Sandfly 2.3.3 – More Linux Sniffer and Immutable File Detection
November 21, 2010
Sandfly 2.3.3 has been released. We’ve put in more methods to help spot packet sniffers and suspicious immutable files common with malware. Plus, this version has a bug fix for a problem where hosts were not being cleared from the task queue under some circumstances.
Tuned Linux Network Packet Sniffer Detection
Some customers have asked us to provide a pre-tuned version of a sandfly to detect network sniffers on Linux. We now have one called sandfly_process_running_sniffer_operating_tuned. This version already has several legitimate Linux binaries, such as dhclient and systemd services, marked to ignore. This will avoid false alarms on most basic Linux installs. You can run it against your Linux hosts as a test and, if needed, add any programs unique to your environment that get flagged.
This check is located under the Incident Response tab. You can run it as a manual scan, or clone it and change the type from incident to process with a new name. Once you do this it will run as part of your normal automated threat hunting schedule.
Immutable SSH authorized_keys
In this update we improved the ability to search inside user home directories in a targeted way, and Sandfly will now look specifically for SSH authorized_keys files that are marked immutable. Immutable files are not common on Linux, and setting the flag is often done by malware to prevent removal by admins, by automated tools and, frequently, by other pieces of malware trying to infect the same box.
Build Your Own Home Directory Scan
You may want to explore the feature that allows you to build your own file scan, particularly inside user home directories. You can for instance build a scan like the one for authorized_keys above quickly. Or how about checking for certain files under user’s public HTML directories? There are many ways to leverage this. Let’s look at a quick example.
First, you can see the full forensic keyword list you can use to make your own modules below: Sandfly Linux Forensic Keyword List
The red arrows show what we are doing to look for immutable SSH authorized_keys.
First, we say we want to know about any file with an immutable flag set.
Second, we’ll set home_dir_scan to true. This tells Sandfly to automatically look at the users in /etc/passwd and use their registered home directories as the top level for the searches. Each user is iterated over, so you don’t have to waste time searching the entire hard drive.
Third, we’ll set the search path to refine things even more. This is a list of paths you want to search under each user home directory. In this example, if the user home dir is /root when we look at /etc/passwd, then the path /.ssh will be appended like this: /root/.ssh
This again lets us be very specific about which directory we want to search without wasting time. You can even have a list of directories here. For instance, putting “/.ssh”, “/.ssh2”, “/.ssh_custom” in the list means Sandfly will search /root/.ssh, /root/.ssh2 and /root/.ssh_custom for immutable files in the root user’s home directory.
The search_paths_patterns is a list of regular expressions to match against a file name. Here we put in an anchored exact match for authorized_keys because we know that’s the file we want. But if you wanted to search the entire directory, you could wildcard it with .* or even .*authorized_.*. This again is a list of regular expressions, so you can have a comma separated list of patterns you want to search for like “file1.*”, “.*\.jpg”, “^index.html$” and so on.
Finally, we’ll set the search_paths_recurse flag to false. This tells Sandfly not to recurse below the top of this directory. This again can save time if you are not interested in anything below this area. For other checks, though, you’ll want to use recursion so you don’t miss anything. However, recursion can result in large searches across the file system if used without care. It is good to experiment on a test host to see whether your search will be efficient.
After you set what you want, be sure to change the name to something unique. Save it and you’re ready to use it.
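To make the search logic described in the steps above concrete, here is an added example (my own code, not Sandfly’s implementation) that walks the same path: read home directories from /etc/passwd, append each search path, match file names against a list of regular expressions, honour the recurse flag, and report files whose immutable bit is set. The /etc/passwd excerpt, the directory tree and the lsattr output lines are constructed sample data; function names such as find_immutable_files and the in-memory tree format are assumptions made for the example. On a real Linux host you would swap sample_lookup for live_lsattr, which shells out to lsattr -d.

```python
import re
import subprocess
from typing import Callable, Dict, Iterator, List

# Constructed /etc/passwd excerpt; not taken from any real host.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
)

# Constructed in-memory directory tree: directory -> entry names.
# An entry is itself a directory when its full path is also a key here.
SAMPLE_TREE: Dict[str, List[str]] = {
    "/root/.ssh": ["authorized_keys", "id_rsa", "id_rsa.pub"],
    "/home/alice/.ssh": ["authorized_keys", "backup"],
    "/home/alice/.ssh/backup": ["authorized_keys"],
}

# Constructed `lsattr -d <path>` output lines. The first field is the
# attribute string; an 'i' in it means the immutable bit is set.
SAMPLE_LSATTR: Dict[str, str] = {
    "/root/.ssh/authorized_keys": "----i---------e------- /root/.ssh/authorized_keys",
    "/root/.ssh/id_rsa": "--------------e------- /root/.ssh/id_rsa",
    "/root/.ssh/id_rsa.pub": "--------------e------- /root/.ssh/id_rsa.pub",
    "/home/alice/.ssh/authorized_keys": "--------------e------- /home/alice/.ssh/authorized_keys",
    "/home/alice/.ssh/backup/authorized_keys": "----i---------e------- /home/alice/.ssh/backup/authorized_keys",
}


def home_dirs(passwd_text: str) -> Dict[str, str]:
    """Map user -> home directory from /etc/passwd content (the home_dir_scan step)."""
    homes: Dict[str, str] = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[5]:
            homes[fields[0]] = fields[5]
    return homes


def search_dirs(passwd_text: str, search_paths: List[str]) -> List[str]:
    """Append every search path to every home directory, e.g. /root + /.ssh -> /root/.ssh."""
    dirs = []
    for home in home_dirs(passwd_text).values():
        for path in search_paths:
            dirs.append(home.rstrip("/") + "/" + path.lstrip("/"))
    return dirs


def lsattr_is_immutable(lsattr_line: str) -> bool:
    """Parse one `lsattr -d` output line and report whether the 'i' (immutable) flag is set."""
    if not lsattr_line.strip():
        return False
    flags = lsattr_line.split(None, 1)[0]
    return "i" in flags


def live_lsattr(path: str) -> str:
    """Real lookup for a Linux host with e2fsprogs installed; not used in the sample run."""
    result = subprocess.run(["lsattr", "-d", path], capture_output=True, text=True, check=False)
    return result.stdout.strip()


def sample_lookup(path: str) -> str:
    """Attribute lookup against the constructed lsattr lines."""
    return SAMPLE_LSATTR.get(path, "")


def walk(directory: str, tree: Dict[str, List[str]], recurse: bool) -> Iterator[str]:
    """Yield file paths under directory, descending into subdirectories only when recurse is true."""
    for name in tree.get(directory, []):
        full = directory + "/" + name
        if full in tree:
            if recurse:
                yield from walk(full, tree, recurse)
        else:
            yield full


def find_immutable_files(passwd_text: str, search_paths: List[str], patterns: List[str],
                         recurse: bool, tree: Dict[str, List[str]],
                         attr_lookup: Callable[[str], str]) -> List[str]:
    """Return files whose name matches any pattern and whose immutable flag is set."""
    compiled = [re.compile(p) for p in patterns]
    hits = []
    for directory in search_dirs(passwd_text, search_paths):
        for path in walk(directory, tree, recurse):
            name = path.rsplit("/", 1)[-1]
            if any(c.search(name) for c in compiled) and lsattr_is_immutable(attr_lookup(path)):
                hits.append(path)
    return hits


if __name__ == "__main__":
    # Same settings as the authorized_keys scan in the post: /.ssh, anchored name, no recursion.
    for hit in find_immutable_files(SAMPLE_PASSWD, ["/.ssh"], ["^authorized_keys$"],
                                    False, SAMPLE_TREE, sample_lookup):
        print("immutable:", hit)
```

With recursion off, only /root/.ssh/authorized_keys is reported; with recursion on, the constructed /home/alice/.ssh/backup/authorized_keys also appears, which is the trade-off the recurse flag controls. Directories that exist in /etc/passwd but not on disk (the daemon user’s /usr/sbin/.ssh here) are simply skipped.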
More cron Persistence Mechanisms
We have added in some additional ways to spot persistence attacks in Linux cron.
Process Stack Detection with ptrace
We are now starting to flag suspicious actions against running processes. In this release we will flag a process whose basic stack shows ptrace usage. This can help spot a process that has a debugger attached, or someone using ptrace calls to modify a process at runtime in memory. More advanced features in this area are coming as well, so stay tuned.
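As an added illustration of the kind of check described here (my own example, not Sandfly’s detection code), the snippet below inspects two procfs views of a process: the kernel stack in /proc/<pid>/stack, looking for ptrace-related frames, and the TracerPid field in /proc/<pid>/status, which names the tracing process when one is attached. Reading /proc/<pid>/stack requires root and a kernel with stack tracing enabled; the status and stack excerpts below are constructed sample text, and the frame names are chosen only to resemble real kernel symbols. The assumption that the “basic stack” in the post corresponds to /proc/<pid>/stack is mine.

```python
import re
from typing import Dict, Optional

# Constructed /proc/<pid>/status excerpts (not captured from a live system).
STATUS_TRACED = "Name:\tsshd\nState:\tt (tracing stop)\nTracerPid:\t4242\nUid:\t0\t0\t0\t0\n"
STATUS_CLEAN = "Name:\tsshd\nState:\tS (sleeping)\nTracerPid:\t0\nUid:\t0\t0\t0\t0\n"

# Constructed /proc/<pid>/stack excerpts; frame names mimic kernel symbols.
STACK_TRACED = "[<0>] ptrace_stop+0x100/0x200\n[<0>] get_signal+0x300/0x800\n[<0>] do_syscall_64+0x50/0x90\n"
STACK_CLEAN = "[<0>] do_epoll_wait+0x200/0x600\n[<0>] do_syscall_64+0x50/0x90\n"


def tracer_pid(status_text: str) -> Optional[int]:
    """Return the TracerPid value from /proc/<pid>/status text, or None if the field is absent."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return None


def ptrace_frames(stack_text: str) -> list:
    """Return kernel stack frame names that mention ptrace."""
    frames = []
    for line in stack_text.splitlines():
        # Frame lines look like "[<0>] symbol+0xoff/0xsize"; keep just the symbol.
        match = re.match(r"\[<[0-9a-fx]+>\]\s+([A-Za-z0-9_.]+)", line)
        if match and "ptrace" in match.group(1):
            frames.append(match.group(1))
    return frames


def assess_process(status_text: str, stack_text: str) -> Dict[str, object]:
    """Combine both signals into one verdict; either signal alone is enough to flag."""
    tracer = tracer_pid(status_text)
    frames = ptrace_frames(stack_text)
    return {
        "tracer_pid": tracer,
        "ptrace_frames": frames,
        "flagged": bool(tracer) or bool(frames),
    }


def read_proc(pid: int) -> Dict[str, object]:
    """Live variant for a Linux host (needs root for /proc/<pid>/stack); not used in the sample run."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as f:
        status = f.read()
    try:
        with open(f"/proc/{pid}/stack", encoding="utf-8") as f:
            stack = f.read()
    except OSError:
        stack = ""  # stack view unavailable; fall back to the TracerPid signal only
    return assess_process(status, stack)


if __name__ == "__main__":
    print("traced sample:", assess_process(STATUS_TRACED, STACK_TRACED))
    print("clean sample:", assess_process(STATUS_CLEAN, STACK_CLEAN))
```

Checking both views matters: TracerPid is visible without special privileges and catches an attached debugger, while the stack view can still reveal ptrace activity on a process that is not in a tracing stop at the moment of the read.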
Task Queue Bug Fix
In Sandfly 2.3.0 we introduced a task queue to detect when duplicate scans are being started and prevent users from doing so. Under some error conditions it was possible for the task queue entry for a host not to get cleared. This meant users could not scan the same host again, because the system thought it was still busy with the prior scan. This has been fixed.
How to Upgrade Sandfly
Sandfly is easy to upgrade. Please follow the instructions here: Upgrading Sandfly
681 Sandfly Checks and Growing
Sandfly 2.3.3 has now brought the number of compromise and incident response checks we do on Linux up to 681. We can spot a tremendous amount of Linux malware, rootkits and intruder activity without loading any agents on your endpoints. Thank you for using our product.