Sandfly founder Craig Rowland gave a presentation on evasive Linux backdoors and malware at the FIRST Cold Incident Response Conference in Oslo. The presentation is below:
Evasive Linux Backdoors and Malware Presentation
This talk focused on the infamous BPFDoor backdoor. BPFDoor combined several simple evasion techniques and traits to avoid detection on Linux:
- Process masquerading
- Anti-forensics
- Firewall bypasses
- Covert communications and encryption
- Professionally written and deployed
In this presentation we go over the elements that make for effective Linux malware and how to detect them using simple command-line forensics, such as the following:
- Discovering processes that are hiding their real names
- Anti-forensic detection
- Finding processes sniffing network traffic
- General tips and ideas to find evasive Linux malware
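As an added example (not taken from the presentation or from Sandfly's tooling), the name-hiding, anti-forensic and sniffing checks listed above can be run with /proc alone. The function names and output format are assumptions of this example; it relies only on standard Linux behaviour of /proc/PID/exe, /proc/PID/cmdline and /proc/net/packet.

```shell
#!/bin/sh
# Added example. The /proc root is a parameter so the checks can also run
# against a copied tree; pass nothing to scan the live system (as root).

# Flag processes whose binary was deleted after launch, or whose claimed
# argv[0] basename differs from the basename of the real executable.
find_suspect_names() {
    proc=${1:-/proc}
    for dir in "$proc"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        # /proc/PID/exe is set by the kernel; kernel threads have none.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        # cmdline is NUL-separated and controlled by the process itself.
        argv0=$(tr '\0' '\n' 2>/dev/null < "$dir/cmdline" | head -n 1)
        case $exe in
            *" (deleted)")
                echo "$pid deleted-binary exe=$exe claimed=$argv0"
                continue ;;
        esac
        [ -n "$argv0" ] || continue
        if [ "${argv0##*/}" != "${exe##*/}" ]; then
            echo "$pid name-mismatch exe=$exe claimed=$argv0"
        fi
    done
}

# Flag processes holding AF_PACKET sockets, which see raw frames.
find_packet_sniffers() {
    proc=${1:-/proc}
    [ -r "$proc/net/packet" ] || return 0
    # Column 9 of /proc/net/packet is the socket inode; row 1 is the header.
    awk 'NR > 1 { print $9 }' "$proc/net/packet" | while read -r inode; do
        for fd in "$proc"/[0-9]*/fd/*; do
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
            pid=${fd#"$proc"/}
            pid=${pid%%/*}
            echo "$pid packet-socket inode=$inode exe=$(readlink "$proc/$pid/exe" 2>/dev/null)"
        done
    done
}
```

Hits are leads rather than verdicts: interpreters, login shells and daemons that rewrite their title mismatch legitimately, and DHCP clients or packet capture tools hold packet sockets by design.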
We thank the organizers of the conference for having us speak.