With ELF Parser being such a young project there remains a lot of development ahead. Some complicated. Some very simple. The newest ELF Parser release (1.1.0) contains a simple new feature: extracting shell commands.
To illustrate the usefulness of this feature we can use a binary named mysql515 as our use case. If you follow the VirusTotal link then you will find a rather thorough analysis by @unixfreaxjp. In short, the binary is simply an installer and isn't a member of any malware family. Unfortunately, that also means that the VirusTotal detection rate is only 1/55.
How does ELF Parser help with this use case? First, since ELF Parser extracts the shell commands, the reverse engineer (RE) doesn't need to do a deep dive into the binary to figure out what it is doing: the commands it will run are listed up front.
Also, since ELF Parser computes its own threat score, it doesn't matter that the VirusTotal detection rate is low. ELF Parser gives this binary a fairly high score because of the various shell commands it carries, so there is no doubt that the binary is dangerous.
Many thanks to Rémi Chipaux for pointing out a bug in IP address extraction, which is now fixed in release 1.1.0. This release also extracts port numbers along with IP addresses, https strings, and GET, POST, and User-Agent HTTP strings.
Download: http://www.elfparser.com/download.html