Linux Hypervisor-level behavior analysis

Behavioral analysis in Linux operating systems is challenging due to a wide variety of distributions, lack of convenient tools, and incompleteness of data that the tools provide. Even well-known tools have their flaws. All this makes it easy for attackers to remain invisible to protection tools, including sandboxes. Attackers use various techniques:

Make direct system calls that bypass intercepts on user functions.
Use non-standard techniques to inject themselves into a legitimate process that doesn’t trigger alerts.
Run malicious code in the OS kernel to interfere with the standard user activity monitoring system.

This is just a small sample of practices employed by attackers.

In our report, we will introduce the audience to the DRAKVUF open source solution and its advantages. We will discuss the flaws of the existing Linux security auditing tools and talk about the challenges we encountered when developing a hypervisor-level solution.

Mr. Alexey Kolesnikov

Alexey Kolesnikov, Malware Detection Team, PT ESC (Positive Technologies Expert Security Center)
I analyze and parse malware designed for Windows and Linux, create signature- and behavior-based rules for PT Sandbox and PT EDR, and develop solutions for agentless malware analysis in isolated environments.