Analyzing Hostile Data

Start by reading Jon Kibler's great article on the future (and the current state) of malware: http://blogs.stopbadware.org/articles/2008/06/16/the-future-of-malware/
See the Wikipedia article on malware for an explanation of the nomenclature of malware — viruses vs Trojans vs dialers vs spyware vs downloader vs ....

Jon's article explains that Trojans are the dominant malware today, with rootkits and botnets becoming more common and harder to detect. The big worry is no longer the virus-infected floppy that overwrites your Master Boot Record. Recent examples of shifts in the threat include:

• Gadgets like digital picture frames, USB thumb drives and MP3-playing sunglasses have come from the factories with malware pre-installed. This is in addition to the hard drives that have been shipped with malware:
  • http://blog.wired.com/27bstroke6/2008/01/digital-photo-f.html
  • http://www.theregister.co.uk/2008/04/07/hp_proliant_usb_key_infection/
  • http://www.securityfocus.com/news/11499
• There are Cisco IOS rootkits and lots of counterfeit Cisco (and other) network hardware.
• BIOS malware should be pretty easy to create and extremely powerful, so maybe the reason we aren't seeing any is that it exists but it too hard to spot!
• Environmental and industrial control systems like SCADA, PLC, DCS, etc used to be based on proprietary and hardened platforms. But the market has complained that those are too hard to learn, and the suppliers are moving toward buggy general-purpose OS platforms sometimes plugged into the public Internet!

Useful tools for analyzing hostile data start with selecting any operating system other than something made by Microsoft. That gives you something that already includes all the GNU command-line utilities (e.g., Linux, BSD, MacOS) or something to which they can easily be added (e.g., Solaris or some other UNIX). You should not use a browser to examine malware, as browsers are large and complicated and therefore buggy and susceptible to the very malware we're examining. The simple but useful command-line utilities provide safe ways of examining hostile data. The utilities you may find particularly useful include:

• file, which in its GNU form, does a very good job of guessing just what a given data file contains. The Solaris version is worthless — if you have Solaris, add the GNU version and use it.
• strings, which will dump out what appear to be the ASCII, or at least potentially human-readable, strings embedded in a file.
• hexdump, which will show you everything contained within a file in (reasonably) human-friendly format.
• clamscan, part of the free Clam AntiVirus suite. When you find some potentially malicious software, it can tell you if it matches a known virus signature. Get it from http://www.clamav.net/
• whois, to figure out who those mysterious IP addresses are assigned to.
• traceroute, to figure out where those mysterious IP addresses are located, in case whois isn't terribly helpful.
• upx, an alternative compress/archiving tool. Some malware attempts to hide by compressing itself with upx: http://upx.sourceforge.net/

And now, on to the hostile data — your choices so far are:

1. Gibe-F Worm, also known as the Swen Worm, one of the more interesting pieces of malware I have.
2. Downloader.Tibs.Gen-1 Trojan
3. Bagel worm
4. Mytob worm
5. Mydoom worm
6. Downloader.Small-1109 Trojan
7. Stration.JH Worm
8. Sober.U-3 Worm
9. Trojan.Agent-59561
10. Trojan.Exchanger.DL
11. Hacking the Human — Bank Scam
12. The Russian M.O.B. (Mail-Order Bride)

Speaking of Trojan Horses, here is a passage from the beginning of Book II of Virgil's Aenid about the origins of the technology:

By destiny compell'd, and in despair,
The Greeks grew weary of the tedious war,
And by Minerva's aid a fabric rear'd,
Which like a steed of monstrous height appear'd:
The sides were plank'd with pine; they feign'd it made
For their return, and this the vow they paid.
Thus they pretend, but in the hollow side
Selected numbers of their soldiers hide:
With inward arms the dire machine they load,
And iron bowels stuff the dark abode.
In sight of Troy lies Tenedos, an isle
(While Fortune did on Priam's empire smile)
Renown'd for wealth; but, since, a faithless bay,
Where ships expos'd to wind and weather lay.
There was their fleet conceal'd. We thought, for Greece
Their sails were hoisted, and our fears release.
The Trojans, coop'd within their walls so long,
Unbar their gates, and issue in a throng,
Like swarming bees, and with delight survey
The camp deserted, where the Grecians lay:
The quarters of the sev'ral chiefs they show'd;
Here Phoenix, here Achilles, made abode;
Here join'd the battles; there the navy rode.
Part on the pile their wond'ring eyes employ:
The pile by Pallas rais'd to ruin Troy.
Thymoetes first ('t is doubtful whether hir'd,
Or so the Trojan destiny requir'd)
Mov'd that the ramparts might be broken down,
To lodge the monster fabric in the town.

Back to the information security page

Home Unix/Linux Networking Infosec Travel Technical Radio Site Map Contact