Linux/GNU provides a wealth of tools which can be used to analyze
binaries such as file, strings, md5sum, hexdump, ldd, strace and gdb.
Moreover, profiling tools such as AppArmor could be useful when
analyzing behaviour of an unknown binary.
For the purpose of demonstrating forensic software analysis
process and recoverable artifacts, a number of Linux/GNU tools will
be used to investigate Skype application. Conclusions of the
investigation will be presented at the end of the document.
file
file command helps identifying file type and displays general information about the suspected binary.
 |
| file command |
ldd
ldd command can be used to identify all shared
libraries used by the suspicious software.
 |
| ldd command |
gdb
gdb is a GNU debugger useful for debugging executable “see what is going on 'inside' another program while it executes—or what another program was doing at the moment it
crashed” (Free Software Foundation, Inc. 2002).
gdb allows an investigator to run a suspicious program step by step, view a value of a specific expression or print a stacktrace using
bt command.
 |
| gdb command |
 |
| gdb stacktrace |
strace
strace can be used to display system calls and signals, including access to local and remote resources such as
/etc/passwd.
strace command could be used with
-o parameter to output the content to a specified file.
The information includes:
- a name of a system call
- arguments; and
- return values
 |
| strace command |
 |
| strace output |
The output file could be parsed with
grep with appropriate regular expression to identify accessed and/or modified system resources.
 |
| grep strace output |
strings
strings prints all printable characters in a specified file. It could be useful to identify system calls, resources, URLs, IP addresses, names, etc. when analyzing a suspected
software.
 |
| strings command |
 |
| strings output |
AppArmor
AppArmor is a “Linux application security system” (AppArmor Security Project, 2011) using whitelist approach to protect the operating system and its users. It is done by enforcing “good”
behaviour including open ports, allowed resources, etc. to prevent from known and unknown application flows.
AppArmor includes a “a combination of advanced static analysis and learning-based tools” (AppArmor Security Project, 2011) which could be helpful when investigator a malicious software behaviour. For purpose of forensic investigation
aa-genprof command can be used to record all software activities which could be analyzed at the later stage.
When using
aa-genprof to analyze potential malware behaviour, the investigator has to invoke all possible functionality to force the software to access all local and remote resource. In many cases, it is required to let the software run for a few days as some malware such as infected bots communicate with the bot controller periodically.
 |
| aa-genprof command |
 |
| skype command |
 |
| Skype main window |
 |
| Skype calling echo123 |
 |
| Skype messaging echo123 |
 |
| aa-genprof analyzing Skype access to Pulse resources |
 |
| aa-genprof analyzing Skype access to system fonts configuration |
 |
| aa-genprof analyzing Skype access to local chat |
 |
| aa-genprof analyzing Skype access to Firefox bookmarks |
 |
| aa-genprof analyze Skype access to Firefox extensions |
Conclusions
Skype application access resources required to display a graphic user interface (GUI) using Qt library, interact with audio devices through Pulse framework and resources required to use a network, all of which could be considered ass legitimate behaviour for a VoIP application.
On the other, Skype access to resources such as Firefox bookmarks and extensions such as LassPass (advance password manager), and system resources such as
/etc/passwd raise suspicious as it resembles typical malware behaviour.
Bibliography
- Free Software Foundation, Inc. (2002), “GNU Tools
Manual”.
-
No comments:
Post a Comment