Sandfly 2.2 – Enhanced Web Shell Detection, Anti-Forensics and More

Sandfly 2.2 has now been released. This update adds new capabilities around web shell detection, anti-forensics detection, plus much more. A small sample of some of the new Linux threats we detect with our agentless security platform are below.

Process in Standard HTML Directory

Linux Malware in HTML Directory

We will flag processes that appear to be running from any kind of HTML directory. Linux malware often injects itself into vulnerable web servers and then runs an uploaded binary usually under the exploited HTML areas. It is suspicious to see processes running from HTML directories and we will flag any we see.

Web Server or PHP Running a Shell

Linux Apache Webshell

We have new checks to see if the Apache, nginx, PHP and similar web services/users are running what appears to be a system shell. Web servers or PHP running a shell directly is often malicious (or possibly a very bad configuration). We’ll tell you if we see it happening. We can flag many PHP backdoors that use these tactics. In a review of nearly 100+ PHP backdoors, we are able to spot virtually all of them with shell activity. This is on top of the previous Sandfly checks that would spot secondary intruder activity once they gained access.

Improved Kernel Thread Masquerading Detection

Linux Kernel Thread Masquerading Detection

We’ve added new ways to detect process masquerading that is trying to look like a Linux kernel thread. This tactic is used by some rootkits, hacking tools and malware. We now cover even more variants of this tactic to the point where most of these tools won’t work without detection on any system Sandfly is monitoring.

Improved Anti-Forensics Detection

Linux Anti-Forensics System-Wide

We have expanded our ability to detect anti-forensic tactics in system-wide login and boot scripts. If we see these tactics being deployed globally in system scripts, we’ll generate an alert to what is going on.

Hostile Login and Initialization Scripts Checks

Linux Malware Persistence in System-Wide Init Script

We have enhanced our ability to detect hostile commands inside system-wide login and initialization scripts that can be used by malware to maintain persistence on the affected host.

Expanded Python Bind Shell Backdoor Detection

Python Backdoor Webshell Apache

We have expanded the ability to detect many types of Python standard and reverse bind shell backdoors.

Binary Links from /tmp and /dev Directories

Malicious File Link to Linux System Binary

We’ll flag any system binaries that are linked from /tmp or /dev directories. This is a tactic used to masquerade system binaries under another name when running. If we see any system binaries linked out of these directories, we’ll let you know what they are so you can investigate.

Incident Response Checks

We are also building out our Incident Response (IR) checks to help teams tasked with this mission to work faster and more accurately. We already have a good stable of checks to help find things like newly created files, custom user search, log file tampering, etc. And of course you can even write your own checks with Sandfly 2.x custom sandfly feature. However, we are constantly building out new forensic engines to expand this capability with the following plus more.

Process and Binary Creation Time Identical

Linux Malware Process and Binary Creation Time Identical

It’s common for malware to copy itself onto a host and then immediately launch. This check will flag any binary that has a creation time that is the same (or close) to when the process started. This is a great way to quickly find suspicious binaries operating on Linux systems that have suddenly appeared out of nowhere.

Hidden Named Pipes and Character Devices

We also put in checks to flag any hidden named pipes or character devices present on a Linux host. Hidden named pipes and hidden character devices are not commonly used. Of the times we’ve run across these tactics, they have been part of rootkits or backdoors. These new checks will scan the entire filesystem for these kinds of entries. This is a great application for IR teams that want to dig into a host they think is compromised to pull out deeply hidden problems.

Processes Started with nohup Command

The nohup command has legitimate uses, but today it’s often used by malware to remain running after the terminal disconnects. Incident responders can now scan for any process started with nohup to investigate whether it is legitimate or not.

Bug Fixes and False Alarms

We have made bug and false alarm fixes internally. We don’t like false alarms and work very hard to make sure they don’t happen. If you previously had whitelisted a Sandfly check due to false alarms, you should reactivate it as it likely has been fixed in this update.

Improved Sandfly 2.2 Format

We have done some tweaks to improve and simplify the custom Sandfly JSON format. We have eliminated redundant keywords and removed other keywords that are not needed any more. If you have custom Sandfly JSON checks, they will be converted to the new 2.2 format automatically.

How to Upgrade Sandfly

Sandfly is easy to upgrade. Please follow the instructions here:

Upgrading Sandfly

Nearly 550 Sandfly Checks and Growing

Sandfly 2.2 has now brought the number of compromise and incident response checks we do on Linux up to nearly 550. We can spot a tremendous amount of Linux malware, rootkits and intruder activity without loading any agents on your endpoints. Thank you for using our product.