Microsoft uses its expertise in malware to help with fileless attack detection on Linux
Posted on 02/25/2020 8:32:01 AM PST by dayglored
Aw, how generous
Hey, Linux fans! Microsoft has got your back over fileless threats. Assuming you've bought into the whole Azure Security Center thing.
Hot on the heels of a similar release for Windows (if by "hot" you mean "nearly 18 months after") comes a preview aimed at detecting that breed of malware that inserts itself into memory before attempting to hide its tracks.
A fileless attack tends to hit via a software vulnerability, inject a stinky payload into an otherwise fragrant system process and then lurk in memory. The malware also attempts to remove any trace of itself on disk, which makes disk-based detection tricky.
Since the malware hides in RAM, a reboot generally gets rid of the thing. However, Linux servers tend not to be rebooted as frequently as certain other operating systems and so, once infected, the malware can linger in memory, performing its nefarious activities.
An example of such an infection would be an attacker spotting a vulnerable service on an exposed port, copying a malware package and executing it. A few hops, skips and jumps later, and the malware could be listening for TCP instructions, having ensured any trace of itself in the file system has been removed.
A properly locked-down server would, of course, also mitigate things somewhat.
Microsoft's detection feature scans the memory of all processes for the tell-tale footprint of a fileless toolkit, shrieking a warning in the Azure Security Center along with some details of the nasty. An admin can then decide what action to take (and what further investigation is needed).
The scan, according to the Windows giant, is not invasive and the "vast majority" take less than five seconds to run. More importantly for those fearful of slurpage, memory analysis is performed on the host itself and the results only contain "security-relevant metadata and details of suspicious payloads".
Unsurprisingly, once signed up for the preview, you'll need the Log Analytics Agent for Linux installed, along with a supported distribution (the usual suspects: Red Hat Enterprise Server, SUSE, Ubuntu and Debian are all included in the list). You will also need to be in the Standard or Standard Trial pricing tier to play.
Microsoft isn't the only outfit squaring up to fileless threats. Kaspersky has been quick to trumpet its effectiveness and Trend Micro points to some alarming statistics concerning the surge in threats as criminals seek different means to compromise systems.
However, as its continued love-in with Linux continues (heck, a large chunk of Azure is running the OS), Microsoft has decided that maybe, just maybe, the lessons learned monitoring its proprietary OS could be extended elsewhere. ®
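Microsoft's scanner looks for toolkit footprints inside process memory; a much simpler check a Linux admin can run by hand is to ask /proc which running processes are no longer backed by a file on disk, which is exactly the state the article describes (payload executed, then its trace on disk removed). The script below is an added example, not part of the article or of Azure Security Center; the indicator names, the ProcSnapshot type and the sample data are my own, and it needs Python 3.8 or later.

```python
import os
import re
from dataclasses import dataclass, field

# One /proc/<pid>/maps line: address perms offset dev inode [pathname]
MAPS_RE = re.compile(r"^\S+\s+(?P<perms>\S{4})\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$")

@dataclass
class ProcSnapshot:
    pid: int
    exe: str                                  # readlink of /proc/<pid>/exe
    maps: list = field(default_factory=list)  # lines of /proc/<pid>/maps

def classify(snap):
    """Names of the indicators that fire for one process (empty = nothing found)."""
    hits = []
    if snap.exe.endswith(" (deleted)"):       # binary unlinked after it started
        hits.append("exe-deleted")
    if snap.exe.startswith("/memfd:"):        # started from an anonymous memfd
        hits.append("exe-memfd")
    for line in snap.maps:                    # executable mapping of a deleted file
        m = MAPS_RE.match(line)
        if m and "x" in m.group("perms") and m.group("path").endswith("(deleted)"):
            hits.append("exec-map-deleted")
            break
    return hits

def find_fileless_candidates(snaps):
    """pid -> indicator list for every process with at least one hit."""
    return {s.pid: h for s in snaps if (h := classify(s))}

def snapshot_live_processes():
    """Read the real /proc; entries this user may not read are skipped."""
    snaps = []
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{name}/exe")
            with open(f"/proc/{name}/maps") as fh:
                snaps.append(ProcSnapshot(int(name), exe, fh.read().splitlines()))
        except OSError:
            continue
    return snaps

# Constructed sample snapshots, not real process data.
SAMPLE = [
    ProcSnapshot(101, "/usr/sbin/sshd", ["7f00 r-xp 0 08:01 1 /usr/sbin/sshd"]),
    ProcSnapshot(202, "/tmp/.x (deleted)", ["7f00 r-xp 0 08:01 1 /tmp/.x (deleted)"]),
    ProcSnapshot(303, "/memfd:kk (deleted)", []),
    ProcSnapshot(404, "/usr/bin/python3", ["7f00 r-xp 0 08:01 1 /tmp/libp.so (deleted)"]),
]
```

On a live host run `find_fileless_candidates(snapshot_live_processes())` as root so every process is readable; a library replaced by a package upgrade also shows as "(deleted)" until the process restarts, so treat hits as leads to investigate rather than verdicts.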
“Never A Dull Moment” *PING*
All versions of Windows were a hacker's delight, so I wonder how long it will be till someone hacks their cloud?
Would using firejail on your browser and email stop something from being downloaded into memory?
The alternative architecture would be a microkernel (MINIX 3) that can restart OS-level services. In MINIX, if a low-level driver stops working, it can be restarted ... almost like it was a service.
This could potentially provide a very strong defense against this type of attack by regularly restarting drivers and/or services.
I've never needed AV in Mac OS X or Linux. Malware is so rare it's not worth the bother of installing security software.
I agree, but I use ClamAV for a weekly scan. In 20 years of using Linux I have NEVER found a virus.
Do ya think?
I don't know; perhaps another FReeper has an informed opinion.
I suspect so. OTOH, converting a monolithic arch into a microkernel arch is a staggering undertaking.
I taught some college seminars using MINIX 30 years ago, and was very impressed with the OS. But despite its beauty and technical advantages, it hasn't quite set the world on fire in those 30 years since, and I doubt it will. At least for the foreseeable future, we're stuck with what we have, and have to protect it as-is.
I don't know how current you are with MINIX, but its code base now follows the NetBSD distribution. I have a project to convert from my home Linux Mint to MINIX 3.
But that is still a few months away.
Honestly, I haven’t stayed familiar with MINIX, so I appreciate your comments, and good luck with the migration!
I can't get firejail to work, dang it. Wanted to use it. Using Linux Mint Cinnamon 19.3.
I’m using 19.3 and had trouble with it as well. Pretty sure I uninstalled firejail and then copied and pasted the below commands into a terminal:
sudo add-apt-repository ppa:deki/firejail
sudo apt-get update
sudo apt install firejail firejail-profiles
The link explaining what’s going on is below. — Good Luck. :)
Thanks, I'll give that a try (but do a 'TimeShift' backup first in case something doesn't work).
I'm always a little nervous about adding PPAs.
Maybe I shouldn't be, but I am.
I know just enough about Linux to get into trouble, so not sure what a PPA is, but the instructions worked. Might have to look into PPAs a little more.
OK, I looked PPA up... and you're right, not something to put on your machine lightly. May try to figure out a different way to get firejail up and running. Need to figure out how to get rid of the PPA first though.