ELF Binary Infection Attacks For Persistence and Heuristic Detection.
10-14, 09:30–10:20 (US/Eastern), Room 402

ELF binary infection has been around for roughly 25 years, but is still an underutilized style of persistence. Instead most persistence mechanism particularly on Linux are focused on modifications of plain-text configurations where either a malicious user account is added to the system or execution of malicious binary or script takes place. The problem with such mechanism is that they are antiquated and are well known. In the event suspicions of system compromise takes place, most system administrators and IR personnel will check these configurations for malicious modifications. ELF binary infection methods offer a more covert form of carrying out malicious activity because the code can reside in legitimate programs and execute in their context. The lack of knowledge and analysis skills surrounding ELF binaries also serves as a barrier for detection. Both current automated tools and personnel are far behind in the arena of detection and analysis in comparison to their counterparts on the Windows platform. Using applications such as d0zer, we will explore utilizing old and novel techniques to infect targets in order to demonstrate infection capability for offensive purposes. For defense/detection I will demonstrate how basic and powerful heuristics can be utilized to help bridge the gap that exists between current Linux antivirus technology and ELF binary infection algorithms.

Just a nerd employed as penetration tester and offensive security researcher. Currently involved in two communities (tmp.0ut and VX-Underground) that produced printed and electronic magazines around malware development.