Sandfly 1.6.0 – 200 Sandflies!
January 10, 2019
Sandfly 1.6.0 is now available. We now have 200 sandfly checks covering a wide range of Linux rootkit, malware and intrusion detection. Our agentless approach is fast and extensive in investigating threats against Linux. Here is what we’ve added to this release.
Linux Process Masquerading Detection
This sandfly will flag any process that is identical to another running process but has a different name. Put simply, an attacker may start a legitimate system process but use it for malicious reasons. For instance attackers may make a copy of the local SSH server daemon but use it as a backdoor onto the system by running it on a new port and new name. Other types of malicious activity also use this tactic.
Sandfly constantly hunts for these types of Linux threats and gives you an alert if it finds masquerading processes with different names. This activity is not normal on Linux and is almost always malicious. Full process forensics are supplied along with a clear explanation of what is going on as well.
Strace Debugger Running
The tool Strace is valuable for program debugging, but in the hands of a hacker it can be used to dump sensitive information from system daemons and further compromise a network. Because strace is installed by default on most Linux distributions, it poses a unique threat especially for advanced attackers looking to leverage native tools to gain further access.
Sandfly will look for the strace process that has been running on a remote system for what we’d consider an unusual length of time. This indicates that the tool is not simply being used for debugging, but rather is attached to a system process and doing longer term data theft.
Strace Process Masquerading
Sandfly looks for high risk processes masquerading under a different name already such as tcpdump, netcat, and various system shells. We have now expanded this to also look for strace. When Sandfly sees strace running, but is not calling itself strace on the system, we will give you an alert with full process forensics.
Strace SSH Keylogger Detection
Strace can be used as a built-in SSH keylogger. Attackers can use strace to steal credentials by attaching to the local SSH binary to grab data when local users call it. Or, strace can be used by attaching to the SSH server and grabbing passwords when people connect to the system itself.
Sandfly will look for signs that strace is attached to critical SSH programs and generate an alert.
Just like all Sandfly alerts, you will get full process details including what the command line looks like so you can quickly see if it looks suspicious. The below command is an example of strace being used as a SSH keylogger on a host:
Linux Process Masquerading with Mixed Case
This sandfly looks for a classic Unix attack where a malicious process is named almost the same as a legitimate process except for swapping out the case of a letter. As Linux is case sensitive, you can have cron and Cron and both can co-exist. However the legitimately named cron is a lot different than the one with the uppercase Cron and this is easy to miss under casual review. Sandfly won’t miss it. Below is an example of a netcat listener hiding as a cron look alike.
File Binary Link in /tmp and /dev Directories
Sandfly pays a lot of attention to world writable directories because they are magnet for trouble. Many pieces of Linux malware and automated attack scripts leverage /tmp and /dev/shm because they are almost always available and writeable by anyone on a Linux host. Other attacks make frequent use of /dev after obtaining root access to hide malicious activity.
Some attacks use a link to legitimate system binaries before running them so they appear to be a different name in the process list. For instance the SSH masquerading shown earlier has a variant that uses a link to /usr/sbin/sshd to make it appear as something else. Other attacks using netcat, tcpdump and similar tools happen as well. If we see any file under /tmp or /dev that is linked to a legitimate system binary we will flag it for investigation. These links can be used for backdoors and other malicious activity and we’ll spot them for you automatically.
Process Running From Hidden /run Directory
We have been looking for processes running from hidden directories for a while now, and have expanded it to search for this activity happening from the system /run directory. Legitimate activity happens in this directory, but processes running from hidden directories would be very unusual. Below shows a malicious process and again you get full file and forensic information about what is going on.
Suspicious Named Pipe in /run Directory
We now look for suspicious named pipes under the system /run directory as we do in other areas of the file system. This kind of activity can indicate a backdoor is in use or has been used on the target host.
Suspicious File Checks Under /run Directory
We have expanded our checks for suspicious files under /run directories on Linux. This includes checks for hidden binaries, masquerading files, SUID binaries, and encrypted binaries that are under this directory for any reason.
A whitelisting bug was fixed. We have also changed e-mail alerting so you can add an unauthenticated server for those customers using internal mail relays that do not require username and passwords.
If the above wasn’t enough, we have expanded rootkit signatures for certain types of Russian and Chinese malware, expanded malicious cron entry detection, and made other changes to increase our detection reliability and coverage.
Upgrading Sandfly is easy. Please follow the instructions outlined here:Upgrading Sandfly
Thanks for using Sandfly.