The first principle of analyzing compromised machines

August 12, 2008

The first principle of analyzing compromised machines is simple:

You can't trust anything running on a compromised machine.

If you are sufficiently paranoid, everything on a compromised machine might be compromised and lying to you: the programs, the shared libraries, the data files, even the kernel. You cannot trust any of it. This means that you cannot use a compromised machine to examine itself. Not even a little bit, however convenient it would be.

(The partial exception is that if a test on the compromised machine says that something is compromised, it probably is. But don't stop there.)

If you need to examine a thoroughly compromised machine you must do it completely from the outside, using some sort of environment that is known beforehand to be good. The traditional way is to connect the disks up to another system and use it to poke around; these days you can also use a live CD, if you are sure that the system is actually running it. Only then can you be confidant that you are not being lied to and your tools are actually reading what is really there and so aren't being fooled when they say that something isn't compromised.

(This sort of paranoia can run very deep. For example, are you sure that the BIOS hasn't been compromised to boot a hypervisor that then boots your live CD in a fake environment to hide bits of the disk from it? Really, it's simpler to add the disks to another system.)

The time and effort required for this sort of complete external verification is why the common advice for compromised machines is to just reinstall them from scratch.

(And you have to perform a complete verification, because an attacker might have hidden their compromise anywhere. For example, your kernel could be intact on the disk but the attacker has added a startup script that dynamically installs their rootkit through a kernel bug.)

Written on 12 August 2008.
« How RPM verification deals with prelinking
A bash irritation: the incompatible exec »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Tue Aug 12 23:48:15 2008
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.