[colug-432] Necropsy: Virus?: objdump -x; comparing binaries
jep200404 at columbus.rr.com
Tue May 3 21:21:45 EDT 2011
On Tue, 3 May 2011 23:58:35 +0000, "Matthew W. Miller" <mwmiller at columbus.rr.com> wrote:
> On Tue, May 03, 2011 at 07:14:21PM -0400, jep200404 at columbus.rr.com wrote:
> > [root at localhost backup]# diff <(objdump -d 20110322/bin/cp) <(objdump -d 20110324bad/bin/cp)
> > [root at localhost backup]# diff <(objdump -d 20110322/bin/rpm) <(objdump -d 20110324bad/bin/rpm)
> Try specifying -x to objdump as well so it dumps all sections, not just
> 'the parts that matter'.
[root at localhost backup]# diff <(objdump -x 20110322/bin/cp) <(objdump -x 20110324bad/bin/cp)
2,3c2,3
< 20110322/bin/cp: file format elf32-i386
< 20110322/bin/cp
---
> 20110324bad/bin/cp: file format elf32-i386
> 20110324bad/bin/cp
[root at localhost backup]# diff <(objdump -x 20110322/bin/rpm) <(objdump -x 20110324bad/bin/rpm)
2,3c2,3
< 20110322/bin/rpm: file format elf32-i386
< 20110322/bin/rpm
---
> 20110324bad/bin/rpm: file format elf32-i386
> 20110324bad/bin/rpm
[root at localhost backup]#
> > Even if the parts that changed do not matter, what non-malicious
> > causes for those differences are there? That there is any change
> > at all is suspect.
>
> It's possible some filler bytes were filled by different values in
> different compiles.
If the programs had been recompiled,
why did they have the same timestamps?
The last day CentOS worked was 2011-03-22.
The last time I ran yum update was 2011-03-12.
So I am thinking that there should be _no_ change in the
programs from 2011-03-22 to 2011-03-23.
> Spotting binary differences the quick-'n'-dirty way:
>
> $ cmp -lb thisbinary thatbinary | less
> $ diff <(hd thisbinary) <(hd thatbinary)
http://www.colug.net/~jep/screenscrape.txt
http://www.colug.net/~beware/danger-possible-malicious-software.tgz
In the latter URL, change beware to jep to download the suspect software.
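An added example, not from this thread or its author, for the comparison the posts above do by hand: `objdump -d` covers only the disassembly and `objdump -x` only the headers, symbol tables and relocations, so neither one hashes the raw bytes of .rodata, .data or the other sections. The script below parses the ELF32 section header table directly and reports, per section, whether the two images match, plus a `cmp -l` style list of differing offsets. It assumes ELF32 little-endian input (the `elf32-i386` format shown in the objdump output above); the two sample images it compares are constructed inside the script and are not the suspect CentOS binaries.

```python
"""Compare two ELF32 binaries section by section (added example, not from the thread)."""
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 0, 1, 3, 8


def parse_sections(data):
    """Return {section name: raw bytes} for an ELF32 little-endian image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("only ELF32 little-endian is handled here")
    (e_shoff,) = struct.unpack_from("<I", data, 0x20)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x2E)
    hdrs = []
    for i in range(e_shnum):
        # Elf32_Shdr leading fields: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
        hdrs.append(struct.unpack_from("<IIIIII", data, e_shoff + i * e_shentsize))
    _, _, _, _, str_off, str_size = hdrs[e_shstrndx]
    shstrtab = data[str_off:str_off + str_size]
    sections = {}
    for sh_name, sh_type, _, _, sh_offset, sh_size in hdrs:
        if sh_type == SHT_NULL:
            continue
        name = shstrtab[sh_name:shstrtab.index(b"\0", sh_name)].decode()
        # SHT_NOBITS (.bss) occupies no file bytes, so there is nothing to hash
        sections[name] = b"" if sh_type == SHT_NOBITS else data[sh_offset:sh_offset + sh_size]
    return sections


def compare_sections(a, b):
    """Classify every section as 'same', 'differs', 'only in first' or 'only in second'."""
    sa, sb = parse_sections(a), parse_sections(b)
    report = {}
    for name in sorted(set(sa) | set(sb)):
        if name not in sb:
            report[name] = "only in first"
        elif name not in sa:
            report[name] = "only in second"
        else:
            ha = hashlib.sha256(sa[name]).hexdigest()
            hb = hashlib.sha256(sb[name]).hexdigest()
            report[name] = "same" if ha == hb else "differs"
    return report


def byte_diffs(a, b):
    """(offset, byte_in_a, byte_in_b) for every differing offset, like `cmp -l`; None marks a missing tail."""
    diffs = [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]
    for i in range(min(len(a), len(b)), max(len(a), len(b))):
        diffs.append((i, a[i] if i < len(a) else None, b[i] if i < len(b) else None))
    return diffs


def build_elf32(sections):
    """Build a minimal ELF32 LE image from [(name, bytes)] pairs. Constructed test data, not a real binary."""
    names = [n for n, _ in sections] + [".shstrtab"]
    shstrtab, name_off = b"\0", {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    bodies = [body for _, body in sections] + [shstrtab]
    ehsize, shentsize = 52, 40
    blob, offsets = b"", []
    for body in bodies:                      # section contents follow the ELF header back to back
        offsets.append(ehsize + len(blob))
        blob += body
    shoff, shnum = ehsize + len(blob), len(bodies) + 1
    ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\0" * 8      # ELFCLASS32, little-endian, EV_CURRENT
    header = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 0, shoff, 0,
                                 ehsize, 0, 0, shentsize, shnum, shnum - 1)  # ET_EXEC, EM_386
    shdrs = b"\0" * shentsize                # index 0 is always the null section
    for n, off, body in zip(names, offsets, bodies):
        sh_type = SHT_STRTAB if n == ".shstrtab" else SHT_PROGBITS
        shdrs += struct.pack("<IIIIIIIIII", name_off[n], sh_type, 0, 0, off, len(body), 0, 0, 1, 0)
    return header + blob + shdrs


# Constructed sample images: the "bad" copy has one byte of .text patched (0x5d -> 0x90).
GOOD = build_elf32([(".text", b"\x55\x89\xe5\x5d\xc3"), (".rodata", b"Hello\0"), (".data", b"\x01\x00\x00\x00")])
BAD = build_elf32([(".text", b"\x55\x89\xe5\x90\xc3"), (".rodata", b"Hello\0"), (".data", b"\x01\x00\x00\x00")])

if __name__ == "__main__":
    for name, verdict in compare_sections(GOOD, BAD).items():
        print(f"{name:12} {verdict}")
    for off, x, y in byte_diffs(GOOD, BAD):
        print(f"offset {off}: {x:#04x} -> {y:#04x}")
```

To run it against real files, read both with `open(path, "rb").read()` and pass the bytes to `compare_sections`; a section reported as `differs` is where to aim `objdump -s -j <section>` or `cmp -l` next. Real binaries can have padding inside a section, so a hash mismatch says only that the bytes changed, not why.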