Following MF pages 490 and 576, what characteristics of an interesting program are we looking at?

What is this program and why is it here?
How does it operate?
How does it work inside the system?
Does it work over the net, and if so, how so?
Is it a naive or sophisticated attack?
How did it get there?
How compromised is the system?

Quick disassembly

You can use "objdump --disassemble-all" to get a quick disassembly of a suspect program.

Baselining the work environment

One old standby for "fingerprinting" a system is Tripwire. While it went commercial many years ago, there are open source forks of the code.

Another program is AIDE.

Watching the environment

First, run your newly installed fingerprint software on a virtual machine (or other "throwaway" machine).

Now you can use the standard programs that we talked about back in the beginning with live analysis: "ps", "top", "lsof", "netstat", and even "ls" to look at the pseudo-directory /proc/<pid>/. Two that we haven't talked about but that are very useful are "wireshark" and "tcpdump" (both built on the same set of routines in libpcap.) Your book also mentions "etherape", which might be useful for imaging network activity (and certainly is an amusing program just to run!)

IDS

Snort is a very standard IDS. It, like tcpdump and wireshark, is based on the excellent libpcap package. Unfortunately, it's not as easy to configure, and you will have to spend some time to get it working.

Tracing

The program "strace" is an excellent tool for following the system calls made by a process.

The program "ltrace" might also be useful, but there are two caveats here: (1) it shows library calls, not system calls (at least, not by defualt); (2) these library calls are much less meaningful to users not familiar with the particulars of a given library (and there are thousands of these libraries!)

You can also use "pmap PID" to find information about where in memory bits of programs are at.

Reconstruction

The easiest item to check probably are filesystem changes using "tripwire -m c" or "aide".

You can try to postprocess your tcpdump data with various programs.

Rootkits

A rootkit is a modification, usually of the operating system itself or access to the operating system, in an attempt to hide the presence of malware.

What is Blue Pill?

It's a complete replacement of the user's operating system by a virtualized environment. While it is generally termed as a rootkit, the idea is that the only state that is the same is non-volatile or non-local state.

Rootkits in the real world

The first place to look was the venerable http://www.rootkit.com from HB Gary. Unfortunately, with the compromise of HB Gary, rootkit.com seems to be defunct. Some of the more interesting techniques mentioned were:

"Hide in plain sight": reversing the paradigm of trying to be as unobtrusive as possible, the rootkit simply exists in an ordinary file and use standard WIN32 API calls.
"Catch me if you can": use a technique where the rootkit is always moving itself around, and uses ostensible HTTP traffic to obfuscate command and control communications.
"Project B": use a Firewire port's vulnerable to memory manipulation to inject the initial code; the code then moves to the MBR to circumvent defenses.
"Air gap" attack: the scenario is that the defenders are using an air gap to protect their most important machines. The vulnerability that the attacker attempts to exploit is if the defender uses USB sticks to move data; try to infect those (like Stuxnet, for instance). Then try to generate high frequencies (above normal hearing) and have these picked up by microphone on compromised machine.

Detection

One prevalent idea is the idea of "crossviews"; you use any differences in the view from the suspect system and a different one to detect rootkits. Another is direct analysis (to the extent possible, at least) of memory from within a suspect system and what standard tools are telling you is there.