Fidelis Blog


Resolution1 Endpoint as a Malware Slayer Part 1: Conquering Malware in a *nix Environment

Having seen Resolution1 Endpoint 5.8 in action in both Windows and *nix environments, I am definitely excited about the new release. Here’s why.

The Fidelis Consulting Services team was recently called in by an information technology firm to hunt for indicators of compromise (IOCs) on a large network containing over 17,000 Windows endpoints and 11,000 Linux and Unix endpoints. When the organization learned it had been compromised, it originally engaged a competing incident response security firm to find malware on the compromised endpoints. The competing IR team had deployed its endpoint agents to all of the Windows systems and was making good progress in the investigation, with solid results. Unfortunately, their endpoint-hunting agents could only function within the Windows environment. This left the Linux and Unix systems at risk.

During an investigation status update, the investigators noted that the attackers were using PHP web shells to persist in the network. I asked the Fidelis Threat Research Team and Reverse Engineering Team if the PHP web shells could run in a Linux or Unix environment. Their response was: “Definitely – if the system is running the proper type of web server.” Encouraged by this news, I met with the client’s *nix administrators to find out how many systems had web servers running and could run PHP. When I got the answer, “Many of our 11,000 *nix systems are running web servers with PHP capability,” I knew that I wanted to scan these systems for evidence of malware.

The client asked me if I had the ability to scan *nix systems, and of course I said: “Yes! With Resolution1 Endpoint, we can scan multiple versions of Red Hat, SUSE, CentOS, Ubuntu and Mac OS X.” We quickly got the go-ahead from the client to deploy Resolution1 agents to thousands of endpoints.

While we were deploying the agents, investigators found several compromised Linux systems. The attackers had exploited a vulnerability on a Linux web server, placed a web shell on it, and then used that system to tunnel into other systems within the environment. From the CISO’s perspective, hunting and slaying malware on *nix systems was an absolute necessity to contain the intrusion. Resolution1 enabled their security organization to investigate the *nix environment faster and more efficiently with automated detection and response capabilities; the traditional methods proved to be far more tedious and extremely time-consuming.

Coming next, Resolution1 Endpoint as a Malware Slayer Part 2: Deeper Functionality for Faster Hunting.

-Ryan Vela
