file
The file command helps identify the file type and displays general information about the suspected binary.
ldd
The ldd command lists all shared libraries used by the suspicious software.
gdb
gdb is the GNU debugger, useful for debugging an executable: it lets you “see what is going on 'inside' another program while it executes—or what another program was doing at the moment it crashed” (Free Software Foundation, Inc. 2002). gdb allows an investigator to run a suspicious program step by step, view the value of a specific expression, or print a stack trace using the bt command.
strace
strace displays the system calls and signals of a running program, including access to local and remote resources such as /etc/passwd. With the -o parameter, strace writes its output to a specified file.
The information recorded for each call includes:
- the name of the system call
- its arguments; and
- the return value
The output file can then be parsed with grep and an appropriate regular expression to identify accessed and/or modified system resources.
[Figure: grep over strace output]
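As an added example that is not part of the original page, the following Python script applies the grep idea above programmatically to strace -o output: it extracts the syscall name, arguments and error status from each line, separates paths that were read from those that were modified or only attempted, pulls remote endpoints out of connect calls, and flags entries matching a watch list. The sample trace and the watch list are constructed for the example, not a real capture.

```python
import re

# One strace -o line; the optional PID prefix is what strace -f adds.
LINE_RE = re.compile(r'^(?:\d+\s+)?(?P<name>\w+)\((?P<args>.*)\)\s+=\s+'
                     r'(?P<ret>-?\d+|0x[0-9a-fA-F]+|\?)(?:\s+(?P<err>E[A-Z]+))?')
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
SOCKADDR_RE = re.compile(r'sin6?_port=htons\((\d+)\).*?inet6?_addr\("([^"]+)"\)')
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}
MODIFY_CALLS = ("unlink", "unlinkat", "rename", "renameat", "chmod", "chown", "mkdir", "rmdir")
PATH_CALLS = ("open", "openat", "creat", "stat", "lstat", "newfstatat", "access", "readlink", "execve")
# Constructed watch list: resources a VoIP client has no obvious reason to touch.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/.mozilla/", "/.ssh/")

def parse_line(line):
    """Split one strace line into (syscall name, argument text, errno name or None)."""
    m = LINE_RE.match(line.strip())     # None for '--- SIGCHLD ...' and resumed fragments
    return (m.group("name"), m.group("args"), m.group("err")) if m else None

def summarize(lines):
    """Bucket syscalls into accessed/modified paths, failed attempts and remote endpoints."""
    out = {"accessed": set(), "modified": set(), "failed": set(), "network": set()}
    for name, args, err in filter(None, map(parse_line, lines)):
        paths = QUOTED_RE.findall(args)      # first quoted argument is the path, if any
        if name == "connect":
            for port, addr in SOCKADDR_RE.findall(args):
                out["network"].add((addr, int(port)))
        elif name in MODIFY_CALLS and paths:
            out["failed" if err else "modified"].add(paths[0])
        elif name in PATH_CALLS and paths:   # open-style calls modify only with write flags
            writes = WRITE_FLAGS & set(re.findall(r'\bO_[A-Z_]+', args))
            out["failed" if err else "modified" if writes else "accessed"].add(paths[0])
    return out

def suspicious(summary):
    """Paths touched, or attempted, that match the watch list."""
    touched = summary["accessed"] | summary["modified"] | summary["failed"]
    return sorted(p for p in touched if any(s in p for s in SENSITIVE))

# Constructed sample of strace -o output, not a real capture.
SAMPLE = """openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/home/user/.mozilla/firefox/abc.default/places.sqlite", O_RDONLY) = 4
openat(AT_FDCWD, "/home/user/.Skype/user/chatmsg.dbb", O_RDWR|O_CREAT, 0600) = 5
openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
unlink("/tmp/skype.lock") = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4321, si_status=0} ---
"""
if __name__ == "__main__":
    report = summarize(SAMPLE.splitlines())
    print({k: sorted(v) for k, v in report.items()}, "suspicious:", suspicious(report))
```

To run it over a real capture, pass the lines of the file written by strace -o to summarize() instead of SAMPLE.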
strings
strings prints all printable character sequences in a specified file. It can help identify system calls, resources, URLs, IP addresses, names, etc. when analysing suspected software.
AppArmor
AppArmor is a “Linux application security system” (AppArmor Security Project, 2011) that uses a whitelist approach to protect the operating system and its users. It does so by enforcing “good” behaviour, including which ports may be opened and which resources may be used, to protect against both known and unknown application flaws.
AppArmor includes “a combination of advanced static analysis and learning-based tools” (AppArmor Security Project, 2011), which can be helpful when investigating the behaviour of malicious software. For the purpose of a forensic investigation, the aa-genprof command can be used to record all of the software's activities, which can then be analysed at a later stage.
When using aa-genprof to analyse potential malware behaviour, the investigator has to invoke all possible functionality to force the software to access every local and remote resource it uses. In many cases it is necessary to let the software run for a few days, as some malware, such as infected bots, communicates with its controller only periodically.
[Figures: Skype main window; Skype calling echo123; Skype messaging echo123; aa-genprof analysing Skype access to Pulse resources, to the system fonts configuration, to local chat, to Firefox bookmarks, and to Firefox extensions]
Conclusions
The Skype application accesses the resources required to display a graphical user interface (GUI) using the Qt library, to interact with audio devices through the Pulse framework, and to use the network, all of which can be considered legitimate behaviour for a VoIP application.
On the other hand, Skype's access to resources such as Firefox bookmarks and extensions such as LastPass (an advanced password manager), and to system resources such as /etc/passwd, raises suspicion, as it resembles typical malware behaviour.
- Free Software Foundation, Inc. (2002), “GNU Tools
- AppArmor Security Project (2011), “Wiki Main Page” [online]. Available from: http://wiki.apparmor.net/index.php/Main_Page (accessed: July 27, 2011).