Detecting Malicious Code

Many malicious attacks are detected too late, if at all. A seasoned

hacker won't necessarily leave a "Hacked!" note on your company's home

page and they often tamper with the system's log files to hide the

traces of their break-in.. Financial and military organizations are

particularly prone to these types of break-ins where hackers install an

eavesdropping agent (e.g., a packet sniffer or a Trojan horse) or a

virus on the target host. What can you do to avoid this from happening?

First, remember that prevention is the best defense. Make sure that

your system doesn't have any weak links that hackers can exploit:

usernames without passwords, short or easy-to-guess passwords, or

poorly configured authorizations. Still, these measures are useless

once a hacker has already broken into the system and installed

malicious code. What can you do now?

Object reconciliation is a reliable technique for detecting malicious

code on your system. Object reconciliation is a process in which system

objects such as files, directories, and devices are compared against

themselves on an earlier date. A system administrator stores snapshot

information of the system and uses that information to compare the

system's state at a later stage. Although backups can be used for this

purpose, comparing complete files takes a long time. A better technique

is to store only the checksum values of the system's files.

For example, suppose you have a file called "defragment" that contains

a disk defragmentation program. After installing the system, you

collected the checksum values of all existing files,

including "defragment", and stored these values in a special database.

Later, a hacker brakes into the system and tampers with this file.

Consequently, an object reconciliation process will detect that the

tampered file's checksum is different from its original checksum.

Clearly, something is wrong here. You can delete the file and restore

the original one from a safe backup.

Object reconciliation must be performed regularly. Furthermore, storing

the checksum database on read-only media is advisable. The best time to

create the checksum database is right after the system has been


Currently, several object reconciliation tools are available for Linux.

Most of them use the MD5 algorithm to compute a file's checksum as a

128-bit "fingerprint". One such tool is AIDE (Advanced Intrusion

Detection Environment), which is a GPL replacement for Tripwire(TM).

You can find more information about AIDE and download it from

What’s wrong? The new clean desk test
View Comments
You Might Like
Join the discussion
Be the first to comment on this article. Our Commenting Policies