As an SOC/DFIR Team Member, How to Analyse Real-Time Linux Malware Network Traffic

Network traffic analysis has emerged as one of the most effective methods for detecting and investigating linux based malware infections .

By scrutinizing communication patterns, security professionals can uncover signs of malicious activity, including command-and-control (C2) connections, data exfiltration, and Distributed Denial-of-Service (DDoS) attacks.

This guide explores how traffic analysis aids in malware detection, the essential tools used for this process, and real-world examples of Linux malware analyzed in ANY.RUN’s Interactive Sandbox.

Key Malware Behaviors Detectable Through Traffic Analysis

1. DDoS Attacks

Cybercriminals deploy malware to turn infected devices into botnet “zombies,” instructing them to overwhelm target servers with excessive requests. This can disrupt online services, slow down websites, or take entire networks offline.

Indicators in Network Traffic:

• Unusually high volumes of outgoing traffic
• Sudden bursts of connections to multiple IPs
• Large numbers of SYN packets

2. Command and Control (C2) Communication

Many types of malware, including trojans and ransomware, rely on Command and Control (C2) servers to receive instructions from attackers. These communications may involve downloading additional malicious payloads, executing remote commands, or transmitting stolen data.

Indicators in Network Traffic:

• Repeated communication with suspicious or newly registered domains
• Encrypted traffic over unusual ports
• Regular beaconing patterns

3. Data Exfiltration & Credential Theft

Malware designed to steal sensitive data, such as login credentials, financial information, or proprietary data, often encrypts and transmits stolen information to attacker-controlled servers.

Indicators in Network Traffic:

• Outbound traffic directed to unknown foreign IP addresses
• Unusual spikes in file transfer protocols (FTP, SFTP)
• Large volumes of outbound DNS queries

4. Exploitation Attempts & Lateral Movement

Advanced malware doesn’t just infect one machine; it seeks vulnerabilities to move laterally across a network, escalating privileges and compromising additional systems.

Indicators in Network Traffic:

• Repeated login attempts from a single source, indicative of brute-force attacks
• Unusual spikes in Server Message Block (SMB) traffic
• Evidence of internal IP scanning tools like Nmap being used

5. Malware Download & Dropper Activity

Many infections begin with a simple download. Malware droppers pull additional payloads from the internet to execute further malicious activities.

Indicators in Network Traffic:

• Downloads from unusual or newly registered domains
• Connections to known malware-hosting services
• Execution of PowerShell or wget/curl commands from unknown sources

Essential Tools for Traffic Analysis

1. Malware Sandboxes: Dynamic analysis environments like ANY.RUN, a powerful platform for observing malware behavior in a controlled setting. These sandboxes offer real-time visibility into malicious activities, including detailed network communications.

The sandbox logs and analyzes various network-related actions:

1. Network requests: All outbound connections initiated by the malware are captured, revealing potential command and control (C2) servers or data exfiltration attempts.
2. DNS queries: By analyzing DNS requests, analysts can uncover how malware interacts with remote hosts, often exposing malicious domain names.
3. Protocol usage: The sandbox identifies which network protocols (HTTP, HTTPS, FTP, etc.) the malware employs, helping to understand its communication methods.
4. Traffic interception: Features like MITM (Man-in-the-Middle) proxy allow for deeper inspection of encrypted traffic, crucial for analyzing sophisticated malware.
5. IOC extraction: The system automatically extracts network-based Indicators of Compromise (IOCs) such as IP addresses, domains, and URLs.
6. Unusual port detection: ANY.RUN flags connections to non-standard ports, which can indicate malicious activity.
7. Process correlation: Network activities are linked to specific processes in the sandbox, providing context for each communication.

This comprehensive network analysis, combined with other behavioral observations, enables security professionals to quickly identify malicious patterns, understand malware functionality, and develop effective countermeasures.

1. Wireshark: A powerful packet analysis tool for deep inspection of network activity.
2. tcpdump: A command-line tool for packet capturing and analysis on Linux systems.
3. mitmproxy: An interactive proxy for analyzing HTTP/HTTPS traffic in real-time.

Analyze Linux and Windows threats inside the safe and secure ANY.RUN Interactive Sandbox -
Sign up for free

Linux Malware Traffic Analysis with a Sandbox

ANY.RUN, an advanced Interactive Sandbox designed to revolutionize Linux malware traffic analysis offers real-time, dynamic analysis capabilities, empowering researchers and security teams to more effectively uncover malicious network activities associated with Linux-based threats.

Key features of the ANY.RUN Interactive Sandbox include:

• Real-time Network Monitoring: Analysts can observe malware’s network behavior live, including outbound HTTP, HTTPS, and DNS traffic. This feature enables the detection of hardcoded command and control (C2) servers and unusual encrypted connections.

• Interactive Analysis Environment: Users can actively engage with the infected environment, triggering malware behaviors to bypass sandbox evasion tactics and uncover hidden threats.
• PCAP Export Functionality: The sandbox allows for the capture and export of all network traffic, facilitating deeper analysis using tools like Wireshark.
• Suricata-Driven Threat Detection: Leveraging the power of Suricata, the sandbox automatically flags malicious network behavior, including botnet communications, exploit attempts, and data exfiltration.

Industry experts predict that this tool will significantly reduce the time required for manual traffic analysis, providing security professionals with live, actionable insights and automated reporting capabilities.

As Linux-based malware continues to evolve, ANY.RUN’s Interactive Sandbox represents a significant advancement in the cybersecurity toolkit, offering a more efficient and comprehensive approach to threat analysis and mitigation.

Case Studies: Linux Malware Analysis

1. Gafgyt (BASHLITE)

This Linux botnet malware, analyzed in ANY.RUN’s sandbox, hijacked the virtual machine and attempted to establish connections with over 700 different IP addresses, demonstrating its DDoS capabilities: View analysis session with Gafgyt.

According to ANY.RUN report, After examining it inside ANY.RUN’s sandbox, we can see that the malware hijacked the VM, turning it into a botnet. It then attempted to establish connections with over 700 different IP addresses, flooding the network with malicious traffic.

2. Mirai

A notorious IoT-targeting malware, Mirai’s behavior was automatically detected in the ANY.RUN sandbox, revealing its communication patterns and attempts to establish connections with remote servers: View analysis session with Mirai attack.

3. Exploit

An analysis session in ANY.RUN’s sandbox revealed an exploit attempting to manipulate system processes, automatically flagged by Suricata rules: View analysis session with Exploit.

ANY.RUN is a leading cybersecurity platform serving over 500,000 professionals globally. Our interactive sandbox streamlines malware analysis for both Windows and Linux-based threats. We offer a suite of threat intelligence products:

1. TI Lookup
2. YARA Search
3. Feeds

These tools enable rapid identification of Indicators of Compromise (IOCs) and file analysis, enhancing threat understanding and accelerating incident response.

Try Free malware research with ANY.RUN - 14 Days Free Trial