11.5. Analysis of malware

Some other tools provided in the Debian distribution that can be used for forensic analysis are strace and ltrace.

Any of these packages can be used to analyze rogue binaries (such as back doors), in order to determine how they work and what they do to the system. Some other common tools include ldd (in libc6), strings and objdump (both in binutils).

If you try to do forensic analysis with back doors or suspected binaries retrieved from compromised systems, you should do so in a secure environment (for example in a bochs or xen image, or a chroot'ed environment using a user with low privileges[71]). Otherwise your own system can be back doored/r00ted too!
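As an added example (not part of the manual, and not code from the Debian project), the following Python script performs a first static pass over a suspect binary: it records the file's SHA-256, lists the shared libraries named in its PT_DYNAMIC segment (the list ldd would resolve) and extracts printable strings (what strings would print), all without executing or loading the file. That matters because ldd(1) may run the program it inspects, and its manual page warns against using it on untrusted executables; reading the dynamic section by hand gives the same library list with no such risk, so even the static pass stays within the low-privilege environment described above. The sample ELF64 it analyses is constructed in memory by build_sample_elf() and contains no code; all function and variable names are this example's own.

```python
"""Static triage of a suspect ELF binary without executing it.

Added example, not code from the Securing Debian Manual. It recovers, purely
by parsing the file, two things an analyst would otherwise get from `ldd` and
`strings`: the shared libraries the binary requests (DT_NEEDED entries) and
its printable strings. Nothing here loads or runs the file. The sample binary
is a constructed, code-free ELF64 image built in memory, not real malware.
"""
import hashlib
import re
import struct

ELF64_EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes, little-endian
ELF64_PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
ELF64_DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10


def is_elf64_le(data):
    """True if data starts with an ELF header for a 64-bit little-endian object."""
    return len(data) >= ELF64_EHDR.size and data[:4] == b"\x7fELF" and data[4] == 2 and data[5] == 1


def program_headers(data):
    """Parse the ELF header and return the list of program header tuples."""
    if not is_elf64_le(data):
        raise ValueError("not a little-endian ELF64 file (the only format handled here)")
    hdr = ELF64_EHDR.unpack_from(data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    return [ELF64_PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]


def vaddr_to_offset(phdrs, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ in phdrs:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError("address 0x%x is not backed by any PT_LOAD segment" % vaddr)


def needed_libraries(data):
    """Return the DT_NEEDED library names: what ldd would resolve, found without running anything."""
    phdrs = program_headers(data)
    dynamic = next((p for p in phdrs if p[0] == PT_DYNAMIC), None)
    if dynamic is None:
        return []  # statically linked (or stripped of its dynamic segment): nothing to resolve
    entries, off = [], dynamic[2]  # p_offset of the dynamic section
    while True:
        tag, val = ELF64_DYN.unpack_from(data, off)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
        off += ELF64_DYN.size
    tags = dict(entries)
    if DT_STRTAB not in tags:
        raise ValueError("dynamic section has no DT_STRTAB; file is malformed")
    strtab = vaddr_to_offset(phdrs, tags[DT_STRTAB])
    table = data[strtab:strtab + tags.get(DT_STRSZ, len(data) - strtab)]
    # DT_NEEDED values are offsets of NUL-terminated names inside the string table.
    return [table[v:table.index(b"\0", v)].decode("ascii", "replace") for t, v in entries if t == DT_NEEDED]


def printable_strings(data, min_len=4):
    """Runs of at least min_len printable ASCII bytes, like the default output of strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data):
    """Everything a first static pass should record before the sample is ever executed."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "needed": needed_libraries(data),
        "strings": printable_strings(data),
    }


def build_sample_elf(needed=(b"libc.so.6", b"libcrypto.so.3")):
    """Constructed sample: a minimal ELF64 with one PT_LOAD mapping the whole file at
    virtual address 0 and one PT_DYNAMIC naming the given libraries. It holds no code."""
    strtab = b"\0"
    name_offsets = {}
    for name in needed:
        name_offsets[name] = len(strtab)
        strtab += name + b"\0"
    strtab_off = ELF64_EHDR.size + 2 * ELF64_PHDR.size   # right after the two program headers
    dyn_off = (strtab_off + len(strtab) + 7) & ~7        # dynamic section, 8-byte aligned
    dyn = b"".join(ELF64_DYN.pack(DT_NEEDED, name_offsets[n]) for n in needed)
    dyn += ELF64_DYN.pack(DT_STRTAB, strtab_off) + ELF64_DYN.pack(DT_STRSZ, len(strtab))
    dyn += ELF64_DYN.pack(DT_NULL, 0)
    total = dyn_off + len(dyn)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\0" * 7   # ELF64, little-endian, SYSV ABI
    ehdr = ELF64_EHDR.pack(ident, 2, 0x3E, 1, 0, ELF64_EHDR.size, 0, 0,
                           ELF64_EHDR.size, ELF64_PHDR.size, 2, 0, 0, 0)
    load = ELF64_PHDR.pack(PT_LOAD, 4, 0, 0, 0, total, total, 0x1000)
    dynamic = ELF64_PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    image = ehdr + load + dynamic + strtab
    return image + b"\0" * (dyn_off - len(image)) + dyn


if __name__ == "__main__":
    report = triage(build_sample_elf())
    print("sha256 :", report["sha256"])
    print("needed :", report["needed"])
    print("strings:", report["strings"])
```

To run it against a real file, replace build_sample_elf() with the bytes read from the suspect binary (open it read-only, on a copy kept on a non-executable mount). The parser deliberately handles only little-endian ELF64 and raises on anything else rather than guessing, because a sample that does not match the expected format is itself worth noting; dynamic tracing with strace or ltrace, which does execute the sample, belongs only inside the isolated environment described above.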

If you are interested in malware analysis then you should read chapter 6 (http://www.porcupine.org/forensics/forensic-discovery/chapter6.html) of Dan Farmer's and Wietse Venema's forensics book.


[71] Be very careful if using chroots, since if the binary uses a kernel-level exploit to increase its privileges it might still be able to infect your system.