Hackers of India

Jugaad Beta: Linux Thread Injection malware PoC

Aseem Jakhar

2011/02/25

Abstract

Windows malware conveniently uses the CreateRemoteThread() function to delegate critical tasks to other (trusted) processes. Until now, however, there has been no API on Linux to perform such an operation. But the wait ends now for malcoders and researchers ;-) . This paper is part of ongoing research to create an API similar to CreateRemoteThread() on *nix operating systems. The PoC currently works on Linux: it allocates space inside a target process, injects an arbitrary payload into it, and executes that payload as a thread of the process.

It uses the ptrace() facility to manipulate other processes on the system. ptrace() is an API generally used by debuggers to control (debug) a program. By using the same functionality to inject code and redirect a program's flow of execution, Jugaad is able to run the payload as a thread. Another excellent tool, injectSo, injects a whole shared library into a process, but it leaves traces in the process's maps file in the form of the path of the injected library. Jugaad does not inject a library; it creates a thread, so no trace of any library appears in the maps file. It does, however, allocate memory in the process using the mmap2 system call, which shows up only as an anonymous allocated region in the maps file and reveals nothing about the injection itself.
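The abstract names the two artifacts a defender can still observe: the anonymous executable region the mmap2 call leaves in /proc/&lt;pid&gt;/maps, and the ptrace attachment itself, which the kernel exposes as the TracerPid field of /proc/&lt;pid&gt;/status. The following script is an added example written for this page, not code from the Jugaad project or the paper. It parses maps lines, flags executable regions that have no backing file (ignoring the kernel's own [vdso] and [vsyscall] pseudo-mappings) or that are writable and executable at once, and reads TracerPid. The maps and status text embedded below are constructed sample data, not captured from a real host; the region at 7f3c2a000000 is the constructed "injected" one.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a /proc/<pid>/maps file (not captured from a real host).
# The fifth line is an anonymous rwx region of the kind an mmap-based injector leaves behind.
SAMPLE_MAPS = """\
00400000-0040c000 r-xp 00000000 08:01 1234567 /usr/bin/sleep
0060b000-0060c000 r--p 0000b000 08:01 1234567 /usr/bin/sleep
0060c000-0060d000 rw-p 0000c000 08:01 1234567 /usr/bin/sleep
01a2b000-01a4c000 rw-p 00000000 00:00 0 [heap]
7f3c2a000000-7f3c2a001000 rwxp 00000000 00:00 0
7f3c2a1b3000-7f3c2a35a000 r-xp 00000000 08:01 2345678 /lib/x86_64-linux-gnu/libc-2.31.so
7ffd5e8e1000-7ffd5e902000 rw-p 00000000 00:00 0 [stack]
7ffd5e95f000-7ffd5e961000 r-xp 00000000 00:00 0 [vdso]
"""

# Constructed sample of /proc/<pid>/status for a process that is currently being traced.
SAMPLE_STATUS = (
    "Name:\tsleep\nState:\tt (tracing stop)\nTgid:\t4242\nPid:\t4242\n"
    "PPid:\t1\nTracerPid:\t31337\n"
)

# Kernel-provided pseudo-mappings that are legitimately anonymous and executable.
KERNEL_EXEC_PSEUDO = {"[vdso]", "[vsyscall]"}

# start-end perms offset dev inode [path]; the path is absent for anonymous mappings.
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+[0-9a-f]+\s+"
    r"[0-9a-f]+:[0-9a-f]+\s+\d+\s*(.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str  # empty string for anonymous mappings


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    maps = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue  # skip anything that is not a maps line
        start, end, perms, path = m.groups()
        maps.append(Mapping(int(start, 16), int(end, 16), perms, path.strip()))
    return maps


def suspicious_exec_regions(maps: List[Mapping]) -> List[Mapping]:
    """Return executable regions with no backing file (kernel pseudo-maps excluded)
    and any region that is writable and executable at the same time."""
    flagged = []
    for m in maps:
        executable = "x" in m.perms
        writable = "w" in m.perms
        anonymous = m.path == "" or (
            m.path.startswith("[") and m.path not in KERNEL_EXEC_PSEUDO
        )
        if executable and (anonymous or writable):
            flagged.append(m)
    return flagged


def tracer_pid(status_text: str) -> Optional[int]:
    """Return the TracerPid field of /proc/<pid>/status (0 = not traced), or None if absent."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return None


def scan_process(pid: int) -> dict:
    """Read the live /proc entries for pid (Linux only; needs permission on that pid)."""
    with open(f"/proc/{pid}/maps") as f:
        maps = parse_maps(f.read())
    with open(f"/proc/{pid}/status") as f:
        tracer = tracer_pid(f.read())
    return {"pid": pid, "tracer_pid": tracer, "suspicious": suspicious_exec_regions(maps)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = scan_process(int(sys.argv[1]))
    else:  # offline demo on the constructed sample data
        report = {
            "pid": 4242,
            "tracer_pid": tracer_pid(SAMPLE_STATUS),
            "suspicious": suspicious_exec_regions(parse_maps(SAMPLE_MAPS)),
        }
    print(f"pid {report['pid']}: TracerPid={report['tracer_pid']}")
    for m in report["suspicious"]:
        print(f"  suspicious: {m.start:x}-{m.end:x} {m.perms} {m.path or '<anonymous>'}")
```

Run with no arguments to see the offline demo, or with a PID to inspect a live process. Treat a hit as a triage signal rather than proof: JIT runtimes and some loaders legitimately create anonymous executable regions, and TracerPid is non-zero for any debugged process, so both checks are best combined with a baseline of what the host's processes normally look like.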