I recently came across an article on The Verge, which centers around the concept of commercial malware production and how it's used around the world. The article introduced me to a number of interesting (and worrisome) concepts such as "process hollowing", remote access to hardware that's hidden from the system/user, etc.

While I have no reason to have the same worries mentioned in the article, working with IT issues and developing in Java, together with the recent major bugs (Shellshock, Heartbleed, etc.) and the ever increasing complexity of malware, makes me quite paranoid about the vulnerabilities of the systems I use and administer.

Whenever I notice suspicious behaviour (such as unusual slowness, random wake from sleep, or high CPU load while not actively running demanding software) I tend to check the running processes on my Mac/*nix machines. I have so far not come across anything that caught my eye, but that doesn't mean there are no "hollow" processes.

Is there a way to investigate an OS X or Linux system, to check whether or not there's hidden malware?

posdef

2 Answers

You may find a forensic tool called unhide to be of interest!

http://www.unhide-forensics.info

unhide uses a variety of techniques to find (or unhide) hidden processes and TCP/UDP ports utilized by rootkits/LKMs (Loadable Kernel Modules). It supports both Linux/Unix and Windows...

More details on the techniques used can be found on the website:

http://www.unhide-forensics.info/?Linux

vaughank

Not exactly. Most Linuxes have a /proc/ folder which allows you to see various details about processes. One "could" make a simple map of binaries vs. open files and manually add to this list until you have a fairly definitive system profile of your machine. You could even hook this into a cron job (with a report) to run every minute or every few seconds.

This would of course require you to understand what each process that is running actually does and what files it should be accessing, and it will require some initial work:

  1. to write said application
  2. to whitelist processes while the system is still learning.

You could also extend it to monitor network activity.

This way you would at least know if you have been compromised.

Damian Nikodem
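An added example (not code posted by either answerer, and not part of unhide) of the two ideas above on Linux: a /proc-based profile of binaries versus their open files, diffed against a whitelist, plus a PID brute-force check that reports processes the kernel answers for but which a /proc listing omits. It assumes a Linux /proc and a PID ceiling of 32768 (read /proc/sys/kernel/pid_max for the real value); all function names are my own.

```python
import errno
import os

def proc_listed_pids(proc_root="/proc"):
    """PIDs visible by listing /proc, i.e. what ps and top see."""
    return {int(d) for d in os.listdir(proc_root) if d.isdigit()}

def pid_exists(pid):
    """Probe with signal 0: ESRCH = no such PID, EPERM = exists but not ours."""
    try:
        os.kill(pid, 0)
    except OSError as e:
        return e.errno == errno.EPERM
    return True

def find_hidden_pids(listed, probe=pid_exists, max_pid=32768):
    """PIDs the kernel answers for but /proc does not list (re-run: exits can race)."""
    return sorted(p for p in range(1, max_pid + 1) if p not in listed and probe(p))

def process_profile(proc_root="/proc"):
    """Map each running binary (/proc/<pid>/exe) to its open files (/proc/<pid>/fd)."""
    profile = {}
    for pid in proc_listed_pids(proc_root):
        base = os.path.join(proc_root, str(pid))
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            fds = os.listdir(os.path.join(base, "fd"))
        except OSError:
            continue  # exited meanwhile, or not readable without root: skip
        files = profile.setdefault(exe, set())
        for fd in fds:
            try:
                files.add(os.readlink(os.path.join(base, "fd", fd)))
            except OSError:
                pass  # fd closed between listing and readlink
    return profile

def diff_profile(baseline, current):
    """Binaries not in the whitelist, plus whitelisted binaries touching new files."""
    unknown = sorted(set(current) - set(baseline))
    new_files = {exe: sorted(files - baseline[exe])
                 for exe, files in current.items()
                 if exe in baseline and files - baseline[exe]}
    return unknown, new_files

if __name__ == "__main__":  # one pass; persist process_profile() as your baseline
    print("hidden PIDs:", find_hidden_pids(proc_listed_pids()))
    print("binaries with open files:", len(process_profile()))
```

Run it as root to see every process's exe and fd links; unprivileged runs silently skip other users' processes, so a baseline built that way is incomplete.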