You can find #Linux malware masquerading as a kernel thread using this command:
cat /proc/<PID>/maps
I'm going to show you how in this thread.
#DFIR #sandflysecurity
cat /proc/<PID>/maps
I'm going to show you how in this thread.
#DFIR #sandflysecurity
Malware will name itself with [brackets] to impersonate a Linux kernel thread. Bracketed names mean no cmd line argument. Kernel threads almost always are in brackets.
Use ps with tree view to find our candidates for investigation:
ps auxwf | grep "\["
#DFIR #sandflysecurity
Use ps with tree view to find our candidates for investigation:
ps auxwf | grep "\["
#DFIR #sandflysecurity
Any #Linux process that looks like a [kernel thread] should have an empty maps file. If you look at the maps file for a process and it has data in it, it's not a kernel thread:
cat /proc/<PID>/maps
Our suspect below has entries under maps. Bad news.
#DFIR #sandflysecurity
cat /proc/<PID>/maps
Our suspect below has entries under maps. Bad news.
#DFIR #sandflysecurity
You can quickly crawl over all [PIDs] to see if their maps have data with this command:
ps auxww | grep \\[ | awk '{print $2}' | xargs -I % sh -c 'echo PID: %; cat /proc/%/maps' 2> /dev/null
Any #Linux process showing data here should be investigated.
#DFIR #sandflysecurity
ps auxww | grep \\[ | awk '{print $2}' | xargs -I % sh -c 'echo PID: %; cat /proc/%/maps' 2> /dev/null
Any #Linux process showing data here should be investigated.
#DFIR #sandflysecurity
This simple command just shows any [PID] that is not a child off kthreadd. It's simple, but it works and gets you onto the problem fast.
ps auxwf | grep \\[ | grep -v "\_" | grep -v kthreadd
#DFIR #sandflysecurity
ps auxwf | grep \\[ | grep -v "\_" | grep -v kthreadd
#DFIR #sandflysecurity
There may be some small exceptions to the above, but generally speaking you'll find most Linux malware masquerading with brackets doing this. #DFIR #sandflysecurity
sandflysecurity.com
sandflysecurity.com
