Sandfly founder Craig Rowland gave a presentation for the FIRST Cold Incident Response Conference in Oslo on evasive Linux backdoors and malware below:

Evasive Linux Backdoors and Malware Presentation

This talk focused on the infamous BPFDoor backdoor. BPFDoor used a combination of simple evasion techniques to avoid detection on Linux by doing the following:

• Process masquerading

• Anti-forensics

• Firewall bypasses

• Covert communications and encryption

• Professionally written and deployed

In this presentation we go over the elements that make for effective Linux malware and how to detect them using simple command line forensics such as the following:

• Discovering processes that are hiding their real names

• Anti-forensic detection

• Finding processes sniffing network traffic

• General tips and ideas to find evasive Linux malware

We thank the organizers of the conference for having us speak.