
Vulnerability in widely used 'strings' utility could spell trouble for malware analysts

Lucian Constantin | Oct. 28, 2014
One of the first things a malware analyst does when encountering a suspicious executable file is to extract the text strings found inside it, because they can provide immediate clues about its purpose. This operation has long been considered safe, but it can actually lead to a system compromise, a security researcher found.

"The bottom line is that if you are used to running strings on random files, or depend on any libbfd-based tools for forensic purposes, you should probably change your habits," Zalewski said. "For strings specifically, invoking it with the -a parameter seems to inhibit the use of libbfd. Distro vendors may want to consider making the -a mode default, too."
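As an added illustration, not code from the article or from binutils, the following mirrors what the `-a` mode does: the whole file is treated as opaque bytes and printable runs are reported by offset, with no object-format headers parsed. The sample bytes are constructed here; the printable set is assumed to match the default ASCII mode of GNU strings (0x20-0x7e plus tab).

```python
import string

# Printable ASCII plus tab, the character set GNU strings scans for by default
# (assumption: other encodings selectable with -e are not mirrored here).
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\n\r\x0b\x0c")


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, text) for every printable run of at least min_len bytes.

    Like `strings -a`, this never interprets the file: a crafted header cannot
    steer the scan, it can only change which bytes happen to be printable.
    """
    found = []
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            found.append((start, data[start:i].decode("ascii")))
        start = None
    # Flush a run that reaches the end of the buffer.
    if start is not None and len(data) - start >= min_len:
        found.append((start, data[start:].decode("ascii")))
    return found


# Constructed sample: an ELF-looking magic, padding, a URL, some binary noise,
# a run that is too short to report, and a library name.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"http://example.invalid/update\x00"
    + b"\xde\xad\xbe\xef" + b"ab\x00"
    + b"kernel32.dll\x00"
)

if __name__ == "__main__":
    for offset, text in extract_strings(SAMPLE):
        print(f"{offset:#010x}  {text}")
```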

It's true that most malware researchers and computer forensics specialists analyze suspicious files in controlled environments, on systems specifically set up for this purpose. However, they are also known to make the occasional exception when they need a quick result, especially with such seemingly safe operations as string extraction.

"I'm sure many of us are guilty of running 'strings' on an untrusted file at one point or another outside of our test systems, so this does serve as a reminder that nothing is safe and vulnerabilities can be found in any code," said Carsten Eiram, the chief research officer at vulnerability intelligence firm Risk Based Security, via email.

A compromise is not desirable even when it involves just a dedicated system used for analysis.

"A researcher wouldn't want that system to be probed from the outside," said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, via email. "An attacker could gain intelligence about the network topology, the tools running on the respective computer or even deny service on that machine. It's mostly intelligence harvesting rather than compromising the organization, but it's still a threat that should be taken into account."

The risk posed by libbfd vulnerabilities also extends beyond the security industry.

"There are various tools that use libbfd, including some debug utilities that extract relevant data from crash dumps," Botezatu said. "They all depend on libbfd, whether these tools are used for forensics or debugging."

Exploitation is also not limited to cases where strings is used manually. There are also automated tools that leverage libbfd-related utilities to analyze samples submitted by other internal systems or directly by users from the Internet.
