Investigative guide for Linux machines - termcap/cybersecurity GitHub Wiki
# LD_PRELOAD
Can be used by attackers to implement user-level rootkits. If an attacker can force the system to load a malicious shared object (.so), it can hook the libc wrappers of important system calls such as read() and open() and hide its actions.
Malware: Symbiote
Exploit: Setting the LD_PRELOAD environment variable, or inserting the path to the malicious .so file into /etc/ld.so.preload. This causes every dynamically linked process to load the malicious .so on startup.
Evasion:
- When /bin/ls is executed, the hooked open() returns an error for the malware's own files to hide their existence; for all other files the real open() is invoked.
- When ps calls getdents(), the malware's process is removed from the returned list of processes.
- When grep reads a log file, all malicious entries are filtered out before the output is presented to the user.
Investigate:
- Check whether LD_PRELOAD is set, both in the current shell and in the environment of running processes
- Compare the contents of /etc/ld.so.preload with a confirmed non-infected machine
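The two checks above as a small POSIX shell helper set; this is an added example, not code from the wiki. It assumes a Linux /proc layout, and the path names and the `PROC_ROOT`/`PRELOAD_FILE` overrides are this example's own so the functions can be pointed at a mounted image or a constructed test tree.

```shell
#!/bin/sh
# Added example: triage helpers for LD_PRELOAD / ld.so.preload checks.
# Defaults point at the live system; override to scan a mounted image or test tree.
PROC_ROOT="${PROC_ROOT:-/proc}"
PRELOAD_FILE="${PRELOAD_FILE:-/etc/ld.so.preload}"

# Print the active entries of an ld.so.preload file (comments and blank lines
# stripped). Returns 1 if any entry is present, 0 if the file is empty or absent.
# On a normal host the file usually does not exist at all.
preload_entries() {
    f="${1:-$PRELOAD_FILE}"
    [ -r "$f" ] || return 0
    entries=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$f" \
              | grep -v '^$') || return 0
    printf '%s\n' "$entries"
    return 1
}

# List processes whose environment sets LD_PRELOAD, one "<pid> <value>" per line.
# /proc/<pid>/environ is NUL-separated and, for other users' processes, readable
# only as root. Returns 1 if any process matched, 0 otherwise.
procs_with_ld_preload() {
    root="${1:-$PROC_ROOT}"
    found=0
    for env in "$root"/[0-9]*/environ; do
        [ -r "$env" ] || continue
        pid=${env#"$root"/}; pid=${pid%/environ}
        val=$(tr '\0' '\n' < "$env" | sed -n 's/^LD_PRELOAD=//p')
        if [ -n "$val" ]; then
            printf '%s %s\n' "$pid" "$val"
            found=1
        fi
    done
    return $found
}

# Print entries of a suspect ld.so.preload that are absent from a copy taken
# from a known-clean machine. Returns 1 if there are any, 0 if the files agree.
preload_diff_baseline() {
    baseline="$2"
    [ -r "$baseline" ] || baseline=/dev/null   # clean host has no file: all extra
    if preload_entries "$1" | grep -vxF -f "$baseline"; then return 1; fi
    return 0
}

# Stand-alone run against the live system: ./check.sh --run
if [ "${1:-}" = "--run" ]; then
    preload_entries || echo "!! /etc/ld.so.preload has entries"
    procs_with_ld_preload || echo "!! processes running with LD_PRELOAD set"
fi
```

Because the hooked libc functions affect the tools doing the checking too, run these from a statically linked toolset or against a mounted image rather than trusting the live host's ls, ps and grep.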