Digital Forensics
Assignment #5
Due by start of class on Thursday, April 10

Real World Forensics

The three files below are part of a current malware infestation of NAS devices, routers, and even DVRs.

This infestation is quite interesting from many aspects; one quite unusual aspect is exactly how it answers the "Profit!" side of the malware equation.

cmd.so D72BNr mzkk8g

(The above files were provided courtesy of the SANS Institute.)

  1. Research the current news on these infections in order to get a background on what is going on in this infestation of the "Internet of Things" (or "Internet of Everything" as it sometimes is styled). Write up the current status of the investigation, particularly on how the malware generates profits for the malefactors.
  2. Examine each of the binaries. Report on:
    1. The structure of the binaries — what are these files? What kind of hardware/software are they designed for?
    2. The content of the binaries — what's in each of these files?
    3. The function of the binaries — what does each of these files probably do?
  3. Finally, consider how practical (or impractical) this attack has been in terms of likely profits for the attackers.

For extra credit: You can earn up to 3 points on your final grade for the class if you can use a virtual machine under qemu (or equivalent) to study the live execution of any portion of this code. Your write-up should include (at a minimum) a trace of all of the system calls that you manage to see execute.

Your Work Product:

Please turn in your answers to the three above questions via Blackboard. Please submit a PDF file or a text file.

If you do tackle the extra credit section, please clearly label the section "For Extra Credit".