
Linux Malware Analysis  

New Member


Recently I have encountered a Linux system which has been infected by malware. I have handled numerous malware investigation cases with regard to the Windows operating system.

This Linux malware incident is my first case and I am not sure how to proceed with this.

Can you please guide me on how I can start with this analysis?

I have processed the image with X-Ways, but I am stuck on how to proceed.

Posted : 19/03/2020 1:54 pm
Senior Member

Have you tried

1. Generating a hash list for a “clean” install of the Linux OS to use to compare to the “infected” system’s file hash values?

2. Booting a virtualized version of the infected machine to capture any “phoning home” activity? Kali Linux offers a VM download which includes Wireshark. Boot the Kali VM first, attach Kali to a newly created virtual network, and then connect the infected machine’s VM to the same network.

3. Building a timeline of known activity to attempt to isolate how and when the Malware was placed on the machine?

4. Analyzing which software sources the infected machine is configured to work with. Did the infected machine only use the standard built-in software sources and the Synaptic package manager, or did the infected machine add a “non-standard” software source (which could be the vector through which the malware was installed)?

5. Analyzing the internet browsers used on the infected machine to see if a vulnerable browser was used; also analyze any browser plugins using GHIDRA or IDA Pro (reverse code engineering).

You might want to try Autopsy/The Sleuth Kit for analysis in addition to X-Ways, as The Sleuth Kit is free to use and very good at generating a universal timeline for all files on the infected system.

Unlike Windows machines with multiple Registry hives tracking individual file metadata and other user activity, Linux has no equivalent “hives”. The very first time a Linux system is created, a finite number of files will be defined by the system (inode or index node). Linux then keeps track of file changes such as created and modified for each individual file - the point being Linux has different Modified/Accessed/Created/(plus one more whose name escapes me) metadata values than a Windows system.

I would actually start with creating a super timeline of all files on the infected system using The Sleuth Kit and export the super timeline to Excel for manual analysis; focus in on the specific date and time that you believe the malware came into existence on the machine and then move up the super timeline to see what files were subsequently modified by the malware.

Posted : 19/03/2020 2:30 pm
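Two of the steps in the reply above (comparing the image's file hashes against a clean install, and walking a Sleuth Kit timeline outward from the suspected infection time) can be scripted once the bodyfile exists. The following is an added example, not code from the thread or from The Sleuth Kit. It assumes a TSK 3.x bodyfile in the layout `fls -r -m / image.dd` emits (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`); `fls` itself writes `0` in the MD5 column, so the hashes are assumed to have been filled in separately (for example with hashdeep over the mounted image). The sample bodyfile lines, the "clean install" baseline and the 12:00-13:00 UTC window are all constructed for the example.

```python
"""Baseline hash comparison and timeline window over a TSK bodyfile.

Added example for the forum reply above; not from the thread or from TSK.
Assumes an 11-field TSK 3.x bodyfile with the MD5 column already populated.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample bodyfile (four files, epoch timestamps around 2020-03-19).
# A real one comes from `fls -r -m / image.dd`, with hashes filled in afterwards.
SAMPLE_BODYFILE = """\
d41d8cd98f00b204e9800998ecf8427e|/etc/passwd|1001|r/rrw-r--r--|0|0|1200|1584600000|1584100000|1584100000|1584000000
9e107d9d372bb6826bd81d3542a419d6|/usr/bin/ls|2002|r/rrwxr-xr-x|0|0|138000|1584600000|1584621000|1584621000|1584000000
e4d909c290d0fb1ca068ffaddf22cbd0|/tmp/.x/kthreadd|3003|r/rrwxr-xr-x|1000|1000|54000|1584620900|1584620900|1584620900|1584620900
1f3870be274f6c49b3e31a0c6728957f|/etc/cron.d/sys|3004|r/rrw-r--r--|0|0|80|1584620950|1584620950|1584620950|1584620950
"""

# Constructed "clean install" baseline: path -> MD5 taken from a known-good
# system of the same distribution and package versions.  Only files present
# here can be judged "modified"; everything else is "unknown" and needs a look.
CLEAN_BASELINE = {
    "/etc/passwd": "d41d8cd98f00b204e9800998ecf8427e",
    "/usr/bin/ls": "d8e8fca2dc0f896fd7cb4cb0031ba249",
}


@dataclass
class FileRecord:
    md5: str
    path: str
    inode: str
    size: int
    atime: int   # last access
    mtime: int   # last content modification
    ctime: int   # last inode (metadata) change
    crtime: int  # creation/birth time, where the filesystem records it


def parse_bodyfile(text):
    """Parse TSK bodyfile lines into FileRecord objects; reject malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError("unexpected bodyfile line: %r" % line)
        md5, path, inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = fields
        records.append(FileRecord(md5, path, inode, int(size),
                                  int(atime), int(mtime), int(ctime), int(crtime)))
    return records


def diff_against_baseline(records, baseline):
    """Classify each file as 'match', 'modified' (hash differs from the clean
    install) or 'unknown' (path not present in the clean install)."""
    result = {"match": [], "modified": [], "unknown": []}
    for r in records:
        expected = baseline.get(r.path)
        if expected is None:
            result["unknown"].append(r.path)
        elif expected.lower() == r.md5.lower():
            result["match"].append(r.path)
        else:
            result["modified"].append(r.path)
    return result


def timeline(records, start, end):
    """Flatten records to sorted (timestamp, MACB flags, path) rows inside
    [start, end].  Flags: M=mtime, A=atime, C=ctime, B=crtime, '.'=not at
    that timestamp, matching the column mactime prints."""
    events = {}
    for r in records:
        for flag, ts in (("M", r.mtime), ("A", r.atime), ("C", r.ctime), ("B", r.crtime)):
            if start <= ts <= end:
                events.setdefault((ts, r.path), set()).add(flag)
    rows = []
    for (ts, path), flags in sorted(events.items()):
        macb = "".join(f if f in flags else "." for f in "MACB")
        rows.append((ts, macb, path))
    return rows


def fmt(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    recs = parse_bodyfile(SAMPLE_BODYFILE)
    verdicts = diff_against_baseline(recs, CLEAN_BASELINE)
    for kind in ("modified", "unknown"):
        for path in verdicts[kind]:
            print("%-9s %s" % (kind, path))
    # Suspected infection window: 2020-03-19 12:00-13:00 UTC (constructed).
    for ts, macb, path in timeline(recs, 1584619200, 1584622800):
        print(fmt(ts), macb, path)
```

The timeline rows in the window show the order a practitioner would then work through: a hidden directory under `/tmp` and a cron entry appear within a minute of each other, and `/usr/bin/ls` gets M and C updates (content and inode changed, birth time untouched) shortly after, which is also the file the hash comparison flags as modified. Config files such as `/etc/passwd` legitimately differ between installs, so hash mismatches there need manual review rather than an automatic verdict.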
Community Legend

Can you please guide me on how I can start with this analysis?

What are you trying to do? (No, 'perform an analysis' is not a correct answer.) What specific questions do you need to find answers to?

The first question I would suggest you answer is 'how do you know you have a malware infection? Is it a certain bill, or is it tentative? How likely is it that it is a false alarm?' (Of course, if this is some kind of class assignment, that would answer all those questions very simply and directly.)

I have processed the image with X-Ways.

Why did you do that? Does it help you answer those questions?

Posted : 19/03/2020 4:29 pm
Senior Member

Why did you do that?

It is a good question!

Posted : 20/03/2020 6:59 am
Active Member

How do you know the system is compromised with malware? You must have been provided some information to work from. I'd acquire the memory, check for anomalies, look for suspicious modules and hidden modules, dump them and analyse them, check for any suspicious hooking, whether there are other rootkits active, etc. Then you have the obvious: check running processes, and if you find something that jumps out, work backwards and dig deeper into associated artefacts. There's a lot that can be done with memory and I'd be looking there first.

Posted : 20/03/2020 7:47 am
New Member

Try Cuckoo Sandbox for malware analysis, a hell of a tool.
It can run Windows or Linux hosts/guests, log (almost) everything that happens on the virtual machines, and a lot more. The snapshots are great for reverting everything fast and applying new rules for testing the infected machines.

Posted : 07/04/2020 2:05 am