LD_PRELOAD

Persistence and sideloading shared libraries in Linux

What is LD_PRELOAD

LD_PRELOAD is an environment variable related to dynamic linking and shared libraries in Linux. TAs (threat actors) can use LD_PRELOAD to specify a shared library (.so file) that the dynamic linker loads at runtime ahead of, and superseding, the default shared library. A more persistent method is to add the path of a malicious shared library to the system-wide preload file /etc/ld.so.preload, a file that does not typically exist by default.

LD_PRELOAD Location

  • ld.so

  • ld-linux.so

  • $LD_PRELOAD=

    • More restricted environment variable (per-process, not system-wide).

  • /etc/ld.so.preload

    • System-wide persistence.

What info does LD_PRELOAD contain?

  • File path(s) of the malicious shared library (or libraries) to preload.

Pro-Tips:

  • Look for shared library files in unusual locations.

  • Look for shared library files with incorrect or misspelled names (e.g. names that imitate legitimate libraries).

  • Google the names of identified shared library files. Legitimate ones should be well documented.

  • Even well-known shared library files may not be present in VirusTotal, so absence from VirusTotal alone is not evidence that a file is malicious.

Mitigate

Although effective, fortunately this technique is relatively easy to detect on Linux. To check the contents of the LD_PRELOAD envar, the export command (or echo $LD_PRELOAD, as shown under Remediate) can be used. If you suspect your system has been compromised and this envar is set, then it’s likely that a malicious library has been used. The unset command can be used to delete the value of the envar and reveal the malware if a process-hiding library was used.

Similarly, the /etc/ld.so.preload file shouldn’t exist in a vanilla installation of Linux. If this file exists and it contains paths to arbitrary shared libraries, this is again indicative of malicious libraries being used. Simply delete the file to prevent the libraries being loaded in future and remove the libraries themselves.
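The checks described in this section, put together as an added example (this is not code from the original page): the script inspects the two persistence locations, the LD_PRELOAD variable of the current shell and the /etc/ld.so.preload file, and flags every referenced library that is missing from disk or that lives outside the standard library directories. The list of standard directories, the script name used in the run guard, and the sample paths in the comments are assumptions, so adjust them for your distribution.

```bash
#!/bin/sh
# Added example, not part of the original page: audit LD_PRELOAD persistence.
# Usage: sh audit_ld_preload.sh [preload_file]   (default /etc/ld.so.preload)

# Assumption: where legitimate shared libraries live on this distribution.
# Override the variable to fit your system (or a test fixture).
STANDARD_LIB_DIRS=${STANDARD_LIB_DIRS:-"/lib /lib64 /usr/lib /usr/lib64 /usr/lib32"}

# Return 0 if the path sits under one of STANDARD_LIB_DIRS, 1 otherwise.
is_standard_lib_path() {
    path=$1
    for dir in $STANDARD_LIB_DIRS; do
        case "$path" in
            "$dir"/*) return 0 ;;
        esac
    done
    return 1
}

# Audit a preload-style list of library paths (colon- or whitespace-separated,
# as both LD_PRELOAD and /etc/ld.so.preload accept). Prints one line per entry:
#   MISSING  - referenced but not on disk (stale or already-removed implant)
#   UNUSUAL  - exists, but outside the standard library directories
#   OK       - exists under a standard library directory (still worth verifying)
audit_preload_entries() {
    entries=$(printf '%s' "$1" | tr ':' ' ')
    for lib in $entries; do
        if [ ! -e "$lib" ]; then
            echo "MISSING  $lib (referenced but not on disk)"
        elif ! is_standard_lib_path "$lib"; then
            echo "UNUSUAL  $lib (shared library outside standard library dirs)"
        else
            echo "OK       $lib"
        fi
    done
    return 0
}

# Audit both persistence locations: the LD_PRELOAD variable inherited by this
# shell and the system-wide preload file (path overridable for testing).
# Comment lines (starting with '#') in the preload file are stripped first.
audit_system() {
    preload_file=${1:-/etc/ld.so.preload}
    if [ -n "${LD_PRELOAD:-}" ]; then
        echo "LD_PRELOAD is set: $LD_PRELOAD"
        audit_preload_entries "$LD_PRELOAD"
    else
        echo "LD_PRELOAD is not set"
    fi
    if [ -f "$preload_file" ]; then
        echo "$preload_file exists (not present on a vanilla install):"
        audit_preload_entries "$(sed 's/#.*//' "$preload_file")"
    else
        echo "$preload_file does not exist"
    fi
    return 0
}

# Run the live audit only when executed under the assumed script name, so the
# functions can also be sourced into another shell without side effects.
if [ "${0##*/}" = "audit_ld_preload.sh" ]; then
    audit_system "$@"
fi
```

Run it as root so that the preload file and every referenced library are readable. A MISSING entry is not a clean bill of health: a library that was removed while its path was left in /etc/ld.so.preload still proves the file was tampered with, and an OK entry only means the path is plausible, so verify the file itself (package ownership, hash, timestamps) before trusting it.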

TL;DR

  • View contents of $LD_PRELOAD to find persistence.

    • Remove malicious values and target shared libraries to remediate.

  • /etc/ld.so.preload file shouldn’t exist in a vanilla installation of Linux (existence could be indicative of compromise).

    • Delete the file and remove the referenced libraries to remediate.

Remediate

# List the contents of an environment variable (e.g. echo $LD_PRELOAD)
echo $VARIABLE_NAME

# Set the value of an environment variable
export NAME=VALUE

# List all environment variables
set

# Remove an environment variable (e.g. unset LD_PRELOAD)
unset VARIABLE_NAME
