Analysis of the “lib__mdma.so.1” userland rootkit

Note to the reader: This blog post was written “as it happened”, so it may jump around the place a bit. I’ll try to clean it up somewhat before I hit publish, but I probably won’t have time to do much serious editing. Also, there is some value in showing the process, I guess. Or maybe that …

OpenSSL Engines for Linux Persistence

So a while back I read a blog post about using OpenSSL engines on Windows as part of a local privesc exploit against a certain VPN client. This got me thinking. If every time the OpenSSL library is called, an engine gets loaded, that seems like a fairly decent place to persist a process. So …