In case you think you caught a real rootkit, you have to assume that some binaries like ls, strings, md5sum ... have been changed. I've seen rootkits that gave perfect md5sums, and the output of strings for the manipulated binaries was the same as for the originals. Boot from CD/DVD and inspect your disk!
On 01/04/2013 02:31 PM, Greg Freemyer wrote:
ellanios82 <ellanios82@gmail.com> wrote:
On 01/03/2013 05:37 PM, Greg Freemyer wrote:
In general:
- Manually inspect the file, is it clearly innocuous?
- Look at its permissions, does it have the substitute user or group bits set?
- Get its MD5, SHA1 and SHA-256 hash (use md5sum, sha1sum, and sha256sum respectively).
- Google search for the error messages and the hash values.
- If the suspicious file has contents, submit it to www.virustotal.com for analysis (free).
- Run strings against the file, do you see strange strings in there?
- Greg
Excuse my lack of knowledge ... can you please give an example of how to use and compare MD5 sums for the purpose of rootkit forensics?
Often malware is tracked and cataloged based on its hash (md5, sha1, etc.)
From the command line "md5sum suspect_file" will give the md5 hash of that file. It should be a fairly long, seemingly useless number, but every copy of that file in the world should have the same hash.
Now take that number and google it. If it is a known malicious file, malware investigative professionals will have reported the hash in any reports they published about it, so you may find a description of the malware on the internet this way.
I always do this with md5, sha1, and sha256.
The above assumes the malware is known, i.e. the exact malicious file you found has been used before. Often a simple recompile can change the hash, so bad guys will often recompile their malware and re-release it.
Thus the above is just a first step in identifying malware, but it is the standard first step.
Greg
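The triage steps from the reply above (permission bits, the three hashes, strings), put together as one runnable script. This is an added example, not code posted in the thread. The suspect file, the benign file, the "recompiled" variant and the list of suspicious string patterns are all constructed for the demo; the tools used are coreutils md5sum/sha1sum/sha256sum and, when installed, binutils strings (with a tr/grep fallback that gives the same result for ASCII input). As the top of the thread says, run such tools from a clean boot medium, not from the binaries on the suspect disk.

```shell
#!/bin/sh
# Added example (not code from the thread): a first-pass triage of a suspect
# file following the steps in the reply. Every input below is constructed.
# Run the tools from a clean boot medium: the top of the thread notes that a
# rootkit can replace ls, strings and md5sum on the compromised system.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "suspect" file: junk bytes around strings that a hooked library
# or a hidden socket would plausibly leave behind. Hypothetical content.
SUSPECT="$WORK/suspect_file"
printf 'junk\001\002 /tmp/.hidden_sock LD_PRELOAD=/lib/libproc.so\003\n' > "$SUSPECT"
chmod 4755 "$SUSPECT"                 # set-user-ID bit on

# Constructed benign file for comparison.
CLEAN="$WORK/clean_file"
printf 'hello world\n' > "$CLEAN"
chmod 0644 "$CLEAN"

# Does the file carry the set-user-ID / set-group-ID bits?
suid_sgid_bits() {
    bits=""
    [ -u "$1" ] && bits="setuid"
    [ -g "$1" ] && bits="${bits:+$bits }setgid"
    echo "${bits:-none}"
}

# Hex digest only (md5sum/sha1sum/sha256sum print "<hash>  <path>").
hash_of() {
    case "$1" in
        md5)    md5sum    "$2" ;;
        sha1)   sha1sum   "$2" ;;
        sha256) sha256sum "$2" ;;
        *)      echo "unknown algorithm: $1" >&2; return 1 ;;
    esac | cut -d' ' -f1
}

# Printable runs of 4+ bytes, like 'strings -n 4'. Uses strings when it is
# installed (binutils); otherwise tr/grep give the same result for ASCII.
extract_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a -n 4 "$1"
    else
        LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '^.{4,}$'
    fi
}

# Filter the strings for things worth a second look. The pattern list is a
# constructed, illustrative one, not an authoritative indicator set.
suspicious_strings() {
    extract_strings "$1" | grep -E 'LD_PRELOAD|/tmp/\.|/dev/shm|/proc/[0-9]+/mem' || true
}

# Known-answer check on the empty file. It only shows the tools hash this
# input correctly; a trojaned md5sum can still lie about chosen files.
known_answer_check() {
    : > "$WORK/empty"
    [ "$(hash_of md5    "$WORK/empty")" = "d41d8cd98f00b204e9800998ecf8427e" ] &&
    [ "$(hash_of sha1   "$WORK/empty")" = "da39a3ee5e6b4b0d3255bfef95601890afd80709" ] &&
    [ "$(hash_of sha256 "$WORK/empty")" = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" ] &&
    echo ok || echo mismatch
}

# Report for one file; the three hashes are what you search the web for or
# compare against a VirusTotal result.
triage() {
    echo "== $1 =="
    echo "suid/sgid bits: $(suid_sgid_bits "$1")"
    for algo in md5 sha1 sha256; do
        echo "$algo: $(hash_of "$algo" "$1")"
    done
    echo "suspicious strings:"
    suspicious_strings "$1" | sed 's/^/  /'
}

# A "recompiled" variant: one extra byte, so every hash changes although the
# behaviour would not. This is why a hash lookup is only the first step.
RECOMPILED="$WORK/suspect_file.v2"
{ cat "$SUSPECT"; printf '\n'; } > "$RECOMPILED"

echo "tool check: $(known_answer_check)"
triage "$SUSPECT"
triage "$CLEAN"
```

Point `SUSPECT` at a file on a disk mounted read-only from rescue media and the same functions apply; the hashes printed by `triage` are the values to search for or to compare with a VirusTotal report, and a miss on all three tells you nothing more than that this exact build has not been catalogued.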