Sandfly founder Craig Rowland recently spoke at the Oslo Cold Incident Response Conference on evasive Linux malware. Although talks were not recorded, he made a video of the presentation he gave below.

This talk focused on the infamous BPFDoor backdoor. BPFDoor used a combination of simple evasion techniques to avoid detection on Linux by doing the following:

• Process masquerading

• Anti-forensics

• Firewall bypasses

• Covert communications and encryption

• Professionally written and deployed

In this presentation we go over the elements that make for effective Linux malware and how to detect it using simple command line forensics.

We thank the organizers of the conference for having us speak.