Malware Forensics: Investigating and Analyzing Malicious Code
Linux Tools

July 11, 2009:

Leaf is an extendable ELF analysis and disassembly framework written in C. Leaf contains ELF parsing functions, an x86 disassembler library (udis86) and a plugin interface. Leaf does not rely on libelf or any GNU BFD libraries. All of the ELF parsing code is written from scratch and will work on any stripped binary without a Section Header. It can parse 32-bit x86 ELF objects for Linux, BSD and Sun Solaris platforms (x86 ELF objects from other OSes may also work). Its disassembly library (udis86) can parse 64-bit x86 instructions, but that is not enabled yet.

The core engine correlates many things such as xrefs, symbols and code relocations. By itself, Leaf is nothing special. The plugin framework for developing quick information-extracting tools is what adds value. The code is currently in a beta stage and is available through the downloads tab above. I have also provided a few example plugins such as a hit tracer which uses Leaf's debugging API, a plugin that searches data sections for embedded files using libmagic, and a basic command line disassembler.

Leaf was written to run on x86 Linux platforms. The debug API is strictly ptrace and still needs a few changes in order to run on BSD.

Elfinfo is an ELF parser that displays the sections and symbols in an ELF file.
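What "works on any stripped binary without a Section Header" means in practice is that the loader never needs the section table: the program headers alone give the segments, the PT_INTERP path and, through PT_DYNAMIC, the DT_NEEDED libraries. The script below is an added example written for this page (it is not Leaf's or elfinfo's code) that reads exactly those from a little-endian ELF64 image; Leaf itself targets 32-bit x86, where the header fields are narrower. The sample binary is constructed inline with e_shoff and e_shnum set to zero, and the function and constant names are this example's own.

```python
"""Program-header view of an ELF64 file, ignoring the section header table.
Added example for this page; not part of Leaf or elfinfo."""
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10
PF_X, PF_W, PF_R = 1, 2, 4


def _cstr(data, off):
    """NUL-terminated string at file offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_elf64(data):
    """Segments, interpreter and DT_NEEDED list of a little-endian ELF64 file,
    read from the program headers only (a stripped or corrupted section
    header table changes nothing here)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 handled in this example")
    (e_type, e_machine, _, e_entry, e_phoff, e_shoff, _, _, e_phentsize,
     e_phnum, _, e_shnum, _) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    segs = []
    for i in range(e_phnum):
        p_type, p_flags, p_off, p_vaddr, _, p_filesz, p_memsz, _ = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        segs.append({"type": p_type, "flags": p_flags, "offset": p_off,
                     "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz})

    def vaddr_to_off(va):
        # Dynamic-section pointers are virtual addresses; PT_LOAD maps them
        # back to file offsets.
        for s in segs:
            if s["type"] == PT_LOAD and s["vaddr"] <= va < s["vaddr"] + s["filesz"]:
                return va - s["vaddr"] + s["offset"]
        raise ValueError(f"vaddr {va:#x} is not file-backed")

    interp = None
    for s in segs:
        if s["type"] == PT_INTERP:
            interp = _cstr(data, s["offset"])
    needed = []
    dyn = next((s for s in segs if s["type"] == PT_DYNAMIC), None)
    if dyn is not None:
        entries, off = [], dyn["offset"]
        while True:
            tag, val = struct.unpack_from("<QQ", data, off)
            if tag == DT_NULL:
                break
            entries.append((tag, val))
            off += 16
        strtab_va = next((v for t, v in entries if t == DT_STRTAB), None)
        if strtab_va is not None:
            strtab = vaddr_to_off(strtab_va)
            needed = [_cstr(data, strtab + v) for t, v in entries if t == DT_NEEDED]
    return {"type": e_type, "machine": e_machine, "entry": e_entry,
            "has_section_headers": bool(e_shoff and e_shnum),
            "segments": segs, "interp": interp, "needed": needed}


def build_stripped_elf():
    """Constructed ELF64 x86-64 image (contains no real code) with NO section
    header table: a PT_INTERP, one PT_LOAD and a PT_DYNAMIC that names
    libc.so.6 and libpthread.so.0."""
    BASE = 0x400000
    img = bytearray(0x1000)
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    dynstr = b"\0libc.so.6\0libpthread.so.0\0"        # offsets 1 and 11
    img[0x200:0x200 + len(interp)] = interp
    img[0x300:0x300 + len(dynstr)] = dynstr
    dyn = b"".join(struct.pack("<QQ", t, v) for t, v in (
        (DT_NEEDED, 1), (DT_NEEDED, 11), (DT_STRTAB, BASE + 0x300),
        (DT_STRSZ, len(dynstr)), (DT_NULL, 0)))
    img[0x400:0x400 + len(dyn)] = dyn
    phdrs = [(PT_INTERP, PF_R, 0x200, BASE + 0x200, len(interp)),
             (PT_LOAD, PF_R | PF_X, 0, BASE, 0x1000),
             (PT_DYNAMIC, PF_R | PF_W, 0x400, BASE + 0x400, len(dyn))]
    img[:16] = b"\x7fELF\x02\x01\x01" + b"\0" * 9        # ELFCLASS64, LE
    struct.pack_into("<HHIQQQIHHHHHH", img, 16, 2, 0x3E, 1, BASE + 0x500,
                     64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)   # e_shoff = e_shnum = 0
    for i, (t, f, off, va, size) in enumerate(phdrs):
        struct.pack_into("<IIQQQQQQ", img, 64 + 56 * i, t, f, off, va, va,
                         size, size, 0x1000 if t == PT_LOAD else 1)
    return bytes(img)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_stripped_elf()
    info = parse_elf64(blob)
    print("section headers:", info["has_section_headers"])
    print("interp:", info["interp"], "needed:", info["needed"])
```

Run it against a real stripped or sstrip'ed binary by passing the path; because the parser never consults e_shoff, a section table that was removed or deliberately malformed to crash objdump-style tools does not affect the result.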

July 7, 2009:
A fundamental part of Linux malware forensics during the behavioral analysis of a malware specimen is monitoring open files on the infected host.  The de facto tool for this task is lsof, a utility native to most Linux flavors.  Lsof output can be viewed in a terminal window or piped to a file for later analysis.  Keep in mind that lsof reads /proc and links against the host's libraries, so on a host suspected of running a rootkit it should be run from trusted, statically linked media and its output treated as a starting point rather than ground truth.  I've always thought that a GUI version of lsof would be an interesting prospect, particularly one that allowed for granular control of input and output.  Daniel Francesconi has developed such a tool suite, GLSOF, which is now in its second incarnation (the original version is written in C; the current version is Java).  GLSOF is two separate utilities: GLSOF-Queries and GLSOF-Filemonitor.  Daniel was very receptive and responsive to questions regarding the tools and advised that he is still in the process of refining their functionality.  I have not fully explored the functionality of the tools, but I'm intrigued with what I've seen thus far.

GLSOF-Filemonitor in action

Invoking GLSOF-Queries

July 6, 2009:
FEATURED TOOL: Net Activity Viewer-
Net Activity Viewer is a graphical network connections viewer for Linux with functionality similar to netstat. It includes features such as process information, host name retrieval, automatic refresh and sorting, and has a fully featured GTK 2 graphical interface.  Net Activity Viewer is a great tool for malware investigators who are familiar with TCPView, Active Ports, CurrPorts and other GUI-based port monitoring tools for Windows malware analysis.

Net Activity Viewer has an intuitive menu allowing the user to choose the output and the items displayed in the viewing pane.  The benefit of Net Activity Viewer over a plain netstat listing is that it refreshes automatically (netstat only does so when invoked with -c).  Further, if the user chooses the "Color Highlight" feature, freshly opened connections are highlighted green (see the image above, displaying a freshly created ssh connection attempt).

July 5, 2009:
FEATURED TOOL: DAVIX- [from the SecViz (Security Visualization) web site]: "DAVIX, a live CD for data analysis and visualization, brings the most important free tools for data processing and visualization to your desk. There is no hassle with installing an operating system or struggle to build the necessary tools to get started with visualization. You can completely dedicate your time to data analysis.

The DAVIX CD is based on SLAX and features broad out-of-the-box hardware support for graphic cards and network adapters. SLAX is based on Slackware and follows a modularized approach. Thus, the SLAX ISO image can easily be customized for various purposes. It can even be installed on USB sticks and provide you with mobile analysis capabilities."  The following is a list of all the visualization tools installed on the DAVIX distribution:

    * AfterGlow
    * TreeMap
    * Mondrian
    * Parvis
    * LGL
    * R Project
    * InetVis
    * EtherApe
    * GGobi
    * Tulip
    * Cytoscape
    * GUESS
    * RT3DG
    * Walrus
    * Dotty and lneato
    * GraphViz
    * glTail
    * Shoki
    * TimeSearcher
    * TNV
    * NVisionIP
    * Rumint
    * MRTG/RRD
    * GnuPlot
    * Ploticus

July 3, 2009:
FEATURED TOOL: Unhide- Unhide is a forensic tool to find processes and TCP/UDP ports hidden by rootkits, Linux kernel modules or other techniques.
It includes two utilities: unhide and unhide-tcp.

Unhide detects hidden processes using three techniques:

* comparing the output of /proc and /bin/ps
* comparing the information gathered from /bin/ps with the one gathered from system calls (syscall scanning)
* full scan of the process ID space (PIDs bruteforcing)

Unhide-tcp identifies TCP/UDP ports that are listening but are not listed by /bin/netstat, by brute-forcing all available TCP/UDP ports.
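The port side of that check, as an added example for this page rather than unhide-tcp's own code: the kernel refuses bind() on a port another socket already owns, so attempting to bind every port yields a list of ports in use that does not depend on netstat (or on /proc/net/tcp, which netstat reads). Any port that is in use but listed nowhere is a candidate hidden socket. The embedded /proc/net/tcp excerpt is constructed, and the function names (listed_ports, port_in_use, find_hidden_ports, probe_live_listener) are this example's own.

```python
"""Hidden TCP port check in the spirit of unhide-tcp (added example; not the
tool's own source).  Compares bind()-probing of the port space with what
/proc/net/tcp reports."""
import errno
import socket


def listed_ports(proc_net_tcp_text):
    """Local ports present in /proc/net/tcp or tcp6 text, in ANY state.
    Not only LISTEN (state 0A): bind() also fails on ports held by
    established or TIME_WAIT sockets, and those must not be flagged."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:   # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local = fields[1]                             # e.g. "0100007F:0016" = 127.0.0.1:22
        ports.add(int(local.rsplit(":", 1)[1], 16))
    return ports


def read_listed_ports():
    """Ports the kernel's own /proc view admits (IPv4 and IPv6 tables)."""
    ports = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                ports |= listed_ports(f.read())
        except OSError:
            pass
    return ports


def port_in_use(port):
    """True if bind() on the wildcard address fails with EADDRINUSE, False if
    it succeeds, None if the probe cannot tell (a port below 1024 without
    CAP_NET_BIND_SERVICE gives EACCES whether or not it is taken)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # no SO_REUSEADDR: we want conflicts
    try:
        s.bind(("0.0.0.0", port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        if e.errno in (errno.EACCES, errno.EPERM):
            return None
        raise
    finally:
        s.close()


def find_hidden_ports(ports, listed, in_use=port_in_use):
    """Ports the bind probe reports as taken that `listed` does not contain.
    `in_use` is injectable so the logic can be checked on a constructed view;
    probes that return None (unknown) are skipped rather than guessed."""
    return [p for p in ports if in_use(p) and p not in listed]


# Constructed /proc/net/tcp excerpt: port 22 LISTEN, port 8080 ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:D2F4 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""


def probe_live_listener():
    """Open a loopback listener and confirm both views agree on it:
    (bind probe says taken, port appears in /proc/net/tcp)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return port_in_use(port), port in read_listed_ports()
    finally:
        srv.close()


if __name__ == "__main__":
    hidden = find_hidden_ports(range(1, 65536), read_listed_ports())
    print(hidden or "no TCP port is taken without appearing in /proc/net/tcp")
```

Run the live sweep as root so privileged ports are probed too, and expect a few transient hits from sockets that changed state between the /proc read and the probe; re-check those before calling them hidden. A rootkit that hooks bind() as well as /proc defeats this probe, which is why unhide-tcp's result is one indicator among several, not a verdict.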

Invoking unhide is intuitive; it can be used in three modes: proc, sys and brute.

The proc mode compares /proc with the output of /bin/ps.

root@MalwareLab:/home/malwarelab/Desktop# unhide proc
Unhide 02-11-2007

[*]Searching for Hidden processes through /proc scanning

The sys mode compares information gathered from /bin/ps with information gathered from system calls.

root@MalwareLab:/home/malwarelab/Desktop# unhide sys
Unhide 02-11-2007

[*]Searching for Hidden processes through getpriority() scanning

[*]Searching for Hidden processes through getpgid() scanning

[*]Searching for Hidden processes through getsid() scanning

[*]Searching for Hidden processes through sched_getaffinity() scanning

[*]Searching for Hidden processes through sched_getparam() scanning

[*]Searching for Hidden processes through sched_getscheduler() scanning

[*]Searching for Hidden processes through sched_rr_get_interval() scanning

[*]Searching for Hidden processes through sysinfo() scanning

The brute mode brute-forces the entire process ID space (this technique is only available on Linux 2.6 kernels).
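All three modes rest on one idea: ask the kernel about every PID through a path other than the one ps uses, and flag disagreements. The script below is an added example written for this page (it is not unhide's source) that does the /proc-versus-syscall comparison over the whole PID space, using the same PID-taking syscalls the sys-mode output above names; find_hidden takes the visible set and the existence probe as parameters so it can be exercised on a constructed view, and the function names are this example's own.

```python
"""Hidden-process sweep in the spirit of unhide's proc, sys and brute modes.
Added example for this page, not unhide's own source.

Two views of the PID space are compared:
  * what /proc lists (the view a /proc-reading ps gets), and
  * what PID-taking syscalls admit exists (kill(pid, 0), getpgid(),
    sched_getscheduler()), asked for every PID up to pid_max.
A PID that answers a syscall but is missing from /proc is a candidate
hidden process."""
import os


def read_pid_max(default=32768):
    """Upper bound of the PID space: /proc/sys/kernel/pid_max on Linux."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def visible_ids():
    """PIDs AND thread IDs visible through /proc.

    Threads matter: kill() and getpgid() answer for a thread ID too, but
    threads are only listed under /proc/<pid>/task, not at the top of /proc.
    Ignoring them makes every multithreaded process look like it hides PIDs."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task") if t.isdigit())
        except OSError:
            pass    # process exited between the two listings
    return ids


def pid_exists_via_syscalls(pid):
    """True if the kernel admits that `pid` exists, judged by syscalls alone.

    ESRCH (ProcessLookupError) means no such process.  EPERM (PermissionError)
    means it exists but belongs to someone else, which still counts; that is
    what lets an unprivileged sweep see other users' processes."""
    probes = (
        lambda: os.kill(pid, 0),
        lambda: os.getpgid(pid),
        lambda: os.sched_getscheduler(pid),   # Linux-only; AttributeError elsewhere
    )
    for probe in probes:
        try:
            probe()
            return True
        except PermissionError:
            return True
        except ProcessLookupError:
            continue
        except (AttributeError, OSError):
            continue
    return False


def find_hidden(visible, exists, pid_max):
    """Brute sweep of 1..pid_max: PIDs that `exists` confirms but `visible`
    lacks.  `exists` is a callable so the logic runs against a constructed
    view as well as the live kernel."""
    return sorted(pid for pid in range(1, pid_max + 1)
                  if pid not in visible and exists(pid))


def scan_live():
    """Sweep the live kernel, re-checking each hit so processes that merely
    started or exited mid-sweep are not reported."""
    hits = find_hidden(visible_ids(), pid_exists_via_syscalls, read_pid_max())
    return [pid for pid in hits
            if pid not in visible_ids() and pid_exists_via_syscalls(pid)]


def self_check():
    """(own PID answers syscalls, own PID is in /proc, a PID far past
    pid_max does not exist)."""
    me = os.getpid()
    return (pid_exists_via_syscalls(me), me in visible_ids(),
            pid_exists_via_syscalls(1 << 30))


if __name__ == "__main__":
    print(scan_live() or "no PID answers syscalls without appearing in /proc")
```

The sweep costs up to three syscalls per PID, so on a kernel with pid_max raised to 4194304 it takes minutes in Python; run it as root from trusted media so that other users' processes are probed with full rights. A kernel rootkit that hooks these syscalls as well as /proc will pass the test, which is why unhide uses several independent syscalls and why a clean result is not proof of a clean host.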

March 4, 2009:
FEATURED TOOL: Selective File Dumper
Selective File Dumper is an open source command-line tool written in Bash script for Linux systems that lets the user retrieve all files of a particular file type (Zenity can be used as a GUI front-end).

February 7, 2009:
FEATURED TOOL: DepSpec: Dependency Viewer
Some digital investigators/malware analysts prefer to analyze suspect Windows binaries on a *nix system, whether out of preference for working on *nix or because it offers a safe environment for this sort of analysis.  Most *nix flavors have the dependency-identifying tool ldd natively installed; however, ldd only understands ELF, so probing a Windows PE binary with it yields an error such as this:

lab@MalwareLab:/home/lab/Desktop# ldd Video.exe
        not a dynamic executable

Unfortunately, this is the same message ldd prints for a statically linked ELF, so it gives the investigator the false impression that the executable is statically linked.  An alternative to ldd is DepSpec (Dependency Viewer) by Kyle McFarland, which provides a dual-paned GUI allowing the user to drill down through file dependencies.  Although the output is not as granular as that of Windows-based dependency analysis tools, DepSpec offers digital investigators a good alternative to ldd on *nix systems.  A further caveat applies to ldd itself: it obtains its listing by running the target under its dynamic loader with LD_TRACE_LOADED_OBJECTS set, and the ldd(1) man page warns never to use it on an untrusted executable, because a crafted ELF (for example one with its own PT_INTERP) can get code executed that way.  readelf -d or objdump -p lists the DT_NEEDED entries of an ELF without running anything.
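What DepSpec shows for a PE file can also be recovered with a short parser, and doing so on *nix never executes the suspect binary. The script below is an added example for this page (it is not DepSpec's code): it first answers the question ldd cannot, namely what container format the file is, then walks the PE import directory to list each DLL and the symbols imported from it, by name or by ordinal. The sample .exe is constructed inline and contains no real code; the function names (file_kind, pe_imports, build_sample_pe) are this example's own.

```python
"""List the DLLs and symbols a PE32/PE32+ file imports, without running it.
Added example for this page; not DepSpec's or ldd's code."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def file_kind(data):
    """The distinction ldd hides: it says "not a dynamic executable" for a PE
    file and for a statically linked ELF alike."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ":
        return "PE"
    return "unknown"


def _cstr(data, off):
    """NUL-terminated ASCII string at file offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def _sections(data, nsect, sect_off):
    """(VirtualAddress, size, PointerToRawData) for each section header."""
    out = []
    for i in range(nsect):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sect_off + 40 * i + 8)
        out.append((va, max(vsize, raw_size), raw_ptr))
    return out


def _rva_to_off(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def pe_imports(data):
    """Return {dll: [symbol, ...]} from the import directory.  Bound and
    delay-load import tables are not walked."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header: not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: 32-bit thunks
        ndirs_off, dirs_off, thunk_fmt, ord_flag = opt + 92, opt + 96, "<I", 1 << 31
    elif magic == 0x20B:    # PE32+: 64-bit thunks
        ndirs_off, dirs_off, thunk_fmt, ord_flag = opt + 108, opt + 112, "<Q", 1 << 63
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", data, ndirs_off)[0] <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return {}
    imp_rva = struct.unpack_from("<I", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    if imp_rva == 0:
        return {}           # no import table (or a packer resolves imports itself)
    sections = _sections(data, nsect, opt + opt_size)
    imports, desc = {}, _rva_to_off(sections, imp_rva)
    while True:             # IMAGE_IMPORT_DESCRIPTOR array, zero-terminated
        ilt_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        syms, thunk = [], _rva_to_off(sections, ilt_rva or iat_rva)  # IAT if no ILT
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                syms.append(f"ordinal#{entry & 0xFFFF}")
            else:           # RVA of IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
                syms.append(_cstr(data, _rva_to_off(sections, entry & 0x7FFFFFFF) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports[_cstr(data, _rva_to_off(sections, name_rva))] = syms
        desc += 20
    return imports


def build_sample_pe():
    """Constructed minimal PE32 (no real code): one .idata section whose
    import table names KERNEL32.dll!CreateFileA, WinExec and
    WS2_32.dll!connect plus one WS2_32 import by ordinal."""
    SEC_RVA, SEC_RAW, SEC_SIZE = 0x1000, 0x200, 0x200
    img = bytearray(SEC_RAW + SEC_SIZE)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                            # e_lfanew
    pe = 0x40
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                           # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8, SEC_RVA, 60)           # import directory
    sect = opt + 224
    img[sect:sect + 8] = b".idata\0\0"
    struct.pack_into("<IIII", img, sect + 8, SEC_SIZE, SEC_RVA, SEC_SIZE, SEC_RAW)

    def put(rva, blob):
        off = rva - SEC_RVA + SEC_RAW
        img[off:off + len(blob)] = blob
    put(0x1040, b"KERNEL32.dll\0")
    put(0x1050, b"WS2_32.dll\0")
    put(0x1080, b"\0\0CreateFileA\0")                                 # hint + name
    put(0x1090, b"\0\0WinExec\0")
    put(0x10A0, b"\0\0connect\0")
    put(0x1060, struct.pack("<III", 0x1080, 0x1090, 0))               # KERNEL32 lookup table
    put(0x1070, struct.pack("<III", 0x10A0, 0x80000004, 0))           # WS2_32: name, ordinal 4
    put(0x1000, struct.pack("<IIIII", 0x1060, 0, 0, 0x1040, 0x1100)
              + struct.pack("<IIIII", 0x1070, 0, 0, 0x1050, 0x1110))  # descriptors, then zeros
    return bytes(img)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(file_kind(blob))
    for dll, syms in pe_imports(blob).items():
        print(f"{dll}: {', '.join(syms)}")
```

Point it at a suspect .exe to get the DLL list DepSpec would show; an empty result on a file that clearly does network or file I/O usually means a packer that resolves its imports at runtime, which is itself a useful finding.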

January 17, 2009:
FEATURED TOOL: Malware Analysis Frameworks
There are a number of freely available malware analysis frameworks that enable a user to conduct automated dynamic analysis of suspicious executable files.  Some of these frameworks include:

The Reusable Unknown Malware Analysis Net ("TRUMAN")-
Developed by venerable malware researcher Joe Stewart of SecureWorks (formerly of LURHQ), "Truman can be used to build a "sandnet", a tool for analyzing malware in an environment that is isolated, yet provides a virtual Internet for the malware to interact with. It runs on native hardware, therefore it is not stymied by malware which can detect VMWare and other VMs. The major stumbling block to not using VMs is the difficulty involved with repeatedly imaging machines for re-use. Truman automates this process, leaving the researcher with only minimal work to do in order to get an initial analysis of a piece of malware.

Truman consists of a Linux boot image (originally based on Chas Tomlin's Windows Image Using Linux) and a collection of scripts. Also provided is pmodump, a Perl-based tool to reconstruct the virtual memory space of a process from a PhysicalMemory dump. With this tool it is possible to circumvent most packers to perform strings analysis on the dumped malware."

Automated aNalysis and Network emulation ("ANNE")-   Developed by the Luxembourg Computer Security Research & Response Team, ANNE is a framework to analyze unknown binaries in an automated fashion. More information can be found at Malware/Anne_-_release_0.1

ANNE is composed of

  • backend xmlserver
  • a daemon that processes the jobs
  • UML (user mode linux) Malware/UML Howto for ANNE
  • a web interface frontend
  • simulation scripts that run inside the UML

Zero-Wine- Authored by Joxean Koret, "Zero wine is an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero wine just runs the malware using WINE in a safe virtual sandbox (in an isolated environment) collecting information about the APIs called by the program.  The tool is distributed as a prebuilt QEmu virtual machine (or in source code form)."

December 13, 2008:

HeX LiveCD 2.0 released: "As an effort of the Honeynet Project Malaysian chapter and the RawPacket team initiative, HeX LiveCD was created. It is a Network Security Monitoring (NSM) centric Live CD, built based on the principles of NSM, for analysts, by analysts. This project will be eventually forked to Hex Sensor and Hex Server to complete the cycle of NSM processes. Besides, HeX LiveCD is the blueprint for HornyD. HornyD and HoneySuckle are the toolkits for the Malaysia Distributed Honeynet Project. HeX LiveCD contains most of the popular Open Source NSM and network forensics tools. The LiveCD also includes the NSM-Console framework which acts as aggregated protocols analyst for performing packet analysis on capture files." (description from the Honeynet Project website)

October 25, 2008:

Elfcmp- elfcmp compares running processes to their respective binary image on disk to ensure that the process image in memory has not been tampered with after execution.

October 19, 2008:

The Sleuth Kit and Autopsy Browser updated- Brian Carrier's popular open source digital investigation tools, The Sleuth Kit (TSK) 3.0.0 (a C library and a collection of command line tools based on code from The Coroner's Toolkit) and the Autopsy Browser 2.20 (an HTTP graphical interface to TSK), are available for download.

October 18, 2008:
FEATURED TOOL: ForensiX Live Response CD

ForensiX Live Response CD has been updated- Alexander Geschonneck has recently updated the ForensiX Linux Incident Response Script on the ForensiX Live Response CD.  According to Geschonneck's web site, the new script can "extract [and] organize the memory dump for an easy investigation."

September 3, 2008:
FEATURED TOOL: SANS Investigative Forensic Toolkit (SIFT)

SANS releases the SANS Investigative Forensic Toolkit (SIFT) Workstation, a VMware appliance that is preconfigured with all the necessary tools to perform a forensic examination.

September 2, 2008:


OSSEC v. 1.6 is released.  OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response.