AUTOMATING LINUX MALWARE ANALYSIS USING LIMON SANDBOX

By Monnappa K A on 13 Nov 2015 @ Blackhat
#linux #security-assessment #malware-research #dynamic-analysis #static-analysis #memory-forensics #endpoint-protection
Focus Areas: Security Operations & Defense, Application Security, Endpoint Security, Incident Response, Malware Analysis, Penetration Testing, Vulnerability Management
This talk covers the following tools that the speaker has authored or contributed to:
LIMON

Presentation Material

Abstract

A number of devices run Linux because of its flexibility and open-source nature. This has made the Linux platform a target for malware attacks, so it has become important to analyze Linux malware. Today, there is a need to analyze Linux malware in an automated way to understand its capabilities.

Limon is a sandbox developed as a research project and written in Python, which automatically collects, analyzes, and reports on the run-time indicators of Linux malware. It allows one to inspect the malware before execution, during execution, and after execution (post-mortem analysis) by performing static, dynamic and memory analysis using open-source tools. Apart from displaying the characteristics of the ELF binary, Limon analyzes the malware in a controlled environment and monitors its activities and those of its child processes to determine the nature and purpose of the malware. It determines the malware's process activity and its interaction with the file system, network and memory, and also stores the analyzed artifacts for later use, which helps in post-mortem analysis. Since Limon relies on open-source tools, it is easy for any security analyst to set up a personal sandbox to perform Linux malware analysis. The presentation will touch on the implementation details of the sandbox and will present a video demo showing the analysis of real-world Linux malware samples using Limon.

AI Generated Summary

This talk presents Limon, an automated sandbox tool for analyzing Linux malware. The research addresses the growing need for Linux threat analysis due to the operating system’s prevalence in servers, embedded systems, and critical infrastructure. Limon automates three core analysis methodologies: static analysis (examining binaries without execution), dynamic analysis (monitoring behavior in a controlled execution environment), and memory forensics (analyzing post-execution memory artifacts).

The tool integrates multiple open-source utilities, including Yara for rule-based detection, volatility for memory analysis, and system call tracers like strace and ltrace. Key features include support for various Linux file types (ELF, PHP, Python, Perl, shell scripts, and kernel modules), configurable sandbox modes (simulating services like DNS/IRC to contain threats or allowing live internet connectivity), and automated report generation. Static analysis extracts file metadata, strings, cryptographic and fuzzy hashes for variant tracking, and identifies packers or capabilities via Yara rules. Dynamic analysis logs file system changes, network connections, and system calls. Memory analysis uses volatility plugins to uncover hidden processes, network sockets, injected code, and kernel modules, providing a forensic post-mortem view.

Demonstrations with real-world samples, such as the Tsunami IRC bot and a PHP dropper (Mayhem), illustrate Limon's output. For Tsunami, analysis revealed its IRC command-and-control communication, dictionary file usage for password cracking, and flooder capabilities, all extracted from strings, system calls, and packet captures. The PHP dropper analysis showed how Limon handles script-based malware, identifying file writes and network activity. The tool consistently produces structured reports containing indicators of compromise (IP addresses, domains, file paths, hashes) and behavioral timelines.
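The static-analysis stage described two paragraphs up (header facts, strings, hashes for variant tracking, indicator matching in place of Yara rules), applied to strings like those the Tsunami analysis surfaced. This is an added example, not Limon's own code; the sample bytes and the indicator patterns are constructed for illustration.

```python
import hashlib
import re
import struct

# Constructed sample (not a real program): a minimal ELF64 little-endian
# header followed by strings of the kind seen in the Tsunami IRC bot.
SAMPLE = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8    # e_ident: 64-bit, LE, SysV ABI
    + struct.pack("<HHI", 2, 62, 1)                  # e_type=EXEC, e_machine=x86-64, e_version
    + b"\x00" * 48                                   # remaining header fields, zeroed
    + b"NICK %s\x00JOIN #chan\x00PRIVMSG\x00/usr/dict/words\x00"
    + b"203.0.113.10\x00udpflood\x00"
)
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
# Hypothetical indicator patterns standing in for Limon's Yara capability rules.
IOC_PATTERNS = {
    "irc": re.compile(r"\b(NICK|JOIN|PRIVMSG)\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "dictionary": re.compile(r"/usr/(?:share/)?dict/words"),
    "flood": re.compile(r"\w*flood\w*", re.IGNORECASE),
}

def elf_header(data):
    """Parse e_ident plus e_type/e_machine; None when the ELF magic is absent."""
    if data[:4] != b"\x7fELF" or len(data) < 24:
        return None
    cls, enc = data[4], data[5]                      # EI_CLASS, EI_DATA
    fmt = "<HHI" if enc == 1 else ">HHI"             # byte order comes from EI_DATA
    e_type, e_machine, _ = struct.unpack(fmt, data[16:24])
    return {"class": 64 if cls == 2 else 32,
            "endian": "little" if enc == 1 else "big",
            "type": ELF_TYPES.get(e_type, str(e_type)), "machine": e_machine}

def strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like the strings tool."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def static_report(data):
    """Hash for variant tracking, header facts, strings and matched indicators."""
    found = strings(data)
    hits = {name: sorted({m.group(0) for s in found for m in [rx.search(s)] if m})
            for name, rx in IOC_PATTERNS.items()}
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "elf": elf_header(data), "strings": found,
            "indicators": {k: v for k, v in hits.items() if v}}

if __name__ == "__main__":
    import json
    print(json.dumps(static_report(SAMPLE), indent=2))
```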

Practical implications include accelerating incident response by automating initial triage, enriching threat intelligence with reproducible IOCs, and enabling systematic tracking of Linux malware families through fuzzy hash comparison. Limon provides a scalable approach to analyzing diverse Linux threats,

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.