Following MF pages 490 and 576, what characteristics of an interesting program are we looking at?

Quick disassembly

You can use "objdump --disassemble-all" to get a quick disassembly of a suspect program.

Baselining the work environment

One old standby for "fingerprinting" a system is Tripwire. While it went commercial many years ago, there are open source forks of the code.

Another program is AIDE.

Watching the environment

First, run your newly installed fingerprint software on a virtual machine (or other "throwaway" machine).

Now you can use the standard programs that we talked about back in the beginning with live analysis: "ps", "top", "lsof", "netstat", and even "ls" to look at the pseudo-directory /proc/<pid>/. Two that we haven't talked about but that are very useful are "wireshark" and "tcpdump" (both built on the same set of routines in libpcap.) Your book also mentions "etherape", which might be useful for imaging network activity (and certainly is an amusing program just to run!)


Snort is a very standard IDS. It, like tcpdump and wireshark, is based on the excellent libpcap package. Unfortunately, it's not as easy to configure, and you will have to spend some time to get it working.


The program "strace" is an excellent tool for following the system calls made by a process.

The program "ltrace" might also be useful, but there are two caveats here: (1) it shows library calls, not system calls (at least, not by defualt); (2) these library calls are much less meaningful to users not familiar with the particulars of a given library (and there are thousands of these libraries!)

You can also use "pmap PID" to find information about where in memory bits of programs are at.


The easiest item to check probably are filesystem changes using "tripwire -m c" or "aide".

You can try to postprocess your tcpdump data with various programs.


A rootkit is a modification, usually of the operating system itself or access to the operating system, in an attempt to hide the presence of malware.

What is Blue Pill?

It's a complete replacement of the user's operating system by a virtualized environment. While it is generally termed as a rootkit, the idea is that the only state that is the same is non-volatile or non-local state.

Rootkits in the real world

The first place to look was the venerable http://www.rootkit.com from HB Gary. Unfortunately, with the compromise of HB Gary, rootkit.com seems to be defunct. Some of the more interesting techniques mentioned were:


One prevalent idea is the idea of "crossviews"; you use any differences in the view from the suspect system and a different one to detect rootkits. Another is direct analysis (to the extent possible, at least) of memory from within a suspect system and what standard tools are telling you is there.