Sandfly founder Craig Rowland recently spoke at the Oslo Cold Incident Response Conference on evasive Linux malware. Although the talks were not recorded, he made a video of the presentation he gave, which is available below.
This talk focused on the infamous BPFDoor backdoor. BPFDoor used a combination of simple techniques to avoid detection on Linux:
Process masquerading
Anti-forensics
Firewall bypasses
Covert communications and encryption
Professionally written and deployed
In this presentation we go over the elements that make for effective Linux malware and how to detect it using simple command line forensics.
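As an added example of the kind of simple command line forensics the talk refers to (this script is not from the presentation or from Sandfly), the POSIX shell function below looks for process masquerading: it compares the name a process reports about itself (/proc/PID/comm and argv[0] in /proc/PID/cmdline, both of which a process can rewrite) against the executable the kernel actually mapped for it (/proc/PID/exe, which it cannot). It assumes a Linux procfs layout; the fake proc tree and file names used for testing are constructed.

```shell
#!/bin/sh
# Added example, not code from the talk. Flags processes whose self-reported
# name disagrees with the kernel's /proc/PID/exe link.
# Assumption: /proc/PID/exe is authoritative; comm and argv[0] are attacker-
# controlled and are what malware edits to look like a system daemon.

# Usage: find_masquerading [PROC_ROOT]
# Prints "PID comm argv0 exe" for every mismatch. PROC_ROOT defaults to /proc;
# a directory with the same layout can be passed for offline testing.
find_masquerading() {
    proc_root="${1:-/proc}"
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        # Kernel threads and zombies have no readable exe link: skip them.
        exe="$(readlink "$d/exe" 2>/dev/null)" || continue
        [ -n "$exe" ] || continue
        # A binary that was unlinked after start shows "(deleted)"; drop the
        # suffix so the name comparison still works (the deletion itself is a
        # separate anti-forensics lead worth noting).
        exe="${exe% (deleted)}"
        exe_base="${exe##*/}"
        # comm is truncated by the kernel to 15 characters (TASK_COMM_LEN - 1),
        # so compare against the same prefix to avoid false positives.
        exe_comm="$(printf '%.15s' "$exe_base")"
        comm="$(cat "$d/comm" 2>/dev/null)"
        argv0="$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)"
        argv0_base="${argv0##*/}"
        if [ "$comm" != "$exe_comm" ] || [ "$argv0_base" != "$exe_base" ]; then
            printf '%s %s %s %s\n' "$pid" "$comm" "$argv0" "$exe"
        fi
    done
}

# Run directly with "--scan [PROC_ROOT]" to scan a live system.
if [ "${1:-}" = "--scan" ]; then
    find_masquerading "${2:-/proc}"
fi
```

Interpreted scripts (exe is the interpreter, comm is the script name) and symlinked binaries such as sh pointing at dash will also show up, so treat each hit as a lead to corroborate with the process's open sockets, working directory and on-disk binary rather than as a verdict.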
We thank the organizers of the conference for having us speak.