Analyzing Hostile Data
The Malware Roadside Petting Zoo
We're going to see how to analyze malicious software, or "malware". I have some samples that I have collected on Linux and OpenBSD systems, and here we can safely look at their attributes and some of their contents. The Wikipedia article on malware has a good explanation of the nomenclature of malware — viruses, Trojans, dialers, spyware, downloader, ...
Start by reading Jon Kibler's great article on malware. Keep in mind that it was written in 2008 and intended to describe the current state and future of malware. He really nailed it.
Jon's article explains that Trojans were the dominant malware at the time, with rootkits and botnets becoming more common and harder to detect. The big worry was no longer the virus-infected floppy that overwrites your Master Boot Record. Examples of shifts in the threat in 2008 included:
- Gadgets like digital picture frames, USB thumb drives and MP3-playing sunglasses have come from the factories with malware pre-installed. This is in addition to the hard drives that have been shipped with malware:
- There are Cisco IOS rootkits and lots of counterfeit Cisco (and other) network hardware.
- BIOS malware should be pretty easy to create and extremely powerful, so maybe the reason we aren't seeing any is that it exists but it too hard to spot!
- Environmental and industrial control systems like SCADA, PLC, DCS, etc used to be based on proprietary and hardened platforms. But the market has complained that those are too hard to learn, and the suppliers are moving toward buggy general-purpose OS platforms sometimes plugged into the public Internet!
Useful tools for analyzing hostile data start with selecting any operating system other than something made by Microsoft. That gives you something that already includes all the GNU command-line utilities (e.g., Linux, BSD, macOS) or something to which they can easily be added (e.g., Solaris or some other UNIX). You should not use a browser to examine malware, as browsers are large and complicated and therefore buggy and susceptible to the very malware we're examining. The simple but useful command-line utilities provide safe ways of examining hostile data. The utilities you may find particularly useful include:
file,which in its GNU form, does a very good job of guessing just what a given data file contains. The Solaris version is worthless — if you have Solaris, add the GNU version and use it.
strings,which will dump out what appear to be the ASCII, or at least potentially human-readable, strings embedded in a file.
hexdump,which will show you everything contained within a file in (reasonably) human-friendly format.
clamscanis part of the free Clam AntiVirus suite. When you find some potentially malicious software, it can tell you if it matches a known virus signature. Get ClamAV from clamav.net.
- Other good free anti-virus (or really anti-malware) software includes Avira, AVG, and Avast!.
whois,to figure out who those mysterious IP addresses are assigned to.
traceroute,to figure out where those mysterious IP addresses are located, in case
whoisisn't terribly helpful.
upx,an alternative compress/archiving tool. Some malware attempts to hide by compressing itself with
The VirusTotal service is great, you can upload a suspicious file or submit a suspicious URL to get a quick detection and description of malware.
And now, on to the hostile data — your choices so far are:
Speaking of Trojan Horses, here is a passage from the beginning of Book II of Virgil's Aenid about the origins of the technology:
The Greeks grew weary of the tedious war,
And by Minerva's aid a fabric rear'd,
Which like a steed of monstrous height appear'd:
The sides were plank'd with pine; they feign'd it made
For their return, and this the vow they paid.
Thus they pretend, but in the hollow side
Selected numbers of their soldiers hide:
With inward arms the dire machine they load,
And iron bowels stuff the dark abode.
In sight of Troy lies Tenedos, an isle
(While Fortune did on Priam's empire smile)
Renown'd for wealth; but, since, a faithless bay,
Where ships expos'd to wind and weather lay.
There was their fleet conceal'd. We thought, for Greece
Their sails were hoisted, and our fears release.
The Trojans, coop'd within their walls so long,
Unbar their gates, and issue in a throng,
Like swarming bees, and with delight survey
The camp deserted, where the Grecians lay:
The quarters of the sev'ral chiefs they show'd;
Here Phoenix, here Achilles, made abode;
Here join'd the battles; there the navy rode.
Part on the pile their wond'ring eyes employ:
The pile by Pallas rais'd to ruin Troy.
Thymoetes first ('t is doubtful whether hir'd,
Or so the Trojan destiny requir'd)
Mov'd that the ramparts might be broken down,
To lodge the monster fabric in the town.