Thursday, May 22, 2014

Video tutorial to extract, kill, debug & traffic capture ELF .so shared library malware that's using LD_PRELOAD

I post this Video tutorial as a continuation to analysis of recent ELF malware infection that intercepts Linux/FreeBSD system using LD_PRELOAD method (via ld.so API) that I wrote in here -->>[MMD Blog]

There are many requests coming and asking me the method to dissect and stopping the infected processes, how to debug, how to extracting the binary from the infected PHP scripts and also how to make a traffic capture of it for analysis purpose. As a UNIX engineer and 100% on the spirit of open source, I think it is important to share this information to fellow engineers/server administrator to be more aware of the threat, and to know how to dissect this or the similar threats that may occur in the future.
Really hope this writing can be used as reference that helps people that really needs it.

Answering the questions asked, I made a a demonstration video with audio explanation (please bear to my English), it's about only 5 minutes in length to show you steps I made to extract the ELF .so malware binaries using the PHP template extraction script that I posted in the previous post of the related threat, to use the automation script to test running the malware in background for tests, to explain a how to stop/killing the running malware process using lsof, grep, kill and unset command respectively, and in the end is to demonstrate a how to debug and capturing the traffic in real time using tcpdump in PCAP file for analysis.

All of the operations demonstrated can be done in FreeBSD or Linux shell in your flavors, and I don't include any reverse engineering information inside of this tutorial. To be noted: Except for the how to in stopping this .SO malware process, for your own security purpose all of the operation mentioned should be performed in the test bed, and please do not connect into global internet for running the traffic capture to avoid leak of your traffic/credential to the bad actors, which is still UP and running (the threat is still "in the wild" right now).

The environment that I used in this video is NOT containing any real alive services or accounts, it was made for the sharing purpose only. All of this information and materials posted here are owned by myself, shared & contributed via MalwareMustDie, NPO to you all. I really don't appreciate and disallow copies of the post without asking permission from myself or MalwareMustDie, NPO beforehand.

DUE TO THE RECENT PROGRESS OF NEW USER USING MAYHEM WE DO NOT SHARE THIS VIDEO OPENLY ANYMORE, PLEASE CONTACT @MALWAREMUSTDIE (TWITTER) FOR ACCESS,

Below is the demonstration video in youtube. Here is the source URL -->[youtube]

If you have any thoughts, ideas, questions & suggestions about this tutorial, please feel free to write the comment below this post.

Be safe and enjoy the tutorial! #MalwareMustDie