Information Networking Security and Assurance Lab National Chung Cheng University Investigating Hacker Tools.


Outline
- Preface
- How files are compiled
- Static analysis of a hacker tool
- Dynamic analysis of a hacker tool

Preface

The goals
- Prevent similar attacks in the future
- Assess the attacker's skill or threat level
- Determine the extent of the compromise
- Determine whether any damage was done
- Determine the number and type of intruders
- Prepare yourself for a successful subject interview if you catch the attacker
- Determine the attacker's objectives and goals

How files are compiled

Statically linked programs
- A statically linked executable contains all the code necessary to run the application: the library routines it calls are copied into the binary at link time
- It has no shared-library dependencies, so it runs on any system with a compatible kernel, whatever libraries are installed; the price is a much larger file
- Practical consequence for the analyst: there is no dynamic symbol table naming the library functions the tool calls, so working out what it does depends on strings and disassembly

Dynamically linked programs
- Shared libraries contain commonly used functions and routines
- They reduce the size of the executable file
- They conserve system memory: one copy of the library is mapped into every process that uses it
- A shared library can be updated without changing the programs that use it
- Caveat: the program only runs where the libraries it was linked against exist. Do not use ldd to list them on a recovered tool, since ldd can end up executing the untrusted binary's loader; use objdump -p or readelf -d instead

[Figure: Static program vs. dynamic program. In the statically compiled program the printf function is contained within the program's object code; in the dynamically compiled program only a printf stub references the shared library loaded elsewhere in system memory.]

Programs compiled with debug options
- With debug options (gcc -g) the binary includes a lot of information about the program and its source code: function and variable names, source file names and line numbers
- An attacker who leaves a debug build behind hands you the names of functions, variables and source files

[Figure: comparison of the file size of the same program compiled statically, dynamically and with debug information.]

Stripped programs
- strip(1) discards the symbol table and debugging information from the object file, making it much smaller; it does not change how the program runs, since those symbols are never used at run time (the dynamic symbol table the loader needs is kept)
- The command line: $ strip <filename>
[Screenshot: the resulting smaller file size.]

Programs packed with UPX (Ultimate Packer for eXecutables)
- An effective compression tool for executable files: the packed file decompresses the original program in memory when it is run
- A hacker can use it to obscure illicit programs from signature-based IDS, since the packed bytes look nothing like the original
- A review of the ASCII-formatted strings within the rogue code will show whether stock UPX was used: the "UPX!" marker and a banner naming the UPX version survive packing, and a stock-packed file can be restored with $ upx -d <filename> before static analysis
- Caveat: attackers modify UPX to remove those markers, so the absence of the string does not prove the file is unpacked; a very small string dump from a non-trivial program is the stronger sign

[Screenshot: an example of a UPX-packed executable.]
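As an added worked example (not from the original slides), the checks in this section reduced to code: a minimal ELF parser that reports class, byte order, file type, machine, static vs dynamic linking (by looking for the PT_INTERP program header that names the dynamic loader), whether strip(1) removed .symtab, whether -g left .debug_* sections behind, and whether the stock UPX marker is present. The image built by build_sample_elf is constructed for the demonstration and is not a runnable program; the interpreter path and section names in it are assumptions. Feed triage_elf the bytes of any ELF recovered from a compromised host.

```python
import struct

# Values from the ELF specification that the triage needs.
ELF_MAGIC = b"\x7fELF"
E_TYPES = {1: "REL (relocatable object)", 2: "EXEC", 3: "DYN (shared object or PIE)", 4: "CORE"}
E_MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}
PT_DYNAMIC, PT_INTERP = 2, 3
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3


def _u(end, fmt, data, off):
    """struct.unpack_from using the file's own byte order."""
    return struct.unpack_from(end + fmt, data, off)


def triage_elf(data):
    """Answer the 'how was it compiled?' questions from raw bytes: class, byte
    order, type, machine, dynamic vs static, stripped, debug info, UPX marker."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA:  1 = little endian, 2 = big endian
    e_type, e_machine = _u(end, "HH", data, 16)
    if is64:
        e_phoff, e_shoff = _u(end, "QQ", data, 32)
        e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx = _u(end, "5H", data, 54)
    else:
        e_phoff, e_shoff = _u(end, "II", data, 28)
        e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx = _u(end, "5H", data, 42)

    # Program headers: PT_INTERP names the dynamic loader and is the reliable
    # sign of a dynamically linked program.
    interp, has_dynamic = None, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = _u(end, "I", data, off)
        if is64:
            p_offset, _, _, p_filesz = _u(end, "4Q", data, off + 8)
        else:
            p_offset, _, _, p_filesz = _u(end, "4I", data, off + 4)
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            has_dynamic = True

    # Section headers: strip(1) removes .symtab; -g adds .debug_* sections.
    # A UPX-packed ELF carries no section table at all (e_shnum == 0).
    sections = []
    if e_shnum and e_shoff:
        def shdr(i):
            off = e_shoff + i * e_shentsize
            sh_name, sh_type = _u(end, "II", data, off)
            _, _, sh_offset, sh_size = _u(end, "4Q" if is64 else "4I", data, off + 8)
            return sh_name, sh_type, sh_offset, sh_size
        _, _, str_off, str_size = shdr(e_shstrndx)
        strtab = data[str_off:str_off + str_size]
        for i in range(e_shnum):
            sh_name, sh_type, _, _ = shdr(i)
            sections.append((strtab[sh_name:strtab.index(b"\0", sh_name)].decode(), sh_type))

    return {
        "class": "ELF64" if is64 else "ELF32",
        "endian": "little" if end == "<" else "big",
        "type": E_TYPES.get(e_type, str(e_type)),
        "machine": E_MACHINES.get(e_machine, str(e_machine)),
        "linking": "dynamic" if interp else ("static-pie" if has_dynamic else "static"),
        "interpreter": interp,
        "stripped": not any(t == SHT_SYMTAB for _, t in sections),
        "debug_info": any(n.startswith(".debug") for n, _ in sections),
        "upx_marker": b"UPX!" in data,   # stock UPX only; a modified packer can drop it
    }


def build_sample_elf(dynamic=True, keep_symtab=True, debug=False, upx=False):
    """Constructed sample (not a runnable program): a minimal ELF64 little-endian
    x86-64 image carrying only the headers the triage inspects."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"          # assumed loader path
    sec_names = [b"", b".symtab", b".shstrtab", b".debug_info"]
    shstrtab = b"\0".join(sec_names) + b"\0"
    name_off, pos = {}, 0
    for n in sec_names:
        name_off[n], pos = pos, pos + len(n) + 1
    phoff, interp_off = 64, 64 + 56                    # ehdr is 64 bytes, one 56-byte phdr
    shstr_off = interp_off + len(interp)
    shoff = shstr_off + len(shstrtab)

    secs = [(b"", 0, 0, 0)]                            # mandatory null entry
    if keep_symtab:
        secs.append((b".symtab", SHT_SYMTAB, 0, 0))
    secs.append((b".shstrtab", SHT_STRTAB, shstr_off, len(shstrtab)))
    if debug:
        secs.append((b".debug_info", SHT_PROGBITS, 0, 0))
    shstrndx = [s[0] for s in secs].index(b".shstrtab")

    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH", ELF_MAGIC, 2, 1, 1, 0, 0,
                       2, 62, 1, 0, phoff, shoff, 0, 64, 56, 1 if dynamic else 0,
                       64, len(secs), shstrndx)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, interp_off, 0, 0, len(interp), len(interp), 1)
    shdrs = b"".join(struct.pack("<IIQQQQIIQQ", name_off[n], t, 0, 0, off, size, 0, 0, 1, 0)
                     for n, t, off, size in secs)
    return ehdr + phdr + interp + shstrtab + shdrs + (b"UPX!" if upx else b"")
```

The "static-pie" case is worth knowing: a static PIE has a PT_DYNAMIC segment but no PT_INTERP, so a check that looks only for PT_DYNAMIC would misreport it as dynamically linked.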

An example of symbol extraction (1/2)
$ nm -a zapdynamic
If debugging information is included, -l adds the source file and line number for each symbol:
$ nm -al zapdebug
[Screenshot: nm output; the columns are symbol value, symbol type and symbol name.]

An example of symbol extraction (2/2)
Symbol type
- lowercase letter: a local symbol, not visible outside the object file
- uppercase letter: a global (external) symbol
- the common letters are T/t (code in the text section), D/d (initialised data), B/b (uninitialised data, bss) and U (undefined, resolved from a shared library at run time; the U entries tell you which library functions a dynamically linked tool calls)
$ man nm

Static analysis of a hacker tool

What static analysis is, and the steps you should follow
Static analysis is tool analysis performed without actually executing the rogue code.
The general approach involves the following steps:
- Determine the type of file you are examining
- Review the ASCII and Unicode strings contained within the binary file
- Perform online research to determine whether the tool is publicly available on computer security or hacker sites
- Perform a source code review if you either have the source code or believe you have identified it via online research

Determine the type of file
- The command: $ file <filename>
- file(1) compares the first bytes of the file against the patterns in its magic file (typically /usr/share/misc/magic, or a compiled magic.mgc) and reports the format, architecture, and for ELF whether the file is dynamically linked and whether it is stripped; it never executes the file, so it is safe on a hostile binary

Review the ASCII and Unicode strings
$ strings -a filename
$ strings -a -e l filename (16-bit little-endian strings, the encoding Windows programs use for Unicode)
$ hexedit filename, which lets you see Unicode and ASCII strings within a file at the same time
Look for the following items:
- the names of the source code files from before the application was compiled
- the exact compiler used to create the file
- the "help" strings in the tool
- the error messages that the program displays
- the values of static variables: hard-coded host names, ports, passwords and file paths
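An added example, not from the original slides: a strings extractor that does what strings -a and strings -e l do together (printable-ASCII runs and UTF-16LE runs) and then sorts the hits into the categories listed above. The SAMPLE blob, with its source file name zap2.c, compiler tag, messages, paths and registry key, is constructed for the demonstration; the patterns in CATEGORIES are a starting point, not an exhaustive list.

```python
import re

# Things worth pulling out of a string dump, following the checklist above.
CATEGORIES = {
    "source_file": re.compile(r"[\w./-]+\.(?:c|cc|cpp|h|asm|S)\b"),
    "compiler":    re.compile(r"GCC: |clang version|Microsoft \(R\)|Borland"),
    "usage":       re.compile(r"usage|option", re.IGNORECASE),
    "error":       re.compile(r"error|fail|cannot|unable", re.IGNORECASE),
    "path":        re.compile(r"^(?:/[\w.-]+)+|^[A-Za-z]:\\|^(?:\w+\\)+"),
    "network":     re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|https?://|\b[\w.-]+:\d{2,5}\b|socket|connect",
                              re.IGNORECASE),
}


def extract_strings(data, min_len=4):
    """Return sorted (offset, encoding, text) for printable-ASCII runs and for
    UTF-16LE runs, the form Windows binaries use and GNU strings shows only
    with -e l."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(found)


def classify(strings):
    """Bucket extracted strings by what they reveal about the tool."""
    buckets = {name: [] for name in CATEGORIES}
    for _offset, _encoding, text in strings:
        for name, pattern in CATEGORIES.items():
            if pattern.search(text):
                buckets[name].append(text)
    return buckets


# Constructed sample blob standing in for a binary; every string is invented.
SAMPLE = (
    b"\x7fELF" + b"\x00" * 12
    + b"zap2.c\x00"                               # source file name left by the compiler
    + b"GCC: (GNU) 3.3.2\x00"                     # compiler tag, as found in .comment
    + b"Usage: %s <user> [tty]\x00"               # help text identifies the tool
    + b"Error: unable to open %s\x00"             # error messages make good search terms
    + b"/var/log/wtmp\x00/var/run/utmp\x00"       # files a log wiper would touch
    + b"\x00\x00" * 4
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"irc.example.net:6667\x00"                 # a hard-coded static value
)


def report(data=SAMPLE):
    """Strings grouped by category, as a practitioner would read them."""
    return classify(extract_strings(data))
```

Searching the web for the exact help and error strings is usually the fastest way to the public source of a tool; the compiler tag and source file name then let you check that the candidate really is the same build.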

Performing online research and source code review
- Finding the same tool, or its source, elsewhere is very helpful: it tells you what the code does without executing it
- There are two occasions on which you will have the source:
  - the attacker leaves the source code on the system
  - you find the identical program, with its proper source code, from another source such as a public security or hacker site
- Confirm the match before trusting it: compare the strings and symbol names of the recovered binary with those of the candidate source, and compare hashes if you can rebuild it identically

Dynamic analysis of a hacker tool

What dynamic analysis is, and the tasks you should perform
Dynamic analysis of a tool takes place when you execute the rogue code and interpret its interaction with the host operating system.
The methodology must include the following tasks:
- Monitor the time/date stamps (mtime, atime, ctime) to determine what files the tool affects
- Run the program under a system-call tracer to intercept its system calls
- Perform network monitoring to determine whether any network traffic is generated
- Monitor how Windows-based executables interact with the Registry
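An added example (not part of the original slides) for the first task, monitoring time/date stamps: snapshot a directory tree before and after running the tool and report what it created, deleted or modified, the scripted equivalent of touching a marker file and running find -newer afterwards. The demo() scenario uses a Python one-liner standing in for the hostile binary and a temporary directory standing in for the test system; both are constructed for the demonstration.

```python
import os
import subprocess
import sys
import tempfile


def snapshot(root):
    """Fingerprint every entry under root as (size, mtime_ns, ctime_ns)."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks the tool may plant
            except FileNotFoundError:
                continue                     # vanished between listing and stat
            snap[path] = (st.st_size, st.st_mtime_ns, st.st_ctime_ns)
    return snap


def diff_snapshots(before, after):
    """Paths created, deleted, or whose size/mtime/ctime changed.
    Size is part of the fingerprint so two writes within one timestamp
    tick still show up; ctime is included because a tool can forge mtime
    with utime() but cannot set ctime from user space."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def run_and_diff(root, argv, timeout=60):
    """Snapshot root, run the tool with root as its working directory,
    snapshot again. Network isolation is the VM's job, not this function's."""
    before = snapshot(root)
    proc = subprocess.run(argv, cwd=root, capture_output=True, timeout=timeout)
    after = snapshot(root)
    result = diff_snapshots(before, after)
    result["exit_status"] = proc.returncode
    return result


def demo():
    """Constructed scenario: a stand-in 'tool' that overwrites one log,
    drops a hidden file and removes a lock file. Returns basenames."""
    root = tempfile.mkdtemp(prefix="tooltest-")
    for name, content in (("wtmp", b"old record"), ("lock", b"")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    fake_tool = ("import os; open('wtmp', 'wb').write(b'x'); "
                 "open('.hidden', 'w').write('y'); os.unlink('lock')")
    result = run_and_diff(root, [sys.executable, "-c", fake_tool])
    return {k: sorted(os.path.basename(p) for p in v) if isinstance(v, list) else v
            for k, v in result.items()}
```

On a real test system snapshot the whole file system, not one directory: log wipers and backdoors write under /var/log, /var/run, /etc and /dev, far from wherever you put the tool.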

Set up your test environment
- Invest the time to set up a proper, disposable test environment: a VMware virtual machine you can snapshot and revert (take a clean snapshot before the first run)
- Make sure the test system is not connected to the Internet: many tools send a beacon packet or "phone home" to the attacker as soon as they start, which would tip the attacker off and may pull down further code
- Alternatively, execute it on a closed network with a sniffer on a second machine, so the traffic is captured but goes nowhere

Intercept the system calls
- User applications use system calls to request services from the kernel: opening a file, sending a packet, creating a process
- System trace, strace(1), acts as a wiretap between a program and the operating system
- Write the trace to an output file rather than the terminal, and follow child processes:
  $ strace -f -o trace.txt ./rogue_program
- Execute the rogue program only inside the test environment described above
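As an added example that is not from the original slides, a summariser for the file written by strace -f -o trace.txt ./program: it answers, from the raw trace, what was executed, which files were opened for reading or for writing, what was deleted, where the program tried to connect, which children it spawned and which calls failed. SAMPLE_TRACE is constructed in the style of strace's -o output for an imagined log-wiping tool; the pids, paths and addresses in it are invented.

```python
import re

# One strace line: optional pid (from -f), optional timestamp (from -t),
# syscall(args) = return [ERRNO (text)]. "+++ exited" and unfinished/resumed
# fragments do not match and are skipped.
LINE = re.compile(
    r"^(?:(?P<pid>\d+)\s+)?(?:\d\d:\d\d:\d\d(?:\.\d+)?\s+)?"
    r"(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|0x[0-9a-fA-F]+|\?)(?P<err>\s+E\w+.*)?$"
)
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC")


def summarize_strace(lines):
    """Reduce an strace log to the questions an analyst asks of a tool."""
    s = {"exec": [], "files_read": [], "files_written": [], "deleted": [],
         "network": [], "children": [], "failed": []}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        call, args, ret, err = m["call"], m["args"], m["ret"], m["err"]
        paths = QUOTED.findall(args)            # quoted arguments are paths or strings
        if err:
            s["failed"].append(f"{call}: {err.strip()}")
        if call == "execve" and paths:
            s["exec"].append(paths[0])
        elif call in ("open", "openat", "creat") and paths:
            writing = call == "creat" or any(flag in args for flag in WRITE_FLAGS)
            s["files_written" if writing else "files_read"].append(paths[0])
        elif call in ("unlink", "unlinkat", "rename", "renameat") and paths:
            s["deleted"].append(paths[0])       # the attempt is recorded even if it failed
        elif call == "connect":
            ip = re.search(r'inet_addr\("([^"]+)"\)', args)
            port = re.search(r"htons\((\d+)\)", args)
            s["network"].append((ip.group(1), int(port.group(1))) if ip and port else args)
        elif call in ("fork", "vfork", "clone", "clone3") and ret.isdigit() and int(ret) > 0:
            s["children"].append(int(ret))      # the child's pid is the return value in the parent
    return s


# Constructed sample in the style of strace -f -o output; everything is invented.
SAMPLE_TRACE = """\
4242  execve("./zap2", ["./zap2", "root"], 0x7ffe2a1c0e10 /* 20 vars */) = 0
4242  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242  open("/var/log/wtmp", O_RDWR)     = 3
4242  open("/var/run/utmp", O_RDWR)     = 4
4242  open("/var/log/lastlog", O_RDWR)  = 5
4242  socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 6
4242  connect(6, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ENETUNREACH (Network is unreachable)
4242  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3c1a0009d0) = 4243
4243  unlink("/tmp/.zap2.lock")          = -1 ENOENT (No such file or directory)
4243  +++ exited with 0 +++
4242  exit_group(0)                     = ?
4242  +++ exited with 0 +++
"""
```

The connect() failing with ENETUNREACH is exactly what you want to see on an isolated test system: the tool's phone-home destination and port are recorded without the packet ever reaching the attacker. Remember that strace only sees what ptrace can see; a tool that checks for a tracer, or a rootkit component loaded into the kernel, will not show its real behaviour this way.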

[Screenshots: strace example 1, and strace example 2 in three parts.]

Conducting analysis beyond strace
- Debugging with gdb
- Disassembling and decompiling with objdump (objdump -d for the disassembly)
- Symbol extraction with nm
- References: the Linux Assembly web site, and the Tool Interface Standard (TIS) ELF specification and manuals on the Dr. Dobb's Microprocessor Resources web site

Dynamic analysis on a Windows system
- filemon: provides a wiretap between running processes and the file system
- regmon: taps a process's interaction with the Windows Registry
- listdlls: shows all of the DLLs loaded by a process
- fport: determines which ports the rogue program opens
- pslist: determines whether a process changes its process name after execution
(filemon and regmon have since been merged into Sysinternals Process Monitor, which records the same file and Registry activity.)

[Screenshots: filemon, regmon, listdlls, fport and pslist output.]