Investigative guide for Linux machines - termcap/cybersecurity GitHub Wiki

# LD_PRELOAD

Can be used by attackers to implement user-level rootkits. If the attacker is able to force processes to load a malicious shared object (.so), it can hook the libc functions that wrap all of the important syscalls, such as read() and open(), and hide its actions.

Malware: Symbiote

Exploit: Setting the LD_PRELOAD environment variable, or inserting the path to the malicious .so file inside /etc/ld.so.preload. Either way, every dynamically linked process started afterwards loads the malicious .so on startup.

Evasion:

  • When /bin/ls is executed, the hooked open() call returns an error for the malware's own files to hide their existence, but for all other files the real open() function is invoked.
  • When ps calls getdents(), the malware's process is first removed from the list of processes before it is returned.
  • When grep reads a log file, all the malicious entries are first filtered out before the output is presented to the user.

Investigate:

  • Check the contents of the LD_PRELOAD environment variable
  • Compare the contents of /etc/ld.so.preload with a confirmed non-infected machine
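The two investigation steps above, plus the two persistence points named in the Exploit paragraph, as an added example script (not part of the wiki page or of any published tool). It lists the libraries named in an ld.so.preload-style file, diffs them against a copy taken from a confirmed clean machine, and walks /proc to find running processes whose environment carries LD_PRELOAD. File paths are parameters so a baseline copy can be compared; the baseline path and the temp-file names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the wiki): LD_PRELOAD / ld.so.preload checks.

# Print the library entries of an ld.so.preload-style file, one per line.
# Comments (#) and blank lines are dropped; entries may be space- or
# newline-separated. Takes a path so a baseline copy can be inspected too.
preload_entries() {
  f="$1"
  [ -r "$f" ] || return 0
  sed -e 's/#.*//' "$f" | tr -s ' \t' '\n\n' | sed -e '/^$/d'
}

# Return 0 (clean) if the file is absent or lists nothing, 1 otherwise.
# On a default install /etc/ld.so.preload normally does not exist at all.
check_preload_file() {
  n=$(preload_entries "$1" | wc -l | tr -d ' ')
  [ "$n" -eq 0 ]
}

# Print entries present in the suspect file but not in the baseline file
# (the baseline being /etc/ld.so.preload copied from a known-clean host).
unexpected_entries() {
  s=$(mktemp); b=$(mktemp)
  preload_entries "$1" | sort -u > "$s"
  preload_entries "$2" | sort -u > "$b"
  comm -23 "$s" "$b"
  rm -f "$s" "$b"
}

# Print "PID VALUE" for every running process whose environment sets
# LD_PRELOAD. Processes owned by other users need root to read environ.
processes_with_ld_preload() {
  for e in /proc/[0-9]*/environ; do
    pid=${e#/proc/}; pid=${pid%/environ}
    val=$(tr '\0' '\n' < "$e" 2>/dev/null | sed -n 's/^LD_PRELOAD=//p')
    [ -n "$val" ] && echo "$pid $val"
  done
  return 0
}

# Run the checks against the live system. BASELINE is an assumed path to a
# copy of /etc/ld.so.preload taken from a confirmed non-infected machine.
run_checks() {
  BASELINE="${BASELINE:-/root/baseline/ld.so.preload}"
  echo "[*] LD_PRELOAD in this shell: '${LD_PRELOAD:-<unset>}'"
  if check_preload_file /etc/ld.so.preload; then
    echo "[*] /etc/ld.so.preload: absent or empty"
  else
    echo "[!] /etc/ld.so.preload lists libraries:"
    preload_entries /etc/ld.so.preload | sed 's/^/    /'
    if [ -r "$BASELINE" ]; then
      echo "[!] entries not present in baseline $BASELINE:"
      unexpected_entries /etc/ld.so.preload "$BASELINE" | sed 's/^/    /'
    fi
  fi
  echo "[*] processes with LD_PRELOAD set:"
  processes_with_ld_preload | sed 's/^/    /'
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Invoke it as `sh check_preload.sh --run`. Because the evasion section above shows that `ls`, `ps` and `grep` on an infected host go through the same hooked libc, run this from a statically linked shell and coreutils (or against the disk image mounted offline) rather than trusting the suspect system's own binaries, and treat a missing or empty `/etc/ld.so.preload` as the expected state.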