
Honeynet data capture - practical analysis of rootkits


Academic year: 2022



Malware/... analysis Q and A

Honeynet data capture - practical analysis of rootkits

Alexandre Dulaunoy

[email protected]

January 20, 2012


Introduction

After the "basic" network analysis, you now have a better understanding of what happened in the network. Not everything is clear (it is impossible to reach the whole truth), but you are facing various parts of the attacks and you would like to dig into the components used during the attacks. Some components seem to be software, but how do you analyze them?


Analysis approach

There are two ways to analyze unknown components on a compromised system: the dynamic analysis approach and the static analysis approach. Static analysis is the more difficult way and takes a lot of time to be done properly, but the results can be very good. On the other side, dynamic analysis is often faster to carry out and sometimes gives sufficient results, but it introduces more potential risks.


Dynamic analysis

Dynamic analysis means that you are analyzing software during its execution on a computer or in a virtual machine.

• "Black box approach". You study the component without digging into its internals, looking only at the flows (input/output) of the program, its interactions with external interfaces (read/write access to files) or its effects on the environment (e.g. smart-card and power usage).

• "Post mortem approach". You study the effects on the system after the execution of the component. Effects can be memory effects, file accesses, temporary data created in the file system, ...

• "Conventional approach". You actively study the execution of the component with a system call tracer, memory analyzer, real-time debugger/wrapper, open files tracker, ...


Static analysis

• "Classical static analysis" is the method of looking at the component without any execution of the component itself. You can look at the strings contained in the binary, compare the hash fingerprints of the software, ...

• "Disassembly analysis" is to recover the machine-language code of a component. This can be a complex and long task for large software, but relatively small software can be disassembled.

• "Decompilation analysis" is to recover the source code of the component from machine language. Sometimes the compiler (from source code to machine language) adds a lot of information to the compiled program.
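A minimal illustration of the classical static analysis step above (strings and hash fingerprints), added here as an example and not taken from the slides. The sample bytes, the known-good set and the indicator list are constructed for the demonstration:

```python
import hashlib
import re

# Constructed stand-in for an unknown component recovered from the honeynet
# (not a real binary): an ELF-like prefix, a few strings, some opaque bytes.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/usr/bin/ls\x00\x90\x90\x12"
    + b"insmod /tmp/.x/mod.ko\x00\x01\x02"
    + b"/etc/passwd\x00ab\x00"   # "ab" is too short to count as a string
    + b"LD_PRELOAD\x00"
)
# Constructed known-good component whose fingerprint we already trust.
KNOWN_GOOD_SAMPLE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"/bin/true\x00"
KNOWN_GOOD = {hashlib.sha256(KNOWN_GOOD_SAMPLE).hexdigest()}
KNOWN_BAD = set()   # SHA-256 values of samples already identified (empty here)

# Strings worth a closer look in a suspected rootkit component: kernel module
# loading, preload-based hooking, hidden directories under /tmp (constructed).
INDICATORS = ("insmod", "LD_PRELOAD", "/tmp/.")


def fingerprints(data: bytes) -> dict:
    """Hash fingerprints used to compare the component with known samples."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> dict:
    """Classical static triage: fingerprint comparison first, then strings."""
    fp = fingerprints(data)
    found = strings(data)
    hits = sorted({s for s in found if any(kw in s for kw in INDICATORS)})
    if fp["sha256"] in KNOWN_BAD:
        verdict = "known-bad"
    elif fp["sha256"] in KNOWN_GOOD:
        verdict = "known-good"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "unknown"
    return {"fingerprints": fp, "strings": found, "hits": hits, "verdict": verdict}
```

A fingerprint match settles the verdict before any string heuristic is consulted, which mirrors the order in which an analyst would compare against known samples first.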


Q and A

• Thanks for listening.

• [email protected]
