Abstract

Windows malware conveniently uses the CreateRemoteThread() api to delegate critical tasks inside of other processes. However till now there is no API on Linux to perform such operation. This paper talks about my research on creating an API similar to createRemoteThread() on *nix OSes. The aim of the research is to show how a simple debugging functionality in *nix oses can be exploited by a malware to hide itself and delegate(inject) the critical(malicious) operation to an innocent process. The Proof of concept toolkit code named “Jugaad” currently works on Linux, allocates space inside a process and injects and executes arbitrary payload as a thread into that process. It utilizes the ptrace() functionality to manipulate other processes on the system. ptrace() is an API generally used by debuggers to manipulate(debug) a program. The talk will conclude with options for protecting against any such kind of attacks.