Linux Malware Detection with LimaCharlie

At Lab539 we do a lot of work with Linux. Following our principle of "making the known easy", we're sharing a free public version of a LimaCharlie lookup containing known-bad Linux malware hashes. The list is refreshed hourly and can be queried directly from detection rules inside LimaCharlie.

You’ll find the lookup in the lookups section of the “Add-ons”: https://app.limacharlie.io/add-ons/category/lookup

Hit the "Subscribe" button to enable the lookup for your organisation.

Then you need to create detections which use it. The snippet below is the detect portion of a LimaCharlie D&R rule: it matches whenever a NEW_PROCESS, EXISTING_PROCESS or CODE_IDENTITY event has an event/HASH value present in the list of known Linux malware. EXISTING_PROCESS is included so that a process already running when the sensor starts is still caught. Pair it with a respond section (for example a report action) so that a match is actually raised as a detection:

events:
  - NEW_PROCESS
  - EXISTING_PROCESS
  - CODE_IDENTITY
op: lookup
path: event/HASH
resource: lcr://lookup/linux-malware-hashes

How Do I Test That It Is Working?

Obviously we wouldn't advise running malware on your machines to check that your rules work. Instead, you are welcome to use the test binary that we use ourselves. Its SHA-256 hash is 94e4a7b630559b6f7de2997cce39cb8d9ecc15139e245e5a978ca78b2b4927aa, and we have included that hash in the lookup. The binary is very simple and safe: it just prints a string to the screen. The C code for it is here:

#include <stdio.h>

int main() {
    /* Prints a fixed marker string; the UUID makes the run easy to spot in logs. */
    printf("Lab539 test script for Linux malware detection 2f247c79-67de-48e4-8f0b-75449292e728\n");
    return 0;
}

Whilst you can have a go at compiling it yourself, you'll end up with a different hash from the one in the lookup: a different compiler, library versions or build flags produce a different binary, and so a different SHA-256, which will not match. Instead, download the prebuilt copy linked from this post (it's compiled for x86_64 on a CentOS 7 system).

Once downloaded, first confirm that the SHA-256 of the file matches 94e4a7b630559b6f7de2997cce39cb8d9ecc15139e245e5a978ca78b2b4927aa; if it doesn't, the lookup has nothing to match and you won't get any hits, and you shouldn't be running an unverified binary anyway. Then chmod 750 the binary and execute it on a host with a LimaCharlie sensor, and the rule above should fire on the resulting NEW_PROCESS or CODE_IDENTITY event.
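As an added example (not part of the original Lab539 post), the test procedure as a small POSIX shell script: it computes the SHA-256 of the downloaded file, refuses to run it unless the hash equals the published value, and otherwise sets mode 750 and executes it. The function names and the script name are this example's own; the only value taken from the post is the expected hash.

```shell
#!/bin/sh
# check_test_binary.sh (added example, not from the Lab539 post):
# verify the Lab539 test binary's SHA-256 before running it, so a mismatched
# or tampered download is never executed and you know in advance whether the
# LimaCharlie lookup can possibly produce a hit.

# SHA-256 of the Lab539 test binary, as published in the post.
EXPECTED_SHA256="94e4a7b630559b6f7de2997cce39cb8d9ecc15139e245e5a978ca78b2b4927aa"

# Print the lowercase hex SHA-256 of a file. Prefers sha256sum (coreutils)
# and falls back to shasum (present on macOS and most BSDs).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 if FILE hashes to EXPECTED, 1 otherwise. The comparison is
# case-insensitive so a hash pasted in upper case still matches.
verify_hash() {
  actual=$(sha256_of "$1" | tr 'A-Z' 'a-z')
  wanted=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$actual" = "$wanted" ]
}

# Verify FILE against EXPECTED (default: the published hash), then chmod 750
# and execute it. Returns 2 if the file is missing and 1 on a hash mismatch,
# without running anything in either case.
verify_and_run() {
  file=$1
  want=${2:-$EXPECTED_SHA256}
  if [ ! -f "$file" ]; then
    echo "no such file: $file" >&2
    return 2
  fi
  if ! verify_hash "$file" "$want"; then
    echo "sha256 mismatch for $file: got $(sha256_of "$file"), want $want" >&2
    return 1
  fi
  chmod 750 "$file"
  # Run by path so a bare filename is not resolved through $PATH.
  case $file in
    */*) "$file" ;;
    *)   "./$file" ;;
  esac
}

# Usage: ./check_test_binary.sh /path/to/downloaded-test-binary
if [ "$#" -ge 1 ]; then
  verify_and_run "$@"
fi
```

Checking the hash before execution matters here for two reasons: the whole point of the test is that this exact hash is in the lookup, so a mismatch means the rule cannot fire, and a file that does not hash to the published value is not the file you intended to run.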
