10 Malware
INFORMATION IN THIS CHAPTER:
The file command
Using hash databases to identify malware
Using strings to gather clues
The nm command
The ldd command
Using readelf to get the big picture
Using objdump for disassembly
Using strace to track system calls
Using ltrace to track library calls
Using the GNU Debugger
Obfuscation techniques
IS IT MALWARE?
You’ve discovered a file left by an attacker on the subject system. Naturally, you want to know if it is some sort of malware. The first thing you want to do is classify the file. Is it an executable or some sort of data file? If it is executable, what does it do? What libraries does it use? Does it connect to the attacker across the network?
While this is not a book on reverse engineering Linux malware, the information in this chapter should be sufficient for you to distinguish malware from benign files and to gain a high-level understanding of the kinds of functions malware performs. Your clients, however, do not care what the malware does or how many clever techniques its programmer used. Their biggest concern is what information may have been compromised as a result of the malware, and this should be your biggest concern as well. In some cases, you will need to investigate the malware itself to determine the extent of the damage.
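As an added example (not code from the book), the following Python performs a static first pass at the classification questions above without executing or loading the sample: it hashes the file, decides whether it is an ELF binary or plain data, reads the dynamic loader it requests from its PT_INTERP segment, and harvests shared-object names that appear as printable strings. The ELF it inspects is constructed inline for demonstration and is not a real program.

```python
import hashlib
import re
import struct

# Field values from the ELF specification (System V ABI)
ELF_MAGIC = b"\x7fELF"
ET_NAMES = {1: "relocatable object", 2: "executable", 3: "shared object or PIE", 4: "core dump"}
PT_INTERP = 3

def triage(data: bytes) -> dict:
    """Static first look at an unknown file: hash it, classify it as ELF or data, record the
    requested dynamic loader (PT_INTERP) and collect library names visible as strings."""
    info = {"sha256": hashlib.sha256(data).hexdigest(), "is_elf": data[:4] == ELF_MAGIC}
    if not info["is_elf"] or len(data) < 52:          # 52 bytes = smallest (ELF32) header
        info["kind"] = "data (not an ELF binary)"
        return info
    is64 = data[4] == 2                               # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"                # EI_DATA: 1 = little, 2 = big endian
    e_type, e_machine = struct.unpack_from(end + "HH", data, 16)
    info["class"] = 64 if is64 else 32
    info["kind"] = "ELF " + ET_NAMES.get(e_type, f"unknown type {e_type}")
    info["machine"] = e_machine                       # 62 = x86-64, 3 = i386, 183 = AArch64
    # Program header table; field offsets differ between the ELF32 and ELF64 headers
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    info["interpreter"] = None                        # stays None if statically linked
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if struct.unpack_from(end + "I", data, off)[0] != PT_INTERP:
            continue
        # p_offset/p_filesz follow p_flags in ELF64 but come directly after p_type in ELF32
        fmt, o_off, o_sz = (end + "Q", off + 8, off + 32) if is64 else (end + "I", off + 4, off + 16)
        p_offset = struct.unpack_from(fmt, data, o_off)[0]
        p_filesz = struct.unpack_from(fmt, data, o_sz)[0]
        info["interpreter"] = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode("ascii", "replace")
    # Shared-object names embedded as printable text (what `strings` would show), e.g. libc.so.6
    info["libraries"] = sorted({m.decode() for m in re.findall(rb"[\w.+-]+\.so(?:\.\d+)*", data)})
    return info

def build_sample() -> bytes:
    """Constructed sample: minimal little-endian x86-64 ELF64 header, one PT_INTERP segment, a few strings."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    strings = b"libc.so.6\0libpthread.so.0\0connect\0"
    ehdr = struct.pack("<4sBBBBB7sHHIQQQIHHHHHH", ELF_MAGIC, 2, 1, 1, 0, 0, b"\0" * 7,
                       2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 64 + 56, 0, 0, len(interp), len(interp), 1)
    return ehdr + phdr + interp + strings
```

Run `triage(open(path, "rb").read())` on a file copied off the subject system; a None interpreter on an ELF executable points to static linking, which is common in attacker-dropped binaries and worth a closer look with the tools later in this chapter.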