Analyzing Hostile Data

The Malware Roadside Petting Zoo

We're going to see how to analyze malicious software, or "malware". I have some samples that I have collected on Linux and OpenBSD systems, and here we can safely look at their attributes and some of their contents. The Wikipedia article on malware has a good explanation of the nomenclature of malware — viruses, Trojans, dialers, spyware, downloader, ...

Start by reading Jon Kibler's great article on malware. Keep in mind that it was written in 2008 and intended to describe the current state and future of malware. He really nailed it.

Jon's article explains that Trojans were the dominant malware at the time, with rootkits and botnets becoming more common and harder to detect. The big worry was no longer the virus-infected floppy that overwrites your Master Boot Record. Examples of shifts in the threat in 2008 included:

• Gadgets like digital picture frames, USB thumb drives and MP3-playing sunglasses have come from the factories with malware pre-installed. This is in addition to the hard drives that have been shipped with malware:
  • http://blog.wired.com/27bstroke6/2008/01/digital-photo-f.html
  • http://www.theregister.co.uk/2008/04/07/hp_proliant_usb_key_infection/
  • http://www.securityfocus.com/news/11499
• There are Cisco IOS rootkits and lots of counterfeit Cisco (and other) network hardware.
• BIOS malware should be pretty easy to create and extremely powerful, so maybe the reason we aren't seeing any is that it exists but it too hard to spot!
• Environmental and industrial control systems like SCADA, PLC, DCS, etc used to be based on proprietary and hardened platforms. But the market has complained that those are too hard to learn, and the suppliers are moving toward buggy general-purpose OS platforms sometimes plugged into the public Internet!

Useful tools for analyzing hostile data start with selecting any operating system other than something made by Microsoft. That gives you something that already includes all the GNU command-line utilities (e.g., Linux, BSD, macOS) or something to which they can easily be added (e.g., Solaris or some other UNIX). You should not use a browser to examine malware, as browsers are large and complicated and therefore buggy and susceptible to the very malware we're examining. The simple but useful command-line utilities provide safe ways of examining hostile data. The utilities you may find particularly useful include:

• file, which in its GNU form, does a very good job of guessing just what a given data file contains. The Solaris version is worthless — if you have Solaris, add the GNU version and use it.
• strings, which will dump out what appear to be the ASCII, or at least potentially human-readable, strings embedded in a file.
• hexdump, which will show you everything contained within a file in (reasonably) human-friendly format.
• clamscan is part of the free Clam AntiVirus suite. When you find some potentially malicious software, it can tell you if it matches a known virus signature. Get ClamAV from clamav.net.
• Other good free anti-virus (or really anti-malware) software includes Avira and AVG. I used to recommend Avast!, but then it was fined US$ 16.5 million for selling users' browsing data.
• whois, to figure out who those mysterious IP addresses are assigned to.
• traceroute, to figure out where those mysterious IP addresses are located, in case whois isn't terribly helpful.
• upx, an alternative compress/archiving tool. Some malware attempts to hide by compressing itself with upx: http://upx.sourceforge.net/

The VirusTotal service is great, you can upload a suspicious file or submit a suspicious URL to get a quick detection and description of malware.

And now, on to the hostile data — your choices so far are: