Investigating Hacker Tools

Introduction
• Computer crime and computer intrusions often leave behind rogue files that have no known purpose.
• We assume the files do something related to what the attacker wants, but all we have is the binary file, because attackers hide their source code.

• We will see an approach to perform tool analysis.


• We will learn how to take an executable file with an unknown
function and perform operations on it to gain insight into the file’s
intended purpose.
What are the goals of tool analysis?
• To prevent similar attacks in the future.
• Assess an attacker’s skill or threat level.
• Determine the extent of compromise.
• Determine if any damage was done.
• Determine the number and type of intruders.
• Prepare for a successful subject interview if the attacker is caught.
• Determine the attacker's objectives and goals.
How are files compiled?
• A compiler, such as the GNU C compiler, reads an entire program
written in a high-level language, such as C or Pascal, and converts it to
object code, which is often called machine code, binary code, or
executable code.
Statically Linked Programs
• A statically linked executable file contains all the code necessary to
run the application, so it typically has no dependencies on shared
libraries. This means the program will run without relying on a specific
version of an operating system's libraries.
• Here is an example of a command to statically compile a program
within the Linux operating system using the GNU compiler:
gcc -static zap.c -o zapstatic
• In this command line, the source code zap.c was compiled to create a
statically linked object file called zapstatic.
Dynamically Linked Programs
• Nearly all modern operating systems support the use of shared
libraries, which contain commonly used functions and routines. By
compiling a program to use the shared libraries, a programmer can
reference them somewhere in memory when the program needs to
use those functions and routines, rather than incorporating all that
code in the application itself.
• This reduces the size of the executable file, conserves system
memory, and permits updates to the shared libraries without the
need to change any of the original programs. Programs that use
shared libraries are dynamically compiled. Each dynamically compiled
program references the single copy of the shared library located in
memory.
Programs Compiled with Debug Options
• On rare occasions, you will be lucky enough to encounter hacker tools
that have been compiled in debug mode. Debug compilations are
normally used by software developers during the early stages of the
program’s development to help them troubleshoot problems and
optimize their code. When debug options are enabled, the compiler
will include a lot of information about the program and its source
code.
Compilation type and size of the program
• The following is a listing of a directory that contains the log-wiping
tool zap compiled dynamically, statically, and with debug options.
Stripped Programs
• strip is a command that discards all symbols from the object code to
make the file much smaller and perhaps faster to load. Since stripped,
dynamically compiled programs result in the smallest executable, these
files are usually the most difficult for an investigator to analyse
using string and symbol extraction techniques.
• For example, if the file has not been stripped and contains symbols,
the nm command will display them. Conversely, the strip command
will remove that information.
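The directory listing the slides refer to is not reproduced here, so the following added Python script (not the slides' own code) shows how the same three properties, static versus dynamic linking, debug information, and stripping, can be read straight from an ELF64 file's section headers without running file(1) or nm(1). It assumes little-endian ELF64; the sample files it examines are synthetic, built inline by build_elf() with empty sections so the script runs offline, and the variant names mirror the slides' zap tool.

```python
"""Classify an ELF64 binary by its section headers: dynamically or
statically linked, compiled with debug information, and stripped or not.

Added example, not from the original slides.  It reads the section header
table directly instead of calling file(1) or nm(1), so it runs on any host.
The ELF images it is fed here are synthetic, built by build_elf() with
empty sections purely so the script runs offline; they contain no code.
"""
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NULL, SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 0, 1, 2, 3
EHDR_SIZE = SHDR_SIZE = 64  # ELF64 header and section header are both 64 bytes


def section_names(data: bytes) -> list[str]:
    """Return every section name in a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example only parses little-endian ELF64")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    headers = []
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        sh_name, sh_type = struct.unpack_from("<II", data, off)
        sh_offset, sh_size = struct.unpack_from("<QQ", data, off + 0x18)
        headers.append((sh_name, sh_type, sh_offset, sh_size))
    # Section names live in the string table indexed by e_shstrndx.
    _, _, str_off, str_size = headers[e_shstrndx]
    shstrtab = data[str_off:str_off + str_size]
    names = []
    for sh_name, _, _, _ in headers:
        names.append(shstrtab[sh_name:shstrtab.index(b"\0", sh_name)].decode())
    return names


def classify(data: bytes) -> dict:
    """Report the slides' compilation variants plus stripping."""
    names = set(section_names(data))
    return {
        # .interp names the dynamic loader and .dynamic lists needed shared
        # libraries; a file with neither was linked with gcc -static.
        "linking": "dynamic" if ".interp" in names or ".dynamic" in names else "static",
        # gcc -g emits DWARF sections such as .debug_info and .debug_line.
        "debug": any(n.startswith(".debug") for n in names),
        # strip(1) removes .symtab, the table nm(1) reads for symbol names.
        "stripped": ".symtab" not in names,
    }


def build_elf(sections: list[str]) -> bytes:
    """Construct a minimal synthetic ELF64 (x86-64) holding only the named,
    empty sections plus .shstrtab.  Test input only; it is not executable."""
    names = [""] + sections + [".shstrtab"]
    shstrtab, name_off = b"", {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    e_shoff = EHDR_SIZE + len(shstrtab)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8  # 64-bit, LE, v1, SysV ABI
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, e_shoff, 0,
                               EHDR_SIZE, 0, 0, SHDR_SIZE, len(names), len(names) - 1)
    shdrs = b""
    for n in names:
        if n == "":
            sh_type, off, size = SHT_NULL, 0, 0
        elif n == ".shstrtab":
            sh_type, off, size = SHT_STRTAB, EHDR_SIZE, len(shstrtab)
        elif n == ".symtab":
            sh_type, off, size = SHT_SYMTAB, 0, 0
        else:
            sh_type, off, size = SHT_PROGBITS, 0, 0
        shdrs += struct.pack("<IIQQQQIIQQ", name_off[n], sh_type, 0, 0, off, size, 0, 0, 1, 0)
    return ehdr + shstrtab + shdrs


# Constructed stand-ins for the four variants of the slides' zap tool.
VARIANTS = {
    "zap (dynamic)":  [".interp", ".dynamic", ".text", ".symtab"],
    "zapstatic":      [".text", ".symtab"],
    "zapdebug":       [".interp", ".dynamic", ".text", ".symtab", ".debug_info"],
    "zap (stripped)": [".interp", ".dynamic", ".text"],
}

if __name__ == "__main__":
    for label, secs in VARIANTS.items():
        print(f"{label:16} {classify(build_elf(secs))}")
```

On a real binary, replace build_elf() with the file's bytes read from disk; the section checks are the same ones readelf -S and nm rely on, and a missing .symtab is exactly why nm prints "no symbols" for a stripped file.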
Programs Packed with UPX
• UPX, or the Ultimate Packer for eXecutables, is becoming increasingly
popular as an effective compression tool for executable files. Perhaps
another reason for its popularity is that attackers can use it to
obscure their illicit programs from signature-based IDS.
• UPX will pack and unpack Linux and Win32 applications, as well as
DOS 16-bit executable and .com files, DOS 32-bit COFF files, DOS 32-
bit executables, and Atari TOS/MiNT executables.
Compilation Techniques and File Analysis
• Now that you've been exposed to several compilation techniques, let's
examine a suspect file called Z, found recently on a Linux system.
Continued..
• The file command output indicates that UPX was used to pack this file.
The next step is to use UPX to unpack (decompress) the suspect binary.
• The following command decompresses (unpacks) the suspect file and
stores the output in the file named foo.
• Since the previous file command was executed on the compressed file, we
run the file command again. As you can see, the uncompressed object file
was not stripped.
• While a previous strings command showed little of value (since the file
was compressed), executing strings -a on the unpacked output file
immediately reveals material of interest:
• From this strings output, you can see the program looks for the
/var/run/utmp, /var/log/wtmp, and /var/log/lastlog files; has
functions kill_utmp, kill_wtmp, kill_lastlog; and contains the word
“Zap.”
• Additional debug information is present, and we can see that the
GNU version 3.2 of GCC for Red Hat Linux version 8.0 was used to
compile the tool.
STATIC ANALYSIS OF A HACKER TOOL
• Static analysis is tool analysis performed without actually executing
the rogue code. Because you do not intend to execute the rogue code
during static analysis, you can perform static analysis on any
operating system, regardless of the type of object code.
• For example, you can use the Solaris operating system to perform
static analysis of a Win32 application.
Continued..
The general approach to static analysis involves the following steps:
1. Determine the type of file you are examining.
2. Review the ASCII and Unicode strings contained within the binary
file.
3. Perform online research to determine if the tool is publicly available
on computer security or hacker sites. Compare any online tools
identified with the tool you are analysing.
4. Perform source code review if you either have the source code or
believe you have identified the source code via online research.
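As an added example (not the slides' own code), the Python script below carries out steps 1 and 2 of the approach above and the Zap walkthrough in one pass: it identifies the file type from its magic bytes, notes the UPX marker that file(1) also keys on, extracts ASCII and UTF-16LE ("Unicode") strings the way strings -a does, and flags the indicators the slides found in Zap (the utmp/wtmp/lastlog paths and the kill_* function names). The two sample buffers are constructed inline to stand in for the packed and unpacked suspect files; the GCC banner string in the unpacked sample is constructed to match what the slides describe, not copied from a real binary.

```python
"""Static triage of a suspect binary without executing it: file-type
identification, UPX marker check, ASCII/UTF-16LE string extraction and
indicator matching.  Added example, not from the original slides; the
sample buffers below are constructed and are not real malware.
"""
import re

MAGICS = [
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "MS-DOS/Windows PE executable"),
    (b"#!", "script"),
]
UPX_MARKER = b"UPX!"  # left in the packed file by UPX


def identify(data: bytes) -> str:
    """Rough equivalent of file(1): type by magic, with UPX packing noted."""
    kind = next((name for magic, name in MAGICS if data.startswith(magic)), "data")
    if UPX_MARKER in data:
        kind += ", UPX packed"
    return kind


def ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs of at least min_len bytes (strings' default is 4)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable UTF-16LE runs, the 'Unicode' strings common in Win32 tools."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


# Indicators taken from the slides' analysis of Zap.
INDICATORS = {
    "log-wiping paths": re.compile(r"/var/(run/utmp|log/(wtmp|lastlog))"),
    "log-killing functions": re.compile(r"\bkill_(utmp|wtmp|lastlog)\b"),
    "compiler banner": re.compile(r"GCC: \("),
}


def triage(data: bytes) -> dict:
    """Combine the steps into one report: type, string count, indicator hits."""
    found = ascii_strings(data) + utf16le_strings(data)
    hits = {label: sorted({s for s in found if rx.search(s)})
            for label, rx in INDICATORS.items()}
    return {
        "type": identify(data),
        "strings": len(found),
        "hits": {label: v for label, v in hits.items() if v},
    }


# Constructed sample: what the compressed file looks like to strings.
PACKED_SAMPLE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x8f\x12\xa4\x00\x3b" * 8 \
    + UPX_MARKER + b"\xd9\x02\x7f\x00\xc3" * 8

# Constructed sample: the unpacked file, with the strings the slides report.
# "Zap" is only three characters, so strings' default minimum of 4 misses it
# (strings -n 3 would show it); the b"\0\0" gap keeps the UTF-16 run aligned.
UNPACKED_SAMPLE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x00".join([
    b"/var/run/utmp", b"/var/log/wtmp", b"/var/log/lastlog",
    b"kill_utmp", b"kill_wtmp", b"kill_lastlog", b"Zap",
    b"GCC: (GNU) 3.2 (Red Hat Linux 8.0)",  # constructed banner
]) + b"\0\0" + "wiped by zap".encode("utf-16-le") + b"\0\0"

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(label, triage(sample))
```

Running the script shows the contrast the slides describe: the packed sample yields the UPX marker and little else, while the unpacked sample produces the paths, kill_* names and compiler banner that identify the tool's purpose and build environment before any online research or source review is done.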