Investigating Hacker Tools
Outline
• Preface
• How files are Compiled
• Static analysis of a hacker tool
• Dynamic analysis of a hacker tool
The Goals
• Prevent similar attacks in the future
• Assess an attacker’s skill or threat level
• Determine the extent of a compromise
• Determine if any damage was done
• Determine the number and type of intruders
• Prepare yourself for a successful subject interview if you catch the attacker
• Determine the attacker’s objectives and goals
Outline
• Preface
• How files are Compiled
• Static analysis of a hacker tool
• Dynamic analysis of a hacker tool
Statically Linked Programs
• A statically linked executable file contains all the code necessary to successfully run the application
• It has no dependencies on shared libraries
Dynamically Linked Programs
• Shared libraries
  • Contain commonly used functions and routines
  • Reduce the size of the executable file
  • Conserve system memory
  • Can be updated without changing the original programs
Static Program vs. Dynamic Program (figure): the dynamically compiled program holds only a printf stub that references the shared library loaded in system memory; the statically compiled program contains the printf function within its own object code.
Programs Compiled with Debug Options
• Compiling with debug options includes a lot of information about the program and its source code in the executable
The comparison of the file size (figure: file size comparison)
The stripped programs
• strip is a command that discards all symbols from the object code to make a file much smaller and perhaps more optimal for execution
(figure: the smaller file size and the strip command line)
Programs Packed with UPX (Ultimate Packer for eXecutables)
• An effective compression tool for executable files
• A hacker can use it to obscure their illicit programs from signature-based IDS
• A review of the ASCII-formatted strings within the rogue code will show whether UPX was used to compress the executable
• http://upx.sourceforge.net
An example of Symbol Extraction (1/2)
• When debugging information is included, use $ nm -al zapdebug
• $ nm -a zapdynamic
(figure: nm output with the symbol type and symbol value columns labelled)
An example of Symbol Extraction (2/2)
• Symbol type
  • Lowercase: a local variable
  • Uppercase: a global variable
• $ man nm
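As an added example (not from the slides), a small parser that applies the symbol-type convention above to an `nm -al` listing: lowercase letters are local symbols, uppercase are global, `U` entries are the library functions a dynamically linked tool needs, and `a` entries carry the original source file name when the binary was built with debugging information. The listing, symbol names and paths are constructed for illustration.

```python
import re

# Constructed `nm -al` listing (not real tool output): address, type letter, name, optional file:line
SAMPLE_NM = """\
0000000000400526 T main\t/home/user/zap.c:12
0000000000601040 D max_entries\t/home/user/zap.c:5
0000000000601048 b entry_count\t/home/user/zap.c:7
0000000000400400 t scan_records\t/home/user/zap.c:20
                 U fopen@@GLIBC_2.2.5
                 U strncpy@@GLIBC_2.2.5
0000000000000000 a zap.c
"""
NM_LINE = re.compile(
    r"^\s*(?:(?P<addr>[0-9a-fA-F]+)\s+)?(?P<type>[A-Za-z?])\s+(?P<name>\S+)"
    r"(?:\s+(?P<loc>\S+:\d+))?\s*$"
)
# Meaning of the type letter, case-folded (see `man nm`)
SECTION = {"t": "text (code)", "d": "initialized data", "b": "bss (zero-initialized data)",
           "r": "read-only data", "u": "undefined (resolved from a shared library at run time)",
           "a": "absolute (debug info such as the source file name)", "w": "weak"}

def parse_nm(listing: str) -> list:
    """Turn each nm line into a record with scope, section and source location."""
    symbols = []
    for line in listing.splitlines():
        m = NM_LINE.match(line)
        if not m:
            continue
        t = m.group("type")
        symbols.append({
            "name": m.group("name"),
            "type": t,
            # nm convention: lowercase letter = local symbol, uppercase = global (external)
            "scope": "global" if t.isupper() else "local",
            "section": SECTION.get(t.lower(), "other"),
            "source": m.group("loc"),  # only present when the binary was built with -g
        })
    return symbols
def triage(listing: str) -> dict:
    """Summarize what an analyst reads off the symbol table."""
    syms = parse_nm(listing)
    return {
        "globals": sorted(s["name"] for s in syms if s["scope"] == "global" and s["type"] != "U"),
        "locals": sorted(s["name"] for s in syms if s["scope"] == "local" and s["type"] != "a"),
        # U entries list the library functions a dynamically linked tool calls
        "imports": sorted(s["name"].split("@")[0] for s in syms if s["type"] == "U"),
        # 'a' entries carry the original source file names when debug info was not stripped
        "source_files": sorted(s["name"] for s in syms if s["type"] == "a"),
    }
```

A stripped or statically linked binary gives far less here: the `a` entries and file:line columns disappear after `strip`, and a static build has no `U` entries because the library code is inside the file.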
Outline
• Preface
• How files are Compiled
• Static analysis of a hacker tool
• Dynamic analysis of a hacker tool
What it is and the steps you should follow
• Static analysis is tool analysis performed without actually executing the rogue code
• The general approach to static analysis involves the following steps
  • Determine the type of file you are examining
  • Review the ASCII and Unicode strings contained within the binary file
  • Perform online research to determine if the tool is publicly available on computer security or hacker sites
  • Perform a source code review if you either have the source code or believe you have identified the source code via online research
Determine the Type of File
(figure: the file command and its magic file)
Review the ASCII and Unicode Strings
• $ strings -a filename
• $ hexedit
  • Allows you to see Unicode and ASCII strings within a file at the same time
• Look for the following items
  • The names of the source code files before the application was compiled
  • The exact compiler used to create the file
  • The “help” strings in the tool
  • The error messages that the program displays
  • The values of static variables
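As an added example (not part of the slides), the strings review above and the UPX check from the packing slide in one script: `extract_strings` pulls ASCII runs, as `strings -a` does, and UTF-16LE runs, as the hexedit Unicode view shows them; `categorize` sorts them into the items listed above; `packed_with_upx` looks for the markers UPX leaves in a packed file. The two byte blobs, their strings and the categorization heuristics are constructed for illustration.

```python
import re

# Constructed blob standing in for an unpacked binary (not a real tool's bytes)
SAMPLE_BIN = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"GCC: (GNU) 4.8.5 20150623\x00"
    + b"usage: zap [-h] <user> <tty>\x00\x90\x90\x90"
    + "zap.c".encode("utf-16-le") + b"\x00\x00\xff\xfe"  # a Unicode (UTF-16LE) string
    + b"cannot open /var/run/utmp\x00\x01\x02"
    + "Permission denied".encode("utf-16-le") + b"\x00\x00"
)
# Same idea after UPX: the readable strings are gone, only the packer's own markers remain
SAMPLE_PACKED = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"UPX!\x0d\x16\x0c\x08"
    + b"\x8a\xf3\x21\x7c\x05\x99\xe2\x1a" * 3
    + b"$Info: This file is packed with the UPX executable packer\x00"
)
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX executable packer")

def extract_strings(data: bytes, min_len: int = 4) -> dict:
    """ASCII runs (what `strings -a` prints) plus UTF-16LE runs (the Unicode view hexedit gives)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return {
        "ascii": [m.group().decode("ascii") for m in ascii_re.finditer(data)],
        "unicode": [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)],
    }

def packed_with_upx(data: bytes) -> bool:
    # UPX writes its section tag and banner into the output file, so a strings review shows it
    return any(marker in data for marker in UPX_MARKERS)

def categorize(found: list) -> dict:
    """Sort extracted strings into the buckets the static review looks for (heuristic)."""
    cats = {"compiler": [], "source_files": [], "help": [], "errors": [], "other": []}
    for s in found:
        low = s.lower()
        if low.startswith("gcc:") or low.startswith("clang"):
            cats["compiler"].append(s)
        elif re.search(r"\.(c|cc|cpp|h)$", low):
            cats["source_files"].append(s)
        elif low.startswith("usage") or "--help" in low:
            cats["help"].append(s)
        elif any(w in low for w in ("cannot", "error", "fail", "denied")):
            cats["errors"].append(s)
        else:
            cats["other"].append(s)
    return cats
```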
Performing Online Research and Source Code Review
• It’s very helpful to find the same tool
• Two occasions
  • The attacker leaves the source code on the system
  • You find the identical program from another source with the proper source code
Outline
• Preface
• How files are Compiled
• Static analysis of a hacker tool
• Dynamic analysis of a hacker tool
What it is and the tasks you should do
• Dynamic analysis of a tool takes place when you execute rogue code and interpret its interaction with the host operating system
• The methodology must include the following tasks
  • Monitor the time/date stamps to determine what files a tool affects
  • Run the program to intercept its system calls
  • Perform network monitoring to determine if any network traffic is generated
  • Monitor how Windows-based executables interact with the Registry
Set up your test environment
• You need to invest the time to set up the proper test environment
• VMware
• Make sure that the test system is not connected to the Internet
  • Beacon packet
  • Phone home
• Or you can execute it on a closed network
Intercept the system calls
• User applications use system calls to request services from the kernel
• System trace ($ strace)
  • A wiretap between a program and the operating system
(figure: executing the rogue program under strace and the resulting output file)
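As an added example (not from the slides), a parser for the strace output file that answers the tasks listed above: which files the tool opened, wrote or deleted (write() is mapped back to a path by tracking the file descriptors open() returned), which calls failed and why, and which outbound connect() endpoints would be phone-home traffic on a closed network. The trace lines, paths and the 192.0.2.10 address are constructed, not captured from a real tool.

```python
import re

# Constructed strace output for a run of the rogue program (not a real capture)
SAMPLE_STRACE = """\
open("/var/run/utmp", O_RDWR) = 3
write(3, "\\0\\0\\0\\0\\0\\0\\0\\0"..., 384) = 384
close(3) = 0
openat(AT_FDCWD, "/var/log/wtmp", O_RDWR) = 3
write(3, "\\0\\0\\0\\0\\0\\0\\0\\0"..., 384) = 384
close(3) = 0
unlink("/var/log/lastlog") = -1 EACCES (Permission denied)
unlink("/tmp/zap.log") = 0
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
"""
# call(args) = result [ERRNO (text)]; the greedy .* stops at the last ") = "
LINE = re.compile(r"^(?P<call>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+|\?)(?P<err>.*)$")
QUOTED = re.compile(r'"([^"]*)"')
SOCKADDR = re.compile(r'sin_port=htons\((\d+)\).*inet_addr\("([^"]+)"\)')

def summarize_strace(text: str) -> dict:
    """Reduce a syscall trace to the files and endpoints the tool touched."""
    fds = {}  # fd -> path, rebuilt from open()/openat() return values so write(fd) can be named
    report = {"opened": [], "written": set(), "deleted": [], "failed": [], "network": []}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        call, args, ret = m.group("call"), m.group("args"), m.group("ret")
        target = QUOTED.search(args)
        if ret.startswith("-"):  # failed call: the errno text says why (e.g. EACCES)
            report["failed"].append(f"{call} {target.group(1) if target else args} -> {m.group('err').strip()}")
        elif call in ("open", "openat", "creat"):
            report["opened"].append(target.group(1))
            fds[int(ret)] = target.group(1)
        elif call in ("write", "pwrite64"):
            fd = int(args.split(",")[0])
            if fd in fds:
                report["written"].add(fds[fd])
        elif call == "close":
            fds.pop(int(args.strip()), None)
        elif call in ("unlink", "unlinkat"):
            report["deleted"].append(target.group(1))
        elif call == "connect":
            sa = SOCKADDR.search(args)
            if sa:  # any outbound endpoint is a phone-home candidate to check on the closed network
                report["network"].append(f"{sa.group(2)}:{sa.group(1)}")
    report["written"] = sorted(report["written"])
    return report
```

Run strace with `-o` to write the trace to a file and `-f` to follow child processes; without `-f` a tool that forks would leave its children's file and network activity out of the report.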
Conducting Analysis Beyond strace
• Debugging
• Decompiling
• Linux Assembly web site
  • http://linuxassembly.org
• Tool Interface Standards and Manuals on the Dr. Dobb’s Microprocessor Resources web site
  • http://x86.ddj.com/intel.doc/tools.htm
• objdump
• nm
• gdb
Dynamic Analysis on a Windows System
• filemon
  • Provides a wiretap between running processes and the file system
• regmon
  • Taps a process’s interaction with the Windows Registry
• listdlls
  • Shows all of the DLLs needed by a process
• fport
  • Determines what ports the rogue program opens
• flist
  • Determines if a process changes its process name after execution