Article from APNIC explaining how Linux processes can be hidden with deceptive naming.
“Linux kernel process masquerading is sometimes used by malware to hide when it is running. Let’s go over how you can unmask a piece of Linux malware using this tactic.

What is Linux kernel process masquerading?

On Linux, the kernel has many threads created to help with system tasks. These threads can be for scheduling, disk I/O, and so forth.

When you use a standard process listing command, such as ps, these threads will show up as having [brackets] around them to denote that they are threads of some kind. Ordinary processes will not normally show up with [brackets] around them in the ps listing. The brackets denote that the process has no command-line arguments, which usually means it was spawned as a thread.”

Craig Rowland via APNIC
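As an added example (not from the article or its author), a Python check that applies the point above: a bracketed ps entry only means /proc/PID/cmdline is empty, so a defender can cross-check each such process against the PF_KTHREAD flag in /proc/PID/stat (0x00200000 in the kernel's sched.h) and the /proc/PID/exe link, which only user-space processes have. The classifier takes the raw values as arguments so it can be exercised on constructed input; the /proc walk is real but only runs when invoked as a script.

```python
"""Flag user-space processes that mimic kernel threads in a ps listing."""
import os
from typing import Optional

PF_KTHREAD = 0x00200000  # kernel-thread bit in the 'flags' field of /proc/PID/stat


def classify(cmdline: bytes, flags: int, exe: Optional[str]) -> str:
    """Return 'normal', 'kernel_thread', 'masquerading' or 'unresolved'.

    cmdline: raw /proc/PID/cmdline (NUL separated; empty is what ps prints as [name])
    flags:   the 'flags' field from /proc/PID/stat
    exe:     readlink('/proc/PID/exe'), or None when the link has no target
    """
    if cmdline.strip(b"\0"):
        return "normal"             # has arguments, ps would not bracket it
    if flags & PF_KTHREAD:
        return "kernel_thread"      # genuinely spawned by the kernel
    if exe is not None:
        return "masquerading"       # empty cmdline, yet backed by a user-space binary
    return "unresolved"             # e.g. a zombie, or exe unreadable without ptrace access


def read_stat_flags(pid: int) -> int:
    with open(f"/proc/{pid}/stat") as f:
        stat = f.read()
    # comm may contain spaces or parens, so parse from the last ')' onwards:
    # state ppid pgrp session tty_nr tpgid flags ...
    return int(stat[stat.rindex(")") + 2:].split()[6])


def read_exe(pid: int) -> Optional[str]:
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None


def scan_proc() -> list:
    """Walk /proc and return (pid, exe) for bracketed processes that are not kernel threads."""
    findings = []
    for entry in filter(str.isdigit, os.listdir("/proc")):
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read()
            exe = read_exe(pid)
            verdict = classify(cmdline, read_stat_flags(pid), exe)
        except OSError:
            continue  # process exited mid-scan
        if verdict == "masquerading":
            findings.append((pid, exe))
    return findings


if __name__ == "__main__":
    for pid, exe in scan_proc():
        print(f"PID {pid} shows an empty cmdline but is backed by {exe}")
```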
