How to investigate an unknown 1.5GB file named "sudo" in my Linux home directory?
You probably made it by accident with a botched shell command. I've done stuff like that myself. As a result it is probably filled with innocuous data. Here are a few reasons why I would guess it is not malicious:
- 1.5 GB would be an extremely large virus. Since viruses are usually transmitted over a network, smaller is better.
- It isn't executable.
- Malware typically hides much better than this.
- `file` thinks it is just a data file.
Of course none of that proves that it isn't malicious (a.k.a. viruses don't have to be small, just because it isn't executable doesn't mean it might not be part of a malicious payload, and sometimes they don't bother hiding), but I suspect this is harmless. This is probably too old, but I would see if your bash history goes to the day/time in question.
I realize I haven't given you any hints on how to analyze the file, but you've already hit the main helpers (`file` and `strings`), and they haven't helped! A file filled with random data from an errant command would explain what you are seeing, and likely has a better chance of generating a file named `sudo` in your home directory than malware does, IMO.
Does anybody have any tips on how to proceed investigating this file?
Since `file` doesn't recognize the "data" as an executable, it will be difficult to try to analyze dynamically (by running it) unless you can find the proper entry point.
Another standard Linux tool you could try is `stat`. This will give you a little more of the metadata information than what you can see with just the directory listing.
Another tool you could try is `binwalk`, which can provide analysis of binary files like firmware images. For example, if the binary file contains a file system, `binwalk` may recognize it.
Yet another tool freely available on Linux is "The Sleuth Kit." If the binary file happens to be a raw disk image or file system data then you can try to process it with "The Sleuth Kit."
You could also try dropping the binary into IDA (the "Interactive Disassembler" from Hexrays; a freeware version is available) to see if IDA can make sense of it. But if `file` doesn't recognize it, I'm not too hopeful that IDA will.
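The tools in this answer (`file`, `stat`, `binwalk`) each answer one question about the blob: what does it look like, what are its metadata, does it contain a known structure. The script below is an added example, not part of this answer, that does a first pass at all three from Python so the numbers can be compared against a known-good sample: it reports stat-style metadata, checks a small constructed table of magic signatures (ELF, shebang, gzip, zip, tar, ext2/3/4 superblock; the table is a hypothetical subset, not a replacement for `file`), and computes the Shannon entropy and printable/NUL ratios of the first megabyte. A file produced by a botched command is usually either near-zero entropy (zero-filled), almost entirely printable (redirected output), or near 8 bits/byte (copied from `/dev/urandom`); a mixed-binary result with no signature is the case that deserves a closer look with `binwalk` or The Sleuth Kit.

```python
"""Static first-pass triage of an unknown file (added example, not from the answer)."""
import math
import os
import stat
from collections import Counter

# Constructed signature table: (offset, magic bytes, description). A hypothetical
# subset of what `file` knows; it only needs to catch the common containers here.
MAGICS = [
    (0, b"\x7fELF", "ELF binary"),
    (0, b"#!", "script with shebang"),
    (0, b"\x1f\x8b", "gzip stream"),
    (0, b"PK\x03\x04", "zip archive"),
    (257, b"ustar", "tar archive"),
    (0x438, b"\x53\xef", "ext2/3/4 superblock"),  # s_magic 0xEF53, little-endian, at 1024+56
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_magic(data: bytes) -> list:
    """Descriptions of every signature present at its expected offset (empty if none)."""
    return [desc for off, magic, desc in MAGICS if data[off:off + len(magic)] == magic]


def classify(data: bytes) -> dict:
    """Summarise a byte sample: entropy, printable/NUL ratios, signatures and a verdict."""
    n = max(len(data), 1)
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / n
    nulls = data.count(0) / n
    entropy = shannon_entropy(data)
    magic = find_magic(data)
    if magic:
        verdict = "recognised signature: " + ", ".join(magic)
    elif entropy > 7.5:
        verdict = "high entropy: random, compressed or encrypted data"
    elif nulls > 0.9:
        verdict = "almost all NUL bytes: sparse or zero-filled"
    elif printable > 0.95:
        verdict = "mostly printable text"
    else:
        verdict = "mixed binary data, no known signature"
    return {"entropy": round(entropy, 3), "printable": round(printable, 3),
            "nulls": round(nulls, 3), "magic": magic, "verdict": verdict}


def triage(path: str, sample_size: int = 1 << 20) -> dict:
    """stat-style metadata plus a classification of the first sample_size bytes."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    report = {
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "executable": bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)),
        "mtime": st.st_mtime,  # line this up against the timestamps in your shell history
    }
    report.update(classify(head))
    return report


if __name__ == "__main__":
    import tempfile
    # Constructed stand-ins for the mystery file: random, redirected text, zero-filled.
    samples = {
        "random": os.urandom(64 * 1024),
        "text": b"sudo: unable to resolve host\n" * 2000,
        "zeros": bytes(64 * 1024),
    }
    with tempfile.TemporaryDirectory() as d:
        for name, blob in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(blob)
            print(name, triage(p))
```

Run it as `python3 triage.py` to see the three constructed samples classified, or call `triage("/home/you/sudo")` on the real file. Reading only the first megabyte keeps a 1.5 GB file cheap to look at; if that head looks like text but the file is huge, `classify` on a slice from the middle (`fh.seek(...)`) is the natural next check.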
I'd start with `history | grep sudo` from the terminal and look at the most recent sudo commands to see if any are malformed.
- It's your home directory.
- You haven't said it has special ownership so I'll assume you own it.
- It's almost certainly a botched shell command, so you probably made it from the terminal.
- It might be something created by a script but it's pretty rare to put "sudo" commands in a script.
- It's displaying itself openly and obviously, so you probably would have noticed it if you hadn't created it recently.