Malware memory analysis of the Jynx2 Linux rootkit (Part 1) – Investigating a publicly available Linux rootkit using the Volatility memory analysis framework

Authors
  1. Carbone, R.
Corporate Authors
Defence Research and Development Canada, Valcartier Research Centre, Quebec QC (CAN)
Abstract
This report is the second in a series examining Linux-specific, Volatility-based techniques for malware memory analysis; Windows-based malware memory analysis techniques were covered in a previous series. Some of the techniques described in those Windows reports, including data carving and anti-virus scanning, do not carry over to Linux-based analyses. Thus, with minimal reliance on scanner-based tools, the author demonstrates what to look for when conducting Linux-specific Volatility investigations. Each investigation consists of an infected memory image and its accompanying Volatility memory profile, and each examines a different open source rootkit; some of the rootkits are user-land while others are kernel-based. Rootkits were chosen over Trojans, worms and viruses because rootkits tend to be more sophisticated. This investigation examines the Jynx2 rootkit and is broken into two parts. The first examines a system infected with Jynx2 on which no new process has yet loaded the infected library (the rootkit itself), while the second examines a system completely infected by Jynx2. Through the proper application of various Volatility plugins combined with an in-depth knowledge of the Linux operating system, these case studies are intended to provide guidance to other investigators in their own analyses.
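The catalogue page does not reproduce any of the report's Volatility output, so the following is an added example, not the author's code or anything taken from the report, of the kind of triage the abstract describes: distinguishing processes that have the rootkit's shared library mapped from those started before it was installed and therefore still running without it. It assumes the library is injected into each new process the way a preload library rootkit works, and that the investigator has saved the text output of Volatility 2's `linux_library_list` plugin. The sample output, process names, load addresses and the path `/var/tmp/.cache/libfake.so` are constructed for this example; the column layout only approximates that plugin's text output, and `TRUSTED_LIB_DIRS` is an assumption to tune for the distribution under investigation.

```python
import re
from collections import defaultdict

# Directories from which a legitimately installed shared object is expected to
# load. This is an assumption for the example; adjust it to the target system.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed sample approximating the text output of Volatility 2's
# linux_library_list plugin (columns: Task, Pid, Load Address, Path).
# Every process, address and the path /var/tmp/.cache/libfake.so is invented
# for this example and is not taken from the report.
SAMPLE_OUTPUT = """\
Volatility Foundation Volatility Framework 2.4
Task             Pid      Load Address       Path
---------------- -------- ------------------ ----
init             1        0x00007f3a1c2c0000 /lib/x86_64-linux-gnu/libc.so.6
init             1        0x00007f3a1c4e0000 /lib64/ld-linux-x86-64.so.2
sshd             845      0x00007f8e2b1a0000 /lib/x86_64-linux-gnu/libc.so.6
sshd             845      0x00007f8e2b3c0000 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
bash             1337     0x00007f5c30a00000 /var/tmp/.cache/libfake.so
bash             1337     0x00007f5c30c20000 /lib/x86_64-linux-gnu/libc.so.6
ls               1402     0x00007fd1a0100000 /var/tmp/.cache/libfake.so
ls               1402     0x00007fd1a0320000 /lib/x86_64-linux-gnu/libc.so.6
"""

# One data row: task name, numeric pid, hex load address, mapped path.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s*$")


def parse_library_list(text):
    """Return {pid: {"task": name, "libs": set(paths)}} from plugin-style text.

    Banner, header and separator lines do not match LINE_RE and are skipped."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        task, pid, _addr, path = m.groups()
        entry = procs.setdefault(int(pid), {"task": task, "libs": set()})
        entry["libs"].add(path)
    return procs


def untrusted_libraries(procs):
    """Map each shared object loaded from outside TRUSTED_LIB_DIRS to the pids mapping it.

    A shared object that lives outside the normal library directories and is
    mapped into unrelated processes is the first thing to chase down."""
    hits = defaultdict(set)
    for pid, entry in procs.items():
        for path in entry["libs"]:
            if not path.startswith(TRUSTED_LIB_DIRS):
                hits[path].add(pid)
    return dict(hits)


def infection_coverage(procs, library):
    """Split pids into those that have `library` mapped and those that do not.

    With a preload library, only processes started after the library was
    installed pick it up; long-running processes started earlier keep running
    without it. The second list is therefore the set of processes not yet
    replaced by an infected one."""
    infected = sorted(pid for pid, e in procs.items() if library in e["libs"])
    clean = sorted(pid for pid, e in procs.items() if library not in e["libs"])
    return infected, clean


if __name__ == "__main__":
    procs = parse_library_list(SAMPLE_OUTPUT)
    for path, pids in untrusted_libraries(procs).items():
        infected, clean = infection_coverage(procs, path)
        print(f"{path}: mapped in {len(infected)} of {len(procs)} processes")
        print("  infected:", [(pid, procs[pid]["task"]) for pid in infected])
        print("  without: ", [(pid, procs[pid]["task"]) for pid in clean])
```

In practice the input would come from a run such as `vol.py -f image.lime --profile=<LinuxProfile> linux_library_list > libs.txt`, with the profile name replaced by the one built for the imaged kernel; on an image like the one Part 1 describes, the untrusted-library set would be empty or confined to the process that installed the rootkit, and on a fully infected image nearly every recently started process would appear in the infected list.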

A summary in French is also available.

Keywords
anti-virus;antivirus;computer forensics;computer infection;computer memory forensics;digital forensics;digital memory forensics;forensics;infection;Jynx2;Linux;malware;memory analysis;memory forensics;memory image;rootkit;scanners;virus scanner;volatility
Report Number
DRDC-RDDC-2014-R176 — Scientific Report
Date of publication
01 Oct 2014
Number of Pages
106
DSTKIM No
CA039821
CANDIS No
800829
Format(s):
Electronic Document(PDF)
