Embed Size (px)
Citation preview
HaboMalHunter
An Automated Malware Analysis Tool for Linux ELF Files
{Jingyu YANG, Zhao LIU }@Tencent
Agenda
3/26/17
• Introduction
• Background
• Architecture
• Implementation
• Demonstration
• Conclusion
Introduction
3/26/17
•• https://habo.qq.com/en
• Username: BlackHatAsia17
• Password: Habo@BlackHat17
• expired on May, 2017
• The Project
• https://github.com/Tencent/HaboMalHunter
3/26/17
Background
3/26/17
• Dose Linux virus exist?
• Difference between Windows Malware
• quantity
• categories
• Impact
• Related Works
Quantity
3/26/17
Categories
• Windows
• Downloader
• RAT
• Backdoor
• Keylogger
• PUA
• Ransomware3/26/17
3/26/17
3/26/17
Architecture
3/26/17
VM Scheduler
Analyze Controller
• Static Analyzer• ELF Loader• Dynamic Analyzer
Log Processer
Implementation
3/26/17
• Static Analysis• ELF formats• Interesting strings
• ELF Loader• Dynamic Analysis
• Process• I/O• Network• System Calls• Memory Forensics
Demonstration
3/26/17
• Linux.Gafgyt
• 2adf8194c30f3638152f1635096cfdc8
• Linux. Gates
• f0eacba95df5e796114a930b97b33053
YARA Rules
3/26/17
Linux.Gafgyt
3/26/17
Linux. Gates
3/26/17
Conclusion
3/26/17
• Linux Malware
• Benefits of HaboMalHunter
• Automated
• Malware Report
• YARA Rules
• Malware Research
• https://github.com/Tencent/HaboMalHunter
References
3/26/17
1. White Paper: https://github.com/Tencent/HaboMalHunter/blob/master/WhitePaper.md
2. YARA: The pattern matching swiss knife for malware researchers, http://virustotal.github.io/yara/
3. Monnappa, Automating Linux Malware Analysis Using Limon Sandbox. Black Hat 2015.
4. Guarnieri, C., Tanasi, A., Bremer, J., & Schloesser, M. (2012). The cuckoo sandbox.
