Aleksander Czarnowski AVET Information and Network Security
If you look at the CERT/CC annual report for the year 2001 you might be surprised. Of the six most common intruder activities, five are network and email worms. The only remaining type of activity is a remotely exploitable buffer overflow in older versions of BIND. If you look at the February 2002 issue of Virus Bulletin you will find an analysis of the RST virus and backdoor (see
This paper will inspect possible infection vectors on Unix systems and present the problems of detecting and analysing malware found in the wild. The scenario used in the paper presumes that the system has been compromised before our analysis begins. I will describe features available on many Unix systems, such as Loadable Kernel Modules (LKM) and the stealth techniques used to hide an intruder's presence, the ELF file format, and the common local and remote vulnerabilities used by malware such as worms and rootkits. Further, I will describe different methods of detecting infection and the problems involved in rootkit disinfection. This paper also discusses the use of polymorphism in exploit code to make detection of attacks at the network level much more difficult. Last but not least, I will inspect the security (and its pitfalls) of chroot environments from the malware perspective.
Part of the material presented comes from real-life incidents that have happened during the last year.