Hex dump of Gibe-F worm.

Analyzing Hostile Data

The Malware Roadside Petting Zoo

We're going to see how to analyze malicious software, or "malware". I have some samples that I have collected on Linux and OpenBSD systems, and here we can safely look at their attributes and some of their contents. The Wikipedia article on malware has a good explanation of the nomenclature of malware: viruses, Trojans, dialers, spyware, downloaders, and so on.

Start by reading Jon Kibler's great article on malware. Keep in mind that it was written in 2008 and intended to describe the current state and future of malware. He really nailed it.

Jon's article explains that Trojans were the dominant malware at the time, with rootkits and botnets becoming more common and harder to detect. The big worry was no longer the virus-infected floppy that overwrites your Master Boot Record. Examples of shifts in the threat in 2008 included:

Useful tools for analyzing hostile data start with the choice of operating system: use something other than Microsoft Windows. Almost all malware in the wild targets Windows, so on a Linux, BSD or macOS host a Windows executable will not run by accident, and you have the standard UNIX command-line utilities (GNU or BSD) already installed, or can easily add them (e.g., on Solaris or some other UNIX). That does not make the platform immune: scripts, document macros and cross-platform malware can still run, so never execute a sample, and keep this work off production machines. You should not use a browser to examine malware, as browsers are large and complicated and therefore buggy and susceptible to the very malware we're examining; a browser pointed at an HTML or JavaScript sample will simply run it. The simple command-line utilities read a file without interpreting it, which is what makes them safe ways of examining hostile data. The utilities you may find particularly useful include:

The VirusTotal service is great: you can upload a suspicious file or submit a suspicious URL to get a quick detection and description of malware. Compute the file's hash (SHA-256, or MD5/SHA-1) and search for that first. Uploading a file shares it with VirusTotal's antivirus partners and paying subscribers, so don't upload something that may contain your organization's data, and keep in mind that an upload of a sample from a targeted attack can tell the attacker it has been noticed.
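Here is an added example of the kind of read-only triage pass the command-line utilities make possible, and of computing the hash you would search VirusTotal for before deciding whether to upload. It is not code from the original page. It builds its own constructed, harmless stand-in for a Windows executable (an "MZ" magic, a fake "PE" signature and a few telltale strings) rather than touching a real sample, and the helper names (make_sample, printable_runs, has_mz_magic, extract_urls, file_sha256, triage) are this example's own. Nothing in it executes the file it inspects.

```shell
#!/bin/sh
# Added example: read-only triage of a suspicious file with standard
# command-line tools. Nothing here executes the sample. The helper
# names are this example's own, not from the page being edited.

# Build a constructed, harmless stand-in for a Windows executable: the
# "MZ" DOS magic, filler, a fake "PE" signature and some of the kinds
# of strings an analyst looks for. This is NOT real malware.
make_sample() {
    {
        printf 'MZ\220\000\003\000\000\000'   # "MZ" magic plus filler bytes
        head -c 56 /dev/zero                 # pad so "PE" sits at offset 64
        printf 'PE\000\000'                  # fake PE signature
        printf 'This program cannot be run in DOS mode.\000'
        printf 'http://update.example.invalid/payload.exe\000'
        printf 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\000'
        printf '\001\002\003\376\377'        # a few non-printable trailing bytes
    } > "$1"
}

# Portable stand-in for strings(1): runs of at least 8 printable ASCII
# characters, one per line. Works on binary input; no binutils needed.
printable_runs() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '^.{8,}$'
}

# Succeeds (exit 0) when the file starts with the "MZ" DOS/PE magic.
has_mz_magic() {
    [ "$(head -c 2 "$1")" = "MZ" ]
}

# URLs embedded as plain text; downloaders and droppers often carry them.
extract_urls() {
    printable_runs "$1" | grep -Eo 'https?://[^[:space:]"<>]+' | sort -u
}

# SHA-256 of the file, to look the sample up by hash before uploading it.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Human-readable triage report. Every step only reads the file.
triage() {
    f="$1"
    echo "== $f"
    ls -l "$f"
    echo "sha256: $(file_sha256 "$f")"
    command -v file >/dev/null 2>&1 && file "$f"   # magic-number identification
    if has_mz_magic "$f"; then
        echo "starts with MZ: treat as a Windows executable, do not run it"
    fi
    echo "-- first 64 bytes"
    od -A x -t x1 -N 64 "$f"     # od is POSIX; xxd is not always installed
    echo "-- printable strings (8+ chars)"
    printable_runs "$f"
    echo "-- embedded URLs"
    extract_urls "$f"
    return 0
}

# Usage: write the constructed sample to a scratch file and triage it.
sample=$(mktemp)
make_sample "$sample"
triage "$sample"
rm -f "$sample"
```

Run it on a real sample by calling triage with the file's path instead of the scratch file. The strings and URLs it prints are what the file's author chose to leave in plain text; packed or encrypted samples will show little, and that absence is itself a finding.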

And now, on to the hostile data — your choices so far are:


Speaking of Trojan Horses, here is a passage from the beginning of Book II of Virgil's Aeneid (in Dryden's translation) about the origins of the technology:

By destiny compell'd, and in despair,
The Greeks grew weary of the tedious war,
And by Minerva's aid a fabric rear'd,
Which like a steed of monstrous height appear'd:
The sides were plank'd with pine; they feign'd it made
For their return, and this the vow they paid.
Thus they pretend, but in the hollow side
Selected numbers of their soldiers hide:
With inward arms the dire machine they load,
And iron bowels stuff the dark abode.
In sight of Troy lies Tenedos, an isle
(While Fortune did on Priam's empire smile)
Renown'd for wealth; but, since, a faithless bay,
Where ships expos'd to wind and weather lay.
There was their fleet conceal'd. We thought, for Greece
Their sails were hoisted, and our fears release.
The Trojans, coop'd within their walls so long,
Unbar their gates, and issue in a throng,
Like swarming bees, and with delight survey
The camp deserted, where the Grecians lay:
The quarters of the sev'ral chiefs they show'd;
Here Phoenix, here Achilles, made abode;
Here join'd the battles; there the navy rode.
Part on the pile their wond'ring eyes employ:
The pile by Pallas rais'd to ruin Troy.
Thymoetes first ('t is doubtful whether hir'd,
Or so the Trojan destiny requir'd)
Mov'd that the ramparts might be broken down,
To lodge the monster fabric in the town.