mandiant / flare-floss

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Apache License 2.0

ELF analysis -a/--all-strings option doesn't work #276

Closed Mohannadcse closed 3 years ago

Mohannadcse commented 6 years ago

I've been using FLOSS on an Ubuntu machine for analyzing strings in ELF files. It seems the option -a isn't supported as described in the usage document of FLOSS, so could you please advise me about this issue? It's also not clear how to ask FLOSS for doing the obfuscation. Also, it seems FLOSS doesn't support analyzing ELFs, because I received the following error message after running FLOSS over an ELF: ERROR:floss:FLOSS currently supports the following formats for string decoding and stackstrings: PE

williballenthin commented 6 years ago

Hi @Mohannadcse

As you've found, we've only provided support for analyzing PE files via FLOSS. This is primarily because our corpus of obfuscated samples is nearly all PE files. If you were able to share some ELF files with obfuscated strings, we can begin looking into adding ELF support. The underlying analysis framework, Vivisect, already supports ELF files.

Mohannadcse commented 6 years ago

Thanks for the swift response. Yes, I have a dataset of ELFs but don't know if they contain obfuscated strings. If you please inform me how to check that, then I can verify and let you know. Also, how about the 2nd part of my inquiry: the documentation shows there is a -a option, but the actual FLOSS executable doesn't.

williballenthin commented 6 years ago

Hi @Mohannadcse

There's a little bit of a chicken-and-egg problem here: I haven't seen many obfuscated ELF binaries, so I haven't been able to update FLOSS, but since I haven't updated FLOSS, I can't easily find obfuscated ELF binaries.

We initially developed FLOSS using our experience from manually reversing malware. We knew how to look for obfuscated strings because we had seen it scores of times across hundreds of binaries. It's possible (probable, even) that many of these ideas translate easily to ELF files, but I don't have the data set or experience to be confident.

Here are some (non-exhaustive) ways you might decide if an ELF file contains obfuscated strings:

williballenthin commented 6 years ago

@Mohannadcse would you clarify where you saw references to the -a flag? We'll create a new issue to track that item.

Mohannadcse commented 6 years ago

I found it in the readme file that came with FLOSS after cloning it. Under the sample output, there is $ ~/env/bin/floss -a malware.bin; that's why I was also expecting that FLOSS supports analyzing ELF files.

README.md.txt

mr-tz commented 6 years ago

Hey, we've changed FLOSS's default behavior and usage in v1.3.0. The -a command line option is now the default behavior. Please see the most current documentation here: https://github.com/fireeye/flare-floss/blob/master/doc/usage.md

mr-tz commented 3 years ago

Closing per old discussion above.

idanr1986 commented 2 years ago

Here is a good example of an obfuscated ELF binary: a0cd554c35dee3fed3d1607dc18debd1296faaee29b5bd77ff83ab6956a6f9d6 https://www.intezer.com/blog/research/new-linux-threat-symbiote/

mr-tz commented 2 years ago

Thanks for the sample, I've referenced it in #40.