"Dustin" == Dustin Marquess <[EMAIL PROTECTED]> writes:

    Dustin> That's why after you ungzip a binary in Linux that you got
    Dustin> from email, you do a: strings file | more on it.  Usually
    Dustin> if it contains questionable strings (like '/etc/shadow'),
    Dustin> then you know to look out :)

Keep in mind that on the Windows box, you're essentially running
everything as root. At least on the Linux box, you are (er, should be)
running it as a user with reduced permissions. Which should at minimum
prevent the binary from being able to read /etc/shadow.

But, I hope you do a lot more than just run strings on binaries of
questionable source. Hiding suspicious strings is a trivial exercise:

An example from a program called lsu:

#define MAKELSUPERM(buf) {      /* build the permission file name */ \
/* begin LSUPERM */\
buf[0] = '.';\
buf[1] = '/';\
buf[2] = '.';\
buf[3] = 'l';\
buf[4] = 's';\
buf[5] = 'u';\
buf[6] = '\0';\
/* end LSUPERM */\
}

If permissions are correct on your OS, the OS should contain most of
the more malicious stuff the binary could do. I'd truss/strace the
binary in a chrooted environment with networking disabled if I were
suspicious. If I were really suspicious, I wouldn't run it at all or
I'd run it on a sacrificial host not plugged into a network.

j.
--
Jay Soffian <[EMAIL PROTECTED]>                       UNIX Systems Administrator
404.572.1941                                             Cox Interactive Media
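
The following is an added illustration of the point made above; it is not code from the email or from lsu. It re-implements the printable-run scan that `strings` performs and runs it over two constructed byte blobs: one standing in for a data section that holds the literal `/etc/shadow`, the other standing in for compiled code where the path was stored one character at a time, lsu-style, so each character sits between opcode bytes. The second function is the defender's counter-check: it looks for printable bytes at a fixed stride, which is the pattern byte-at-a-time stores leave behind (analysis tools call this recovering "stack strings"). The blob layout (`\xc6\x85` plus a displacement byte before each character) is a constructed stand-in, not real instruction encoding, and the stride heuristic is deliberately simple; it will produce noise on real binaries and is defeated by XOR or other encodings, which is why the runtime observation recommended above (strace in a chroot with no network) remains the stronger check.

```python
"""Why `strings` is a weak triage step, and one static check that goes a bit further.

All inputs below are constructed stand-ins for sections of a binary; nothing here
reads a real executable.
"""


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Mimic `strings`: report maximal runs of >= min_len printable ASCII bytes."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def recover_stride_strings(data: bytes, min_len: int = 6, max_stride: int = 8) -> set[str]:
    """Defender's counter-check for char-by-char stores.

    A string assembled with buf[i] = 'x' ends up as the immediate byte of one
    store instruction per character, so its characters appear in the code at a
    fixed spacing. Walk every start offset with every stride and collect maximal
    printable runs. Simplified 'stack strings' heuristic: noisy, but cheap.
    """
    found = set()
    for stride in range(2, max_stride + 1):
        for start in range(len(data)):
            # Only begin at the head of a run, so suffixes are not reported twice.
            if start >= stride and 0x20 <= data[start - stride] < 0x7F:
                continue
            run, i = bytearray(), start
            while i < len(data) and 0x20 <= data[i] < 0x7F:
                run.append(data[i])
                i += stride
            if len(run) >= min_len:
                found.add(run.decode("ascii"))
    return found


def build_char_by_char(s: str) -> bytes:
    """Constructed stand-in for what an lsu-style macro compiles to.

    Each character (and the final NUL) is emitted as the last byte of a
    four-byte pseudo-instruction: two fixed opcode-like bytes, a displacement
    byte that stays non-printable, then the character itself. Not real x86
    encoding; just enough structure to reproduce the stride pattern.
    """
    out = bytearray()
    for i, ch in enumerate(s + "\0"):
        out += b"\xc6\x85" + bytes([0xF0 + i]) + ch.encode("ascii")
    return bytes(out)


# Constructed stand-in for a .rodata section that stores the literal outright.
LITERAL_SECTION = b"\x00\x00\x00/etc/shadow\x00\x00libc.so.6\x00"

# Constructed stand-in for a .text section where the path was built per character.
SCATTERED_SECTION = build_char_by_char("/etc/shadow")


def triage(section: bytes) -> dict:
    """Run both checks over one blob and report what each would have shown."""
    return {
        "strings": extract_strings(section),
        "stride_recovered": sorted(recover_stride_strings(section)),
    }


if __name__ == "__main__":
    for name, blob in (("literal", LITERAL_SECTION), ("scattered", SCATTERED_SECTION)):
        print(name, triage(blob))
```

`strings` sees `/etc/shadow` only in the literal blob; the stride scan recovers it from the scattered one as well. Treat a hit from either as a reason to look harder, and a miss from both as no evidence of anything.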
