[WIP] A for-fun *Nix malware development syllabus

Nix-Malware-dev-syllabus.md

Hand-on Malware Development on Linux Syllabus

Course Overview

This course provides an in-depth exploration of advanced malware development techniques on Linux, focusing on sophisticated methods such as binary injection, process injection, and file hijacking. Designed for learners with a foundational understanding of Linux and programming, the course emphasizes practical application in a safe, controlled environment (virtual machines) and underscores ethical and legal considerations for academic or authorized security testing purposes.

Malin 101

Day 0: Introduction to Malware and Linux System Programming

• Objectives:
  • Understand malware, its types (virus, worm, trojan, rootkit, backdoor), and historical context.
  • Learn essential Linux commands and basic programming in C, Python, Bash, Nim.
  • Set up a secure testing environment using virtual machines (e.g., VirtualBox, VMware).
  • Understand: just like hacking, malware development is all about using features to create malicious activities
• Activities:
  • Introduce types of malware.
  • Introduce MITRE ATTACK to learn tactics and techniques.
  • Introduce Nim lang.
  • Install and configure a Linux VM.
• Resources:
  • Programming:
    • Nim lang: https://nim-lang.org/docs/tut1.html
    • Python: https://docs.python.org/3/tutorial/index.html
    • Bash: https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html
    • Advanced bash: https://linux.die.net/abs-guide/
    • C lang: https://devdocs.io/c/
  • Linux system:
    • Linux foundation: https://linux-training.be/
    • Malware: https://en.wikipedia.org/wiki/Malware, https://www.kaspersky.com/resource-center/threats/types-of-malware
    • MITRE: https://attack.mitre.org/

Week 1: Remote Shell via TCP connection

• Objectives:
  • Understand TCP/IP and how to programming with it.
  • Linux file description (?) with Socket. TODO verify this content
  • Understand pipeline and redirection via bash.
  • Remote shell via TCP connection: Reverse Shell, Bind Shell.
  • Execute malicious code remotely.
• Activities:
  • File description, pipeline and redirection.
  • Learn TCP/IP, basic Socket development. Socket connection with Bash and Pipeline.
  • Non-interactive reverse shell with Python and Nim. Interactive reverse shell with Bash. Introduce bind shell.
  • Introduce concept of malware loader:
    • Remote Python code execution with eval and / or exec.
    • Remote Python object execution (de-serialization) with pickle
• Resources:
  • TCP: https://en.wikipedia.org/wiki/Internet_protocol_suite
  • Reverse shell: https://gtfobins.github.io/
  • Python pickle: https://docs.python.org/3/library/pickle.html

Week 2: C&C Development

• Objectives:
  • Python OOP, importlib
  • Multi-threading
• Activities:
  • Developing Metasploit-like interpreter with Python
  • Writing modules for post-exploitation
• Resources:
  • https://github.com/threat9/routersploit
  • https://github.com/knownsec/pocsuite3

Week 3: Data collection & Credential Access

• Objectives:
  • Location of Linux's valuable data.
  • Collect data on Linux Desktop and Linux Server. (maybe in memory too)
  • Writing keylogger with X-11 /dev/input/
• Activities:
  • Introduce Linux's Filesystem Hierarchy Standard, examine valuable spots.
  • Introduce Linux Desktop and X-11 Server
  • Write module to enumerate system's info
  • Write module to search and collect valuable data.
  • Examine X-11 keylogger X-spy, a C lang keylogger. Introduction Nim's Binding and write an X-11 keylogger in Nim.
  • Keylogger with /dev/input/.
• Resouces:
  • X-11 on Linux: https://www.x.org/releases/current/doc/
  • TODO add resources.

Week 4: System persistence

• Objectives:
  • Understand Linux's core places: cron, system unit, script hooking
  • Understand Linux Desktop's startup mechanism.
• Activities:
  • Logon execution:
    • System daemon start
    • Autostart on X-11
  • Event trigger execution:
    • System's hooking script introduction
    • Unix shell config modification
    • Udev rules
  • Schedule task / job execution:
    • Systemd timer
    • Cron

Week 5: Basic system evasion Defense evasion

• Objectives:
  • Learn basic concept of signature-based detection and how to evade
  • Traces in system logs
  • Traffic obfuscate.
  • Code obfuscation and encryption.
• Activities:
  • Introduce Yara and signature matching
  • Write encoder and decoder to encode malicious traffic.
  • Encode / encrypt source code and decrypt them.
  • Hide / delete activities from system logs
• Resources:
  • TODO write here

Malin 102 (TODO list)

Week 6: Linux shellcode

• Objectives:
  • ASM on Linux
  • Learn ELF file structure (headers, sections, segments).
  • Shellcode and Shellcode loader
  • Binary patching and malware infection
• Activities:
  • Introduce Linux x86, x86-64 ASM
  • Introduce ELF file structure, writable and executable region
  • Write /bin/sh shellcode and reverse shell shellcode
  • Write shellcode loader
• Resources::
  • Linux x86: https://p403n1x87.github.io/getting-started-with-x86-64-assembly-on-linux.html
  • Linux ELF file: https://en.wikipedia.org/wiki/Executable_and_Linkable_Format

Week 7: Code Injection (and process injection) Techniques

• Objectives:
  • Process Injection:
    • Understand process injection using ptrace, procfs (/proc//mem), and process_vm_writev.
    • Explore advanced methods: stack hijacking, GOT hijacking, and Return-Oriented Programming (ROP).
    • Discuss security measures like ptrace_scope and dumpable attributes.
  • Binary Injection:
    • Modify ELF files to add malicious code, change entry points, or overwrite existing code.
    • Use tools like objcopy and elfkickers for manipulation.
• Activities:
  • Inject code into a running process using ptrace in a VM.
  • Modify an ELF binary to include a backdoor.
• Resources:
  • Shellcode injection: https://www.matteomalvica.com/blog/2019/05/18/injecting-shellcode-into-x64-elf-binaries/
  • https://www.akamai.com/blog/security-research/the-definitive-guide-to-linux-process-injection

Week 7: Discovery and Lateral movement (?). In memory data collection maybe?

TODO dbus

Week 7: Kernel-Level Malware and Rootkits

• Objectives:
  • Develop kernel modules and basic rootkits.
  • Learn to hide processes and files using kernel hooks.
  • Understand risks and detection challenges of kernel-level malware.
• Activities:
  • Create a kernel module that hides a process, tested in a VM.
• Resources:
  • Linux kernel documentation
  • Detecting Linux Binary File Poisoning

Week 8: Advanced Evasion Techniques

• Objectives:
  • Implement encryption and code obfuscation to conceal malware functionality.
  • Apply anti-debugging techniques (e.g., detecting GDB attachment).
  • Use anti-sandbox methods (e.g., checking for VM indicators like VMware tools).
  • Explore persistence via init scripts and cron jobs.
  • Tunneling
• Activities:
  • Develop a malware sample with an encrypted payload, tested for evasion in a VM.
• Resources:
  • Learning to Write Fully Undetected Malware

Week 9: Persistence Mechanisms and File Hijacking

• Objectives:
  • Maintain malware presence using cron jobs, init scripts, and startup services.
  • File Hijacking:
    • Perform binary poisoning (e.g., replacing /bin/ls with a malicious version).
    • Use symbolic links to redirect file operations (e.g., linking /tmp/malware to /bin/ls).
    • Explore library hijacking, including Python library hijacking (e.g., modifying /usr/lib/python3.7/base64.py) and LD_PRELOAD manipulation.
    • Manipulate PYTHONPATH for Python library redirection.
• Activities:
  • Replace a system file in a VM with a malicious version.
  • Demonstrate Python library hijacking.
• Resources:
  • Python Library Hijacking on Linux
  • Hackers hijack Linux devices using PRoot isolated filesystems