Using Command Line Tools to Find Process Masquerading Linux Malware

Malware Rootkits Linux Security Linux Forensics

February 27, 2019
The Sandfly Security Team

In this video Sandfly founder Craig Rowland goes over the basics behind using command line tools on Linux to look into a suspicious process. You’ll learn how to start a benign process and have it masquerade to hide what it is like malware (process masquerading). Then, we’ll use basic tools to look at the process under the /proc filesystem to see where it really is located and how it was started at the command line. The techniques in this video are also on our Linux command line forensics cheat sheet.

The commands used in this video are referenced below.

Process Masquerading Setup

Setup a benign process to run in a way that mimics common Linux malware by masquerading what it is. In this case we use the simple system sleep command but rename it as cron before running it:

export PATH=.:$PATH
cd /tmp
cp /bin/sleep cron
cron 3600 &

The export PATH statement makes the command in the immediate directory run without needing to add a “./” in front of it. Then we cd to /tmp which is an extremely common location for malicious activity on Linux. We next copy the system /bin/sleep command to something named cron under /tmp. Finally, we run our new “cron” command with 3600 as the argument. Since this is really a sleep command it will simply wait for 3600 seconds (an hour) before exiting.

The above mimics malware in the following ways:

  1. It’s a memory resident binary running from /tmp

  2. The current working directory will also be /tmp which is also suspicious for a system binary to be doing.

  3. It’s a process masquerading as a system process with a similar name but not in a system directory.

Process Masquerading Basic Forensic Investigation

Commands used to view process start-up basics (strings or cat versions):

strings /proc/<PID>/comm
cat /proc/<PID>/comm

Display the full command line used with the process:

strings /proc/<PID>/cmdline
cat /proc/<PID>/comm

View a link where the binary is located on the filesystem:

ls -al /proc/<PID>/exe

This is an ongoing series of basic command line forensics for Linux. Please subscribe to see more.

Let Sandfly keep your Linux systems secure.

Learn More