Analyzing Hostile Data
The Malware Roadside Petting Zoo
Start by reading
Jon Kibler's great article
on the future (and the current state) of malware:
http://blogs.stopbadware.org/articles/2008/06/16/the-future-of-malware/
See the Wikipedia article on malware
for an explanation of the nomenclature of malware —
viruses vs Trojans vs dialers vs spyware vs downloader vs ....
Jon's article explains that
Trojans
are the dominant
malware today, with
rootkits
and
botnets
becoming more common and harder to detect.
The big worry is no longer the virus-infected floppy that
overwrites your Master Boot Record.
Recent examples of shifts in the threat include:
-
Gadgets like digital picture frames,
USB thumb drives
and
MP3-playing sunglasses
have come from the factories with malware
pre-installed.
This is in addition to the hard drives that
have been shipped with malware.
-
There are Cisco IOS rootkits and lots of counterfeit
Cisco (and other) network hardware.
-
BIOS malware should be pretty easy to create
and extremely powerful,
so maybe the reason we aren't seeing any is that
it exists but is too hard to spot!
-
Environmental and industrial control systems like
SCADA,
PLC,
DCS,
etc. used to be based on proprietary and hardened
platforms.
But the market has complained that those are too
hard to learn, and the suppliers are moving toward
buggy general-purpose OS platforms sometimes
plugged into the public Internet!
Useful tools for analyzing hostile data start with selecting
any operating system other than something made by Microsoft.
The samples below are all Windows malware, so on another platform
a careless double-click will not run them.
(Keep them on a system that is isolated from anything you care about anyway;
the point is to examine the data, never to execute it.)
That gives you something that already
includes the standard command-line utilities
(e.g., Linux with the GNU versions, BSD and MacOS with their own versions)
or something to which the GNU versions can easily be added
(e.g., Solaris or some other UNIX).
You should not use a browser to examine malware,
as browsers are large and complicated and therefore buggy
and susceptible to the very malware we're examining.
The simple command-line utilities only read the file as bytes,
and so provide safer ways of examining hostile data.
The utilities you may find particularly useful include:
-
file, which in its open-source form (the libmagic-based version
shipped with Linux and the BSDs; despite common belief it is not a GNU program)
does a very good job of guessing just what
a given data file contains, from its content rather than its name.
The Solaris version is worthless;
if you have Solaris,
add the open-source version and use it.
-
strings,
which will dump out what appear to be the ASCII,
or at least potentially human-readable, strings
embedded in a file.
By default it reports runs of at least four printable 7-bit characters,
so Windows binaries, which store much of their text as UTF-16LE,
need GNU strings' "-e l" option before their wide strings show up.
-
hexdump,
which will show you everything contained
within a file in (reasonably) human-friendly format;
"hexdump -C" gives the familiar offset, hex bytes and ASCII columns.
-
clamscan,
part of the free Clam AntiVirus suite.
When you find some potentially malicious software,
it can tell you if it matches a known virus signature.
Keep the signature database current with freshclam,
and remember that no match only means it is not a known sample,
not that it is harmless.
Get it from
http://www.clamav.net/
-
whois,
to figure out who those mysterious IP addresses (and domain names) are
assigned to.
-
traceroute,
to figure out where those mysterious IP addresses are
located, in case whois isn't terribly helpful.
Unlike whois, which only asks the registries,
traceroute sends packets toward the host in question,
so whoever runs it can see you looking.
-
upx,
the "Ultimate Packer for eXecutables": a run-time executable packer,
not an archiving tool.
Some malware attempts to hide by compressing
itself with upx, which also scrambles the strings you would otherwise read.
"upx -t" tests whether a file is UPX-packed and "upx -d" unpacks a copy of it
(malware that has mangled the UPX headers will still carry the markers but fail to unpack):
http://upx.sourceforge.net/
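Putting those tools together, here is a small static-triage script, added as an example; it is not from the original page nor from any of the tools' own documentation. It builds a constructed, harmless file that merely looks like a Windows executable: an MZ stub, a planted URL and IP address from reserved documentation ranges (evil-download.example, 192.0.2.44), a UTF-16LE string, and optionally the section names UPX leaves behind. The function names, the sample and the indicator patterns are all assumptions for illustration. It calls file, strings, hexdump and clamscan where they are installed, falls back to POSIX tr and od where they are not, and never executes the file.

```shell
#!/bin/sh
# Added example: static triage of a suspect file with the tools listed above.
# The sample it builds is CONSTRUCTED (a fake MZ stub with planted strings);
# it is not malware and is never executed, only read as data.

# sha256 of a file, with whichever hashing tool this system has.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
  fi
}

# file(1) guesses the type from content (magic bytes), not from the name.
file_type() {
  if command -v file >/dev/null 2>&1; then file -b "$1"; else echo "(file not installed)"; fi
}

# Printable runs of 4+ characters; POSIX tr/grep fallback if strings(1) is missing.
# -a scans the whole file so an unrecognised object format is not silently skipped.
ascii_strings() {
  if command -v strings >/dev/null 2>&1; then
    strings -a -n 4 "$1"
  else
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
  fi
}

# UTF-16LE strings, which Windows binaries use heavily; needs GNU strings' -e option.
wide_strings() {
  if strings -e l /dev/null >/dev/null 2>&1; then
    strings -a -n 4 -e l "$1"
  else
    echo "(this strings(1) has no -e option; wide strings not extracted)"
  fi
}

# Offset / hex / ASCII view of the first 64 bytes (od fallback, hex only).
hex_head() {
  if command -v hexdump >/dev/null 2>&1; then
    head -c 64 "$1" | hexdump -C
  else
    head -c 64 "$1" | od -A x -t x1 -v
  fi
}

# Network indicators worth feeding to whois/traceroute: URLs and dotted quads.
# (Version numbers like 1.0.0.1 also match the IP pattern; eyeball the output.)
extract_iocs() {
  ascii_strings "$1" \
    | grep -o -E 'https?://[A-Za-z0-9._/%?=&-]+|[0-9]{1,3}(\.[0-9]{1,3}){3}' \
    | LC_ALL=C sort -u
}

# Cheap packer heuristic: UPX leaves "UPX0"/"UPX1" section names and a "UPX!" magic.
# Confirm with "upx -t" and unpack a copy with "upx -d" if upx is installed.
is_upx_packed() {
  ascii_strings "$1" | grep -q -E '^UPX[!01]'
}

# Print a triage report for one file. clamscan runs only if ClamAV is installed.
triage() {
  f=$1
  echo "== $f"
  echo "sha256: $(file_sha256 "$f")"
  echo "type:   $(file_type "$f")"
  echo "-- first 64 bytes";     hex_head "$f"
  echo "-- ASCII strings";      ascii_strings "$f"
  echo "-- UTF-16LE strings";   wide_strings "$f"
  echo "-- network indicators"; extract_iocs "$f"
  if is_upx_packed "$f"; then
    echo "packer: UPX markers found; the strings above come from the packed image"
  else
    echo "packer: no UPX markers (other packers exist; judge by the strings output)"
  fi
  if command -v clamscan >/dev/null 2>&1; then
    echo "-- clamscan"; clamscan --no-summary "$f" || true
  fi
  return 0
}

# Build the constructed sample in a temp file and print its path.
# "$1" = packed adds UPX markers. Indicators use RFC 2606 / RFC 5737 reserved values.
make_sample() {
  out=$(mktemp) || return 1
  {
    printf 'MZ\220\000\003\000\000\000'                    # DOS header signature
    printf 'This program cannot be run in DOS mode.\r\n\000\000'
    if [ "${1:-}" = packed ]; then
      printf 'UPX0\000\000\000\000UPX1\000\000\000\000UPX!\000'
    else
      printf '.text\000\000\000.rdata\000\000'
    fi
    printf 'http://evil-download.example/upd.exe\000'       # planted URL (constructed)
    printf 'C2 host: 192.0.2.44\000'                         # planted IP (TEST-NET-1)
    printf 'c\000m\000d\000.\000e\000x\000e\000\000\000'     # "cmd.exe" in UTF-16LE
  } > "$out"
  printf '%s\n' "$out"
}

# Demo: triage the constructed sample, then delete it.
demo=$(make_sample packed)
triage "$demo"
rm -f "$demo"
```

Run it as `sh triage.sh` to see the report for the constructed sample, or source the file and call `triage /path/to/suspect.bin`. Two things the tools alone will not tell you: `strings` without `-e l` silently misses the UTF-16LE text that Windows binaries are full of (the "cmd.exe" planted above only appears in the wide-string section), and the UPX check is a heuristic; a file whose UPX headers have been mangled still shows the markers but will fail `upx -d`.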
And now, on to the hostile data — your choices so far are:
-
The Downloader.Tibs.Gen-1 Trojan
-
The Bagel worm
-
The Mytob worm
-
The Mydoom worm
-
The Downloader.Small-1109 Trojan
-
The Stration.JH Worm
-
The Sober.U-3 Worm
-
Hacking the Human — Bank Scam
-
The Russian M.O.B. (Mail-Order Bride)