Advanced Linux Server-Side Threats: How they work and what you can do about them
Server-side malware has evolved. Attackers used to be motivated by defacement or direct damage, using small-scale and targeted operations. Nowadays we are seeing an increase in organized crimeware campaigns that leverage compromised Linux servers for financial gain, through website redirections that infect end users and through spam. Furthermore, malicious gangs base their operation's infrastructure on these same compromised servers, making takedown or law enforcement intervention complex, since the servers also run legitimate workloads.
This presentation will cover the evolution of financially motivated Linux malware and will describe the threats that were part of Operation Windigo, which affects more than 25 000 servers. We will give in-depth technical details on the pieces of malware involved, show how they are deployed by the operators and how they are able to defeat current defensive technologies. More importantly, we will describe hands-on detection and incident response tricks to quickly assess one's servers and help in the fight.
Coming from the dusty Unix server room world, Olivier evolved professionally through networking, information security and open source software development to become a malware researcher at ESET. He likes to do memory forensics on infected servers, reverse engineer obfuscated Perl scripts and brew beer. He is interested in bringing more openness to the malware research field by releasing elaborate indicators of compromise (IOC) and code created as part of our research on GitHub. He has spoken at Defcon, OWASP Montreal and Hackfest, and lectures on information security at ETS in Montreal, Canada. He also drives the NorthSec Hacker Jeopardy and co-organizes the MontreHack capture-the-flag training initiative.