10 Malware

INFORMATION IN THIS CHAPTER:

The file command

Using hash databases to identify malware

Using strings to gather clues

The nm command

The ldd command

Using readelf to get the big picture

Using objdump for disassembly

Using strace to track system calls

Using ltrace to track library calls

Using the GNU Debugger

Obfuscation techniques

IS IT MALWARE?

You’ve discovered a file left by an attacker on the subject system. Naturally, you want to know if it is some sort of malware. The first thing you want to do is classify the file. Is it an executable or some sort of data file? If it is executable, what does it do? What libraries does it use? Does it connect to the attacker across the network?

While this is not a book on reverse engineering Linux malware, the information in this chapter should be sufficient for you to distinguish malware from benign files and to gain a high-level understanding of what a piece of malware does. Your client does not care how the malware works or how many clever techniques its author used. Their biggest concern is what information may have been compromised as a result of the malware, and that should be your biggest concern as well. In some cases you will need to investigate the malware in order to determine the extent of the damage.
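The questions above (is it executable, what libraries does it use, does it talk to the network) can be answered, to a first approximation, without ever running the file. The script below is an added example written for this chapter and is not code from the book or its author. It classifies a suspect file by its magic bytes, hashes it, pulls network indicators out of its printable strings, and lists linked libraries with readelf rather than ldd, because ldd can end up executing the loader of the binary you are examining. The file contents used in the self-test (an ELF header followed by a few strings, including the documentation address 203.0.113.5) are constructed for the example.

```shell
#!/bin/sh
# Static triage of a suspect file. Added example, not from the book.
# Assumes a POSIX shell plus head, od, tr, grep, sort and one of
# sha256sum / shasum / openssl; file, strings and readelf are optional.

# Classify by the first four bytes, without executing anything and
# without depending on the `file` command being installed.
classify_magic() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo "ELF" ;;       # \177ELF
        23212f*)  echo "script" ;;    # "#!/" shebang line
        1f8b*)    echo "gzip" ;;      # compressed payload, inspect further
        *)        echo "unknown" ;;
    esac
}

# SHA-256 of the file, for lookup in a hash database (NSRL, VirusTotal, ...).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Printable runs of at least four characters, like `strings`, but
# implemented with tr so it works even when binutils is absent.
printable_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# IPv4 literals and URLs embedded in the file: the cheapest hint that
# the sample connects back to the attacker.
network_indicators() {
    printable_strings "$1" \
        | grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}|https?://[^[:space:]"]+' \
        | sort -u
}

# Shared libraries the ELF asks the loader for. readelf only parses the
# headers; ldd may run the dynamic loader on the sample, so avoid it here.
needed_libs() {
    if command -v readelf >/dev/null 2>&1; then
        readelf -d "$1" 2>/dev/null | awk '/NEEDED/ { gsub(/[][]/, "", $NF); print $NF }'
    else
        echo "(readelf not installed)"
    fi
}

triage() {
    printf 'file:   %s\n' "$1"
    printf 'type:   %s\n' "$(classify_magic "$1")"
    printf 'sha256: %s\n' "$(hash_file "$1")"
    echo   'needed libraries:'
    needed_libs "$1" | sed 's/^/  /'
    echo   'network indicators:'
    network_indicators "$1" | sed 's/^/  /'
}

# Usage: sh triage.sh /path/to/suspect_file
if [ $# -gt 0 ]; then
    triage "$1"
fi
```

Run it as `sh triage.sh /tmp/suspect` on a copy of the file; everything here is read-only and none of the steps execute the sample. When `file`, `strings` or `readelf` are available on the analysis box, they give richer output than the portable fallbacks, and the commands in the rest of the chapter pick up where this quick pass leaves off.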
