
  • IDA Pro (Optional, proprietary, demo works)
Participants must know or have:
  • Familiar with Linux command line environment
  • Basic understanding of Linux userland (processes, network)
  • Some programming experience (any language)

Marc-Etienne M.Léveillé Malware Researcher, ESET

Marc-Etienne is a malware researcher at ESET since 2012. He specializes in malware attacking unusual platforms, whether it’s fruity hardware or software from south pole birds. Marc-Etienne focused his research on the reverse engineering of server-side malware to discover their inner working and operation strategy. His research led to the publication of the Operation Windigo white paper that won Virus Bulletin’s Péter Szőr Award for best research paper in 2014. While still keeping eyes open on crimeware, he now focuses on the analysis of targeted attacks.

Outside his day job, Marc-Etienne enjoys designing challenges for the NorthSec CTF competition. He is also a co-organiser of the MontréHack monthly event. He presented at multiple conferences including CSAW:Threads, CARO Workshop and Linuxcon Europe. When he’s not one of the organizer, he loves participating in CTF competitions like a partying gentleman. Outside the cyberspace, Marc-Etienne plays the clarinet and read comics. He tweets sporadically at @marc_etienne_.