The Convergence Of eBPF, Buildroot, And QEMU For Automated Linux Malware Analysis

By Nikhil Ashok Hegde on 23 Sep 2023 @ Nullcon
📊 Presentation 📹 Video 🔗 Link
#malware-detection #linux #dynamic-analysis #sandbox #reverse-engineering
Focus Areas: 🛡️ Security Operations & Defense, 🔍 Application Security, 💻 Endpoint Security, 🦠 Malware Analysis

Presentation Material

Abstract

In recent years, malware targeting Linux-based systems has been on the rise. Malware strains range from pervasive DDoS botnets to devastating ransomware. The analysis of such malware has historically been a pain point. Much is attributed to the fact that they target diverse architectures, thereby increasing the costs of developing and maintaining comprehensive automated analysis systems. This talk will go over open-source technologies that can be leveraged to conduct an in-depth analysis of Linux-based malware such as Mirai, AvosLocker, and more. We will cover the principles of the extended Berkeley Packet Filter (eBPF) and how it enables tracing and observability, specifically in the context of behavioral analysis. We will look at leveraging Buildroot to develop effective Linux sandboxes for various architectures and QEMU for emulating them. Lastly, we will look at the ELFEN sandbox which was developed as an automated analysis system, and showcase the analysis of popular Linux malware families.

AI Generated Summary

The talk addresses the challenge of analyzing Linux malware targeting diverse architectures (e.g., MIPS, PowerPC, ARM), where traditional dynamic analysis tools are less common than for Windows. It presents an open-source toolchain for automating this analysis.

The core technologies are eBPF (extended Berkeley Packet Filter) and Buildroot. eBPF enables safe, kernel-level runtime tracing via probes (Kprobes, Kretprobes) and tracepoints, allowing observation of system calls and kernel events without modifying kernel code. Buildroot generates lightweight, customizable Linux images for specific target architectures, which can be emulated. These images can be modified to include debug filesystems or necessary libraries.

These components are integrated into ELFEN, an open-source sandbox for Linux malware analysis. ELFEN combines static analysis (ELF header inspection, YARA rules, Capa) with dynamic analysis using the lightweight eBPF-based tracer ply. It supports multiple architectures, automatically injects target-specific files (e.g., ESXi paths for x86_64 ransomware), and generates reports with behavioral detectors, file/process/network event logs, and memory dumps. Reports include scoring for static and behavioral detections and allow download of dropped files.
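To make the "behavioral detectors over file/process/network event logs" idea concrete, here is an added example (not code from the talk, from ply, or from the ELFEN project) that runs three simple detectors over a syscall trace of the kind a kernel tracer can emit. The trace line format (`pid comm syscall args...`) and the sample trace itself are constructed for this example; the detector names, weights and thresholds are likewise assumptions chosen for illustration, not ELFEN's rules or scoring.

```python
"""Behavioral detectors over a syscall event trace, as a sandbox report stage.

The line format below is constructed for this example and is NOT the output
format of ply or of the ELFEN sandbox.  Each line is:
    <pid> <comm> <syscall> [<arg> ...]
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample trace: a dropper writes a payload and executes it; the
# payload then renames user files with one appended suffix and fans out TCP
# connections to several hosts on a single port.
SAMPLE_TRACE = """\
101 dropper openat /tmp/.x/payload
101 dropper write /tmp/.x/payload
101 dropper execve /tmp/.x/payload
102 payload openat /home/user/docs/a.txt
102 payload rename /home/user/docs/a.txt /home/user/docs/a.txt.locked
102 payload rename /home/user/docs/b.txt /home/user/docs/b.txt.locked
102 payload rename /home/user/docs/c.txt /home/user/docs/c.txt.locked
102 payload connect 10.0.0.1:23
102 payload connect 10.0.0.2:23
102 payload connect 10.0.0.3:23
102 payload connect 10.0.0.4:23
"""

# Syscall families used to split the trace into the three event logs.
FILE_SYSCALLS = {"openat", "write", "rename", "unlink"}
PROC_SYSCALLS = {"execve", "fork", "clone"}
NET_SYSCALLS = {"connect", "bind", "sendto"}


@dataclass
class Report:
    file_events: list = field(default_factory=list)
    process_events: list = field(default_factory=list)
    network_events: list = field(default_factory=list)
    detections: list = field(default_factory=list)  # (name, weight) pairs

    @property
    def score(self) -> int:
        """Behavioral score: sum of the weights of all detectors that fired."""
        return sum(weight for _, weight in self.detections)


def parse_trace(text):
    """Parse constructed trace lines into (pid, comm, syscall, args) tuples.

    Malformed lines are skipped so one bad line does not abort the report."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        pid, comm, syscall, *args = parts
        events.append((int(pid), comm, syscall, args))
    return events


def detect_drop_and_execute(events):
    """Flag execution of a file the sample itself wrote earlier in the trace."""
    written = set()
    for _, _, syscall, args in events:
        if syscall == "write" and args:
            written.add(args[0])
        elif syscall == "execve" and args and args[0] in written:
            return ("drop_and_execute:" + args[0], 40)  # weight is an assumption
    return None


def detect_mass_rename(events, threshold=3):
    """Flag many renames that append the same suffix (ransomware-like)."""
    suffix_counts = defaultdict(int)
    for _, _, syscall, args in events:
        if syscall == "rename" and len(args) == 2 and args[1].startswith(args[0]):
            suffix_counts[args[1][len(args[0]):]] += 1
    for suffix, count in suffix_counts.items():
        if count >= threshold:
            return (f"mass_rename_suffix:{suffix}", 30)
    return None


def detect_connection_fanout(events, threshold=4):
    """Flag connects to many distinct hosts on one port (scanner/botnet-like)."""
    hosts_by_port = defaultdict(set)
    for _, _, syscall, args in events:
        if syscall == "connect" and args and ":" in args[0]:
            host, port = args[0].rsplit(":", 1)
            hosts_by_port[port].add(host)
    for port, hosts in hosts_by_port.items():
        if len(hosts) >= threshold:
            return (f"connection_fanout:port_{port}:{len(hosts)}_hosts", 20)
    return None


DETECTORS = [detect_drop_and_execute, detect_mass_rename, detect_connection_fanout]


def analyze(text):
    """Split the trace into event logs and run every detector over it."""
    events = parse_trace(text)
    report = Report()
    for event in events:
        syscall = event[2]
        if syscall in FILE_SYSCALLS:
            report.file_events.append(event)
        elif syscall in PROC_SYSCALLS:
            report.process_events.append(event)
        elif syscall in NET_SYSCALLS:
            report.network_events.append(event)
    for detector in DETECTORS:
        hit = detector(events)
        if hit:
            report.detections.append(hit)
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_TRACE)
    for name, weight in result.detections:
        print(f"{weight:3d}  {name}")
    print("score:", result.score)
```

Each detector works on the ordered event stream rather than on isolated syscalls, which is what a kernel-side tracer gives you and what makes "wrote a file, then executed it" distinguishable from two unrelated events. Thresholds are the knobs to tune per architecture image: a scanner bot on a MIPS router image will trip the fan-out rule quickly, while a benign package manager will not.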

Practical implications include a scalable, Dockerized system for analyzing multi-architecture Linux malware. The current implementation uses a minimal tracer (ply) and has limited detection rules, with future work planned to add MITRE ATT&CK mapping, network capabilities in Buildroot images, and support for more architectures. The tools aim to lower the barrier for systematic Linux malware analysis across embedded and server environments.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.