
Interview: MalwareMustDie and their Linux malware research

[Category: Systems (Linux) | Posted by 店小二04 | 2016 | Author: 红领巾]
linux malware, research, and more

With great pleasure, we interviewed unixfreakjp. He is the leader and founder of the malware research group MalwareMustDie. We want to learn about their activities, Linux malware, and useful skills for security professionals. Keep reading!


About the MalwareMustDie organization

So, for those who have never heard about MalwareMustDie, can you tell us who you are?

As stated on our web site, MalwareMustDie is a white-hat anti-cybercrime security research workgroup. Launched in August 2012, it is a non-profit organization and media outlet for security professionals and researchers who gathered to form a workflow to reduce malware infection on the internet. We work to raise malware awareness by sharing general information on malware infection schemes and trends with common users, helping security vendors and public automated malware scanning/decoding tools by providing in-depth decode analysis of recent malware infection frameworks, and working with legal authorities to take down malware domains and on further threat intelligence.

We aim to establish good relationships vertically with authorities, and horizontally with fellow researchers and security entities, so that cooperation can be enlisted in dismantling domains that host malware and its infectors on the internet.

Why do you work for free? What is there to gain?

We work as a non-profit "organization"; it can hardly be called a company. All of us are mostly employees or engineers with day-job duties related to network and internet administration or the security profession. The organization does not receive any income, and operating costs are paid out of the involved members' own money.

Can you tell us a little bit about the MMD team? How big is it?

We have maintained a steady number of around 30 members; with supporters included, it is around 60 people right now.

Linux malware

We typically hear that there aren't viruses for Linux. Seeing the samples collected on websites like Packet Storm Security, we know there is quite some malicious software around. What type of malware do you encounter?

Malware or viruses on Linux have existed for a long time. Ten years ago, it was not as popular as Windows malware. But things changed in 2012, when the abuse of Linux through infection of unattended Linux devices started. Since then we have seen a complete series of types: backdoors, rootkits, hacking tools (scanners, bruters, etc.), spam tools, exploit distribution tools, ransomware, botnet kits (via IRC or other protocols), and traffic DoS attack malware tools.

Do you see any trend suggesting that malicious software on Linux has been increasing over the last years? What about ransomware for Linux; does that show up now?

Each time the security community announces a new Linux (or Unix) service-related vulnerability, the Linux malware trend and infection rate rises. For example: during Shellshock, the phpMyAdmin (PMA) vulnerabilities, the Apache Struts vulnerabilities, various OpenSSL vulnerabilities that lead to illegal authentication, and now the IoT factory credential setting flaw, all of these raised Linux malware infection and distribution on the affected systems.

Ransomware is "booming" in the cybercrime business. There are various types of Linux ransomware that encrypt website data or server data now, since coding an encoder or encrypter program is not difficult at all. For cybercrime, ransomware is always high in profit and low in risk compared to real-life extortion or ransom crime; most of the professional cyber mafia are in this "business" now.

The thing is that Linux is based on open source, so dissecting ransomware on Linux is only a matter of time. You just cannot mess with Linux/UNIX system administrators; for years they have been the ones ready with backups, images and more savvy solutions to prevent any of their services going down.

When someone finds a piece of malware on their machine, they can upload it to your website. What happens with the samples?

We analyze each sample, every one of them. Then we check whether the protection layer, i.e. antivirus or other signatures (IDS, YARA, etc.), already covers it, and then we go deeper into the uncovered ones. When it comes to unknown malware aiming at a public level of threat, we post the awareness on our blog. Sensitive cases like APT, for example, we don't expose at all.
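The triage step described in that answer (hash each sample, ask whether existing signatures already cover it, and send only the uncovered ones for deeper analysis), as an added illustration that is not MalwareMustDie's own tooling and not code from the original article. The sample bytes, the "already covered" hash list and the YARA-style string rules below are all constructed for the example; the ELF-header check is included because the samples under discussion are Linux binaries, and it reads only the `EI_DATA` byte and the `e_machine` field from the real ELF header layout.

```python
import hashlib
import struct

# Simplified stand-in for a YARA-style rule set: rule name -> byte strings that
# must all be present. Constructed for this example; not real signatures.
SIGNATURES = {
    "irc_bot_strings": [b"PRIVMSG", b"NICK "],
    "ssh_bruter_strings": [b"/etc/passwd", b"root:"],
}

ELF_MAGIC = b"\x7fELF"
# Subset of e_machine values from the ELF specification.
E_MACHINE = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def elf_info(data: bytes):
    """Return (is_elf, arch) by reading EI_DATA (offset 5) and e_machine (offset 18)."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return False, None
    fmt = "<H" if data[5] == 1 else ">H"  # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_machine,) = struct.unpack(fmt, data[18:20])
    return True, E_MACHINE.get(e_machine, "unknown(0x%x)" % e_machine)


def match_signatures(data: bytes):
    """Names of rules whose byte strings all occur in the sample."""
    return [name for name, needles in SIGNATURES.items() if all(n in data for n in needles)]


def triage(samples: dict, covered_hashes: set) -> dict:
    """Classify each sample as already covered (by hash or by signature) or as
    needing deeper analysis, following the workflow described in the interview."""
    results = {}
    for name, data in samples.items():
        digest = sha256(data)
        is_elf, arch = elf_info(data)
        hits = match_signatures(data)
        if digest in covered_hashes:
            status = "covered-by-hash"
        elif hits:
            status = "covered-by-signature"
        else:
            status = "needs-deeper-analysis"
        results[name] = {"sha256": digest, "elf": is_elf, "arch": arch,
                         "signatures": hits, "status": status}
    return results


def needs_deeper(results: dict):
    """Sorted names of the samples nothing in the existing protection layer covers."""
    return sorted(n for n, r in results.items() if r["status"] == "needs-deeper-analysis")


def fake_elf(e_machine: int, little_endian: bool = True, payload: bytes = b"") -> bytes:
    """Build a 64-byte ELF64 header-shaped blob (not a loadable binary) plus payload."""
    end = "<" if little_endian else ">"
    ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack(end + "HHI", 2, e_machine, 1)  # e_type, e_machine, e_version
    return header.ljust(64, b"\x00") + payload


# Constructed samples standing in for user uploads.
SAMPLES = {
    "irc_bot_arm":   fake_elf(0x28, payload=b"NICK bot\r\nPRIVMSG #chan :up\r\n"),
    "known_bruter":  fake_elf(0x3E, payload=b"/etc/passwd\x00root:\x00"),
    "unknown_mips":  fake_elf(0x08, little_endian=False, payload=b"\x00" * 32),
    "shell_dropper": b"#!/bin/sh\ncd /tmp; chmod +x ./bot; ./bot\n",
}
# Hash coverage list: pretend the bruter is already known to the AV layer.
COVERED_HASHES = {sha256(SAMPLES["known_bruter"])}

if __name__ == "__main__":
    report = triage(SAMPLES, COVERED_HASHES)
    for name, r in report.items():
        print(f"{name:14} elf={r['elf']!s:5} arch={r['arch']} sigs={r['signatures']} -> {r['status']}")
    print("deeper analysis queue:", needs_deeper(report))
```

Hash coverage is checked first because an exact-match hit is the cheapest and least ambiguous verdict; string rules come second, and anything that neither catches is what a human analyst spends time on. The MIPS sample shows why the endianness byte matters: reading `e_machine` with the wrong byte order on a big-endian IoT binary would misidentify the architecture before analysis even starts.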

Recent developments

You are known on Twitter as @malwaremustdie. You are using a lot of crusader pictures. Does it have to do with religion, or is it something else?

It is just a symbol; just as Linux uses a penguin and FreeBSD uses a daemon, we use knight images from the medieval era. No, it is not related to any religion at all, but all of the members are religious and decent citizens. The "crusade" term also symbolizes the hard effort we face to fight malware and the crime scene behind it; it is a big deal, knowing that malware has still existed for more than 20 years now.

Last year the Twitter handle became a private account. You also announced that a lot of people would be removed from the followers. What was that about?

We are not active anymore on Twitter. It's all about security. There were malware people lurking on us. @malwaremustdie had 15,000+ followers and now we have around 1,300 after I reduced them. Most of the followers were blackhat lurkers. They learned from what we tweet and used the information to improve their malware; some blackhats are using the vulnerabilities that we found to improve their malware too.

These lurkers use predicates such as "security enthusiast", "malware researcher", "reverse engineering student" or "system administrator", and some of them are even faking real researchers' pictures, names or avatars that they stole from respected researchers on other social networks. In order to avoid this, for people that we don't know, we vetted and asked followers to tell us about themselves. We disconnect followers who don't explain. But our direct messages are always open for those who want to re-follow after they give more details about themselves.

I also run several scripts connected via the Twitter API to check the validity of accounts that try to follow us; if the indicator is RED we won't even answer the request. Right now we have almost 500 requests that are still flagged as RED. We need to conduct our research peacefully and to OPSEC our communications better; right now we are in the happiest state.

But people can still read the blog and learn about the details, right?

Yes, the blog is the recommended way for the public, including the malware bad guys, to read. The information in the blog is filtered; we passed all of the necessary details to law enforcement before or during the time we blogged it.

If someone is interested in malware and security, do they have a chance of being accepted as a new follower?

We are done with Twitter, if you refer to that. Right now I am not willing to add Twitter followers anymore. People can follow us via the blog or the IOC feed we release; journalists and legitimate researchers know exactly where to reach us.

Our Twitter DM is open to anyone, to ask questions or for an introduction. The funny thing is, blackhats are using this channel a lot to send "their messages" etc., instead of whitehats.

Professional skills

Is there a benefit for security professionals in learning to analyze malware samples? How could you use it in your daily work?

It is important for security professionals to know how to check a malware sample. Th

Republished at: http://www.codesec.net/view/485556.html