Reverse Engineering Malware on Linux with IDA Pro

July 31st, 2008 by Kristian Erik Hermansen

Your rating: None Average: 4.9 (8 votes)

The brief method. If I get good response to this post, I will put up a more detailed and in-depth look at malware reversing on Linux.

Steps:
* Download IDA Pro (freeware)
* Install wine
* Install IDA Pro
* Start reversing

Download IDA Pro (freeware):
$ cd /tmp
$ wget http://85.17.201.4/files/idafree49.exe

Install wine:
$ sudo aptitude install wine

Install IDA Pro:
$ wine /tmp/idafree49.exe

Start reversing:
$ wine "~/.wine/drive_c/Program Files/IDA Free/idag.exe"
-> Now open the malware binary and select the option for ELF executables

This post is a stub for a future longer version if anyone shows interest. I don't even know how many Linux Journal readers actually reverse malware on Linux...
__________________________
Kristian Erik Hermansen is a Linux Journal Reader Advisory Panelist. Track Me.

Special Magazine Offer -- Free Gift with Subscription
Receive a free digital copy of Linux Journal's System Administration Special Edition as well as instant online access to current and past issues. CLICK HERE for offer

Linux Journal: delivering readers the advice and inspiration they need to get the most out of their Linux systems since 1994.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
slowpoison's picture

+1

On August 9th, 2008 slowpoison (not verified) says:

I need to see more!

Kamal Wickramanayake's picture

I need it too!

On August 7th, 2008 Kamal Wickramanayake (not verified) says:

Count me in.

Gullit's picture

I want to see a more

On July 31st, 2008 Gullit (not verified) says:

I want to see a more detailed and in-depth look at malware reversing on Linux too!

Thanks in advance!

EdT.'s picture

Count me in(terested)

On July 31st, 2008 EdT. (not verified) says:

I am definitely interested in the in-depth version!

~EdT.

b0ne's picture

the linux part is irrelevant

On July 31st, 2008 b0ne (not verified) says:

Reverse engineering malware with IDA is the same regardless of which platform you use, especially if you are using WINE and IDA v4.9 free. There is a linux native version of IDA, except that it is commercial only.

Either way, you are still going to need a virtualbox/vmware/etc virtualization image of Windows XP SP2 or newer in order to effectively unpack most malware using a debugger.

Kristian Erik Hermansen's picture

I dont see why you think a

On July 31st, 2008 Kristian Erik Hermansen says:

I dont see why you think a windows installation is necessary to unpack linux ELF obfuscated binaries :-)

__________________________

Kristian Erik Hermansen is a Linux Journal Reader Advisory Panelist. Track Me.

Post new comment

Please note that comments may not appear immediately, so there is no need to repost your comment.
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <pre> <ul> <ol> <li> <dl> <dt> <dd> <i> <b>
  • Lines and paragraphs break automatically.

More information about formatting options

Newsletter

Each week Linux Journal editors will tell you what's hot in the world of Linux. You will receive late breaking news, technical tips and tricks, and links to in-depth stories featured on www.linuxjournal.com.
Sign up for our Email Newsletter

Tech Tip Videos

See more Linux Journal Videos

From the Magazine

December 2009, #188

If last month's Infrastrucuture issue was too "big" for you then try on this month's Embedded issue. Find out how to use Player for programming mobile robots, build a humidity controller for your root cellar, find out how to reduce the boot time of your embedded system, and if you're new to embedded systems find out the basics that go into one. You can also read about the Beagle Board, the Mesh Potato and a spate of other interestingly named items. And along with our regular columns don't miss our new monthly column: Economy Size Geek.


Read this issue