Many security tools rely on the presence of known files associated with an exploit, attack or attacker to detect a compromised system. Once those files are found, the system can be investigated further. These tools and investigation techniques have been around for a long time and are well understood within the security community.
When attackers began using fileless malware in attacks on Windows, enterprises had to review or update their security programs to make sure their systems stayed protected. Similar work now needs to be done for Linux systems.
Researcher Chris Evans created a proof-of-concept scriptless exploit for Linux to demonstrate a real vulnerability in a media decoder shipped with the open source operating system and to push for better Linux desktop security. This tip takes a closer look at the scriptless Linux exploit and at how enterprises can defend against such attacks.
What is the scriptless exploit?
The exploit created by Evans targets Linux desktops running Fedora 24. Evans chose Fedora because it ships with many standard security protections, such as address space layout randomization (ASLR), already enabled, and he wanted to show that a scriptless exploit is feasible against such a hardened Linux system.
Evans found a heap corruption vulnerability in the then-current version of the GStreamer decoder for the FLIC animation format. A malformed file corrupts the heap while it is being decoded, and the corruption can be steered into executing arbitrary code the moment the file is opened. Evans also stated that this Linux exploit could be combined with a previous browser exploit to build a drive-by download attack.
The exploit is classified as scriptless because it needs no script and no second file: the malformed video file alone is enough to run arbitrary code on the system. Individual frames in the file are crafted so that decoding them writes chosen values to chosen memory locations. By the time the file has been processed, the malicious command, in this proof of concept a call that launches the calculator application, has been written into memory and is then executed by the GStreamer-based process that decoded the file.
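The mechanism above turns on a decoder trusting length fields inside the file. The following is an added example written for this page, not GStreamer's code, and it does not reproduce the specific bug Evans found: it walks a FLIC (FLC) file using the format's public layout (a 128-byte little-endian header, 16-byte frame headers with magic 0xF1FA, 6-byte chunk headers) and refuses any frame or chunk whose declared size leaves its container, plus one content check (an FLI_COPY chunk must carry exactly width*height pixel bytes). The sample files are constructed in the block; `with_chunk_size` is a helper that corrupts a single length field the way a crafted frame would.

```python
import struct

FLC_MAGIC = 0xAF12            # "FLC" variant of the format; 0xAF11 is the older FLI
FRAME_MAGIC = 0xF1FA
FLI_BRUN, FLI_COPY = 15, 16   # byte-run compressed frame, uncompressed full frame
HEADER_SIZE, FRAME_HEADER_SIZE, CHUNK_HEADER_SIZE = 128, 16, 6


class FlicError(ValueError):
    pass


def parse_header(data):
    """Validate the fixed 128-byte header and return the fields the frame walker needs."""
    if len(data) < HEADER_SIZE:
        raise FlicError("file shorter than the 128-byte header")
    size, ftype, frames, width, height, depth = struct.unpack_from("<IHHHHH", data, 0)
    if ftype != FLC_MAGIC:
        raise FlicError("not an FLC file (type 0x%04X)" % ftype)
    if size != len(data):
        raise FlicError("header claims %d bytes, file has %d" % (size, len(data)))
    if width == 0 or height == 0 or depth != 8:
        raise FlicError("unsupported geometry %dx%d@%d" % (width, height, depth))
    return {"frames": frames, "width": width, "height": height}


def walk_frames(data):
    """Return [[(chunk_type, payload_len), ...] per frame]; every length is checked
    against the container it sits in before the offset is advanced."""
    hdr = parse_header(data)
    pixels = hdr["width"] * hdr["height"]
    off, frames = HEADER_SIZE, []
    for i in range(hdr["frames"]):
        if off + FRAME_HEADER_SIZE > len(data):
            raise FlicError("frame %d header runs past end of file" % i)
        fsize, ftype, nchunks = struct.unpack_from("<IHH", data, off)
        if ftype != FRAME_MAGIC:
            raise FlicError("frame %d has bad magic 0x%04X" % (i, ftype))
        if fsize < FRAME_HEADER_SIZE or off + fsize > len(data):
            raise FlicError("frame %d size %d does not fit in file" % (i, fsize))
        end, coff, chunks = off + fsize, off + FRAME_HEADER_SIZE, []
        for j in range(nchunks):
            if coff + CHUNK_HEADER_SIZE > end:
                raise FlicError("frame %d chunk %d header past frame end" % (i, j))
            csize, ctype = struct.unpack_from("<IH", data, coff)
            # csize is attacker-controlled: too small loops forever, too large reads past the frame
            if csize < CHUNK_HEADER_SIZE or coff + csize > end:
                raise FlicError("frame %d chunk %d size %d does not fit in frame" % (i, j, csize))
            payload = csize - CHUNK_HEADER_SIZE
            if ctype == FLI_COPY and payload != pixels:
                raise FlicError("FLI_COPY payload %d != %d pixels" % (payload, pixels))
            chunks.append((ctype, payload))
            coff += csize
        frames.append(chunks)
        off = end
    return frames


def is_well_formed(data):
    try:
        walk_frames(data)
        return True
    except FlicError:
        return False


def build_flc(frames, width=4, height=4):
    """Constructed sample file: frames is a list of [(chunk_type, payload_bytes), ...]."""
    body = b""
    for chunks in frames:
        cbytes = b"".join(struct.pack("<IH", CHUNK_HEADER_SIZE + len(p), t) + p for t, p in chunks)
        body += struct.pack("<IHH", FRAME_HEADER_SIZE + len(cbytes), FRAME_MAGIC, len(chunks))
        body += b"\0" * 8 + cbytes      # 8 reserved bytes complete the 16-byte frame header
    hdr = struct.pack("<IHHHHHHI", HEADER_SIZE + len(body), FLC_MAGIC, len(frames),
                      width, height, 8, 0, 50)   # depth 8, flags 0, speed 50
    return hdr + b"\0" * (HEADER_SIZE - len(hdr)) + body


def with_chunk_size(data, value):
    """Overwrite the first frame's first chunk size field with an arbitrary 32-bit value."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, HEADER_SIZE + FRAME_HEADER_SIZE, value)
    return bytes(buf)


# Constructed 4x4 animation: one uncompressed frame (16 pixel bytes) and one byte-run frame.
GOOD = build_flc([[(FLI_COPY, b"\x01" * 16)], [(FLI_BRUN, b"\x02\x03\x04")]])

if __name__ == "__main__":
    print("good:", walk_frames(GOOD))
    print("oversized chunk accepted:", is_well_formed(with_chunk_size(GOOD, 0x7FFFFFF0)))
    print("zero-size chunk accepted:", is_well_formed(with_chunk_size(GOOD, 0)))
```

A file that passes these checks is only structurally consistent, not safe; the point is that each length is validated against the bytes actually present before a single byte of it is consumed, which is the property a decoder loses when a crafted frame is allowed to dictate how much memory is written.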
This is difficult to detect because applications legitimately write all manner of values to memory depending on the data they process, and launching other programs through system calls is a common way for applications to reuse third-party functionality.
Enterprise defenses against a scriptless exploit
While file system and whitelisting-focused tools are less effective against this kind of attack, enterprises have several options for detecting scriptless exploits, such as monitoring system calls and using network-based detection tools.
The initial malicious file could be detected or sandboxed when it is opened. File system monitoring can only catch it once it has been downloaded or copied onto the system through a web browser, email reader or other desktop application, so those delivery paths are where monitoring needs to look. These measures should build on standard security controls, such as not running as root or administrator and keeping systems patched, so that an exploit cannot be turned into complete control of the system.
Many of the tools used to monitor file systems for malicious files can also monitor for suspicious system calls. In the scriptless Linux exploit, the system call that launches the calculator application (an executable on the file system) could be intercepted or logged for further investigation, and might be blocked by application whitelisting. Once an exploit runs, it typically fetches a dropper for the next stage of the attack, which network monitoring can detect as it would any other download. Depending on how the malicious file is delivered, network monitoring may also detect or block the file itself on its way in.
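One concrete form of the system-call monitoring described above is to replay auditd execve records and ask who is launching programs. The block below is an added example written for this page, not a tool the article describes. It assumes execve auditing is on (for example an auditctl rule such as `-a always,exit -F arch=b64 -S execve -k exec`), that the set of media decoder binaries to watch is configured by the operator (the path `/usr/libexec/media-thumbnailer` is hypothetical), and the log lines are constructed. It flags both the exploited decoder replacing its own process image with another program and a child process spawned from a decoder.

```python
import re

# Hypothetical decoder/thumbnailer binaries; in practice this set comes from the site's own inventory.
WATCHED_DECODERS = {"/usr/libexec/media-thumbnailer"}
SYS_EXECVE_X86_64 = "59"          # syscall number as auditd prints it for arch=c000003e

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one auditd line into a dict of key=value fields with quotes stripped."""
    return {k: v.strip('"') for k, v in TOKEN.findall(line)}


def detect_execve_from_decoders(lines, watched=WATCHED_DECODERS):
    """Replay successful execve records in order, tracking each pid's current executable.

    Flags two patterns:
      * a decoder process calling execve itself (its image is replaced by another program);
      * a process whose parent is a decoder (fork+exec of a second stage)."""
    image = {}                    # pid -> exe path from the most recent execve record
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if (rec.get("type") != "SYSCALL" or rec.get("syscall") != SYS_EXECVE_X86_64
                or rec.get("success") != "yes"):
            continue
        pid, ppid, exe = rec["pid"], rec["ppid"], rec["exe"]
        previous = image.get(pid)
        if previous in watched and exe not in watched:
            alerts.append("pid %s: decoder %s replaced its image with %s" % (pid, previous, exe))
        elif image.get(ppid) in watched:
            alerts.append("pid %s: child of decoder %s executed %s" % (pid, image[ppid], exe))
        image[pid] = exe
    return alerts


# Constructed audit records: a file manager (pid 1800) starts the thumbnailer on a downloaded
# clip; the thumbnailer then spawns curl and finally execs the calculator in its own process.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1479081233.010:101): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1800 pid=2131 auid=1000 uid=1000 comm="media-thumbnail" '
    'exe="/usr/libexec/media-thumbnailer" key="exec"',
    'type=EXECVE msg=audit(1479081233.010:101): argc=2 a0="media-thumbnailer" '
    'a1="/home/user/Downloads/clip.flc"',
    'type=SYSCALL msg=audit(1479081233.250:102): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=2131 pid=2140 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="exec"',
    'type=SYSCALL msg=audit(1479081233.400:103): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1800 pid=2131 auid=1000 uid=1000 comm="gnome-calculato" '
    'exe="/usr/bin/gnome-calculator" key="exec"',
    'type=SYSCALL msg=audit(1479081240.000:104): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1800 pid=2200 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"',
]

if __name__ == "__main__":
    for alert in detect_execve_from_decoders(SAMPLE_LOG):
        print(alert)
```

The pid-to-executable map is what makes this more than a string match: a decoder that has been exploited and execs the calculator shows up in audit as a record whose `exe` is already the calculator, so only the earlier record for the same pid tells you a decoder was there a moment ago. On a long log, pid reuse can produce stale entries, so a production version should also key on the audit session or clear entries on exit records.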
Evans also points out that ASLR, data execution prevention and RELRO should be used for memory protection far more consistently, and that operating systems and applications should enable them by default. Enterprises may want to turn them on even where their vendors have not. While Evans bypasses ASLR in this exploit, it remains a critical defense and greatly increases the cost of developing an exploit.
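Whether a given decoder binary actually has those protections is something an enterprise can verify itself. The following is an added example for this page, not from the article or from any hardening tool it names: it reads the ELF64 program headers directly and reports PIE (needed for ASLR of the executable image), a non-executable stack (PT_GNU_STACK without the execute bit, the same thing checksec-style tools report as NX) and RELRO (partial when a PT_GNU_RELRO segment exists, full when the dynamic section also requests BIND_NOW). It assumes little-endian ELF64 and uses a constructed header-only image for its sample; point it at `/usr/bin/*` to audit real binaries.

```python
import struct
import sys

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 1
ET_EXEC, ET_DYN = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_elf(data):
    """Return {'pie': bool, 'nx': bool, 'relro': 'none'|'partial'|'full'} for a LE ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = False            # no PT_GNU_STACK at all is treated as not hardened, like checksec does
    has_relro = bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic table for any of the three ways a linker asks for immediate binding.
            for doff in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, doff)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                    bind_now = True
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    # ET_DYN also covers shared libraries; for an executable it means PIE.
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_sample_elf(pie, nx, relro, bind_now):
    """Constructed ELF64 image containing only the headers the checker inspects; not runnable."""
    phdrs = [(PT_GNU_STACK, 0x6 if nx else 0x7)]          # RW versus RWX stack
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    phdrs.append((PT_DYNAMIC, 0x6))
    ehsize, phentsize = 64, 56
    dyn_off = ehsize + phentsize * len(phdrs)
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<qQ", DT_NULL, 0)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8     # class 64, LE, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, ehsize, 0, 0,
                        ehsize, phentsize, len(phdrs), 64, 0, 0)
    body = b""
    for p_type, p_flags in phdrs:
        offset = dyn_off if p_type == PT_DYNAMIC else 0
        size = len(dyn) if p_type == PT_DYNAMIC else 0
        body += struct.pack("<IIQQQQQQ", p_type, p_flags, offset, 0, 0, size, size, 8)
    return ehdr + body + dyn


if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        with open(path, "rb") as f:
            print(path, check_elf(f.read()))
    print("sample:", check_elf(build_sample_elf(pie=True, nx=True, relro=True, bind_now=True)))
```

Anything that decodes untrusted media and reports `pie: False` or `relro: none` is a candidate for rebuilding with `-fPIE -pie -Wl,-z,relro,-z,now`, or for pressure on the vendor to do so.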
As part of hardening a system, any utility that indexes or generates previews of files such as images, audio or video should run in a sandbox, so that a bug in one decoder cannot compromise the whole desktop.