Hackers of India

The Convergence Of eBPF, Buildroot, And QEMU For Automated Linux Malware Analysis

By Nikhil Ashok Hegde on 23 Sep 2023 @ Nullcon

Presentation Material

Abstract

In recent years, malware targeting Linux-based systems has been on the rise. Malware strains range from pervasive DDoS botnets to devastating ransomware. The analysis of such malware has historically been a pain point, largely because these strains target diverse CPU architectures, which increases the cost of developing and maintaining comprehensive automated analysis systems. This talk will go over open-source technologies that can be leveraged to conduct an in-depth analysis of Linux-based malware such as Mirai, AvosLocker, and more. We will cover the principles of the extended Berkeley Packet Filter (eBPF) and how it enables tracing and observability, specifically in the context of behavioral analysis. We will look at leveraging Buildroot to build effective Linux sandbox images for various architectures and QEMU to emulate them. Lastly, we will look at the ELFEN sandbox, which was developed as an automated analysis system, and showcase the analysis of popular Linux malware families.