• Aucun résultat trouvé

Honeynet data capture - practical analysis of rootkits

N/A
N/A
Info
Télécharger
Protected

Academic year: 2022

Partager "Honeynet data capture - practical analysis of rootkits"

Copied!
6
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

Honeynet data capture - practical analysis of rootkits

Alexandre Dulaunoy

Malware/...

analysis Introduction Analysis approach Dynamic analysis Static analysis Q and A

Honeynet data capture - practical analysis of rootkits

Alexandre Dulaunoy

ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg)

http://www.csrrt.org/

10th January 2006

(2)

Honeynet data capture - practical analysis of rootkits

Alexandre Dulaunoy

Malware/...

analysis Introduction Analysis approach Dynamic analysis Static analysis Q and A

Introduction

After the ”basic” network analysis, you have now a better understanding of what happened in the network. Not everything is clear (it’s impossible to reach the truth) but you are facing various part of the attacks and you would like to dig into the components used during the attacks. Some components seem to be software but how to make analysis ?

(3)

Honeynet data capture - practical analysis of rootkits

Alexandre Dulaunoy

Malware/...

analysis Introduction Analysis approach Dynamic analysis Static analysis Q and A

Analysis approach

There are two ways to analyze unknown components on a compromised system. The dynamic analysis approach and the static analysis approach. Static analysis is the most difficult way and takes a lot time to be properly done but the results can be very good. On the other side, the dynamic analysis is often faster to realize and give sometimes sufficient results but introduce more potential risks.

(4)

Honeynet data capture - practical analysis of rootkits

Alexandre Dulaunoy

Malware/...

analysis Introduction Analysis approach Dynamic analysis Static analysis Q and A

Dynamic analysis

Dynamic analysis means that you are analyzing software during its execution on a computer or in a virtual machine.

I ”Black box approach”. You are studying the component without digging the internal but only the flows

(input/output) of the program, its interactions with the external interface (read/write access to files) or its effects on the environment (e.g. smart-card and power usage).

I ”Post mortem approach”. You are studying the effect on the system after the execution of the component.

Effects can be memory effects, file access, temporary data created in the file system,...

I ”Conventional approach”. You are studying the execution of the component actively with system call tracker, memory analyzer, real time debugger/wrapper, open files tracker, ...

(5)

Honeynet data capture - practical analysis of rootkits

Alexandre Dulaunoy

Malware/...

analysis Introduction Analysis approach Dynamic analysis Static analysis Q and A

Static analysis

I ”Classical static analysis” is the method to look at the component without any execution on the component itself. You can look a the string contained in the binary, compares the hashes fingerprint of the software,

I ”Disassembly analysis” is to recover the

machine-language code of a component. This can be a complex and long task to analyze large software but realivility small software can be disassembled.

I ”Decompilation analysis” is to recover the source code of the compo- nent from machine-language. Sometimes compiler (from source code to machine-language) adds a lot of information in the compiled pro- gram.

(6)

Honeynet data capture - practical analysis of rootkits

Alexandre Dulaunoy

Malware/...

analysis Introduction Analysis approach Dynamic analysis Static analysis Q and A

Q and A

I Thanks for listening.

I http://www.csrrt.org.lu/

I [email protected]

Références

Télécharger maintenant ( PDF - 6 Page - 70.39 KB )

Documents relatifs

A new look at the interfaces in percolation

configuration, some additional edges are closed, but they are typically within a distance of order (ln |Λ|) 2 of the set P of the pivotal edges.. The edges which are further away from

Independent Component analysis of the Cosmic Microwave Background

Section 2 describes a generic method for the blind separation of noisy mixtures of stationary processes, based on a spectral approximation to the likelihood which seems to work

The right angle to look at orthogonal sets

A hyperdefinable version of Schlichting’s Theorem Recall that Schlichting’s Theorem [6], generalized by Bergman and Lenstra [3], states that if H is a family of uniformly

A Hard Look at the Costs of Peace

The United States was able to reap huge peace dividends, thanks to the acceleration of economic productivity, and Washington became the greatest economic and

Classification of defects by the SVM method and the Principal Component Analysis (PCA).

The problems as well as the objective of this realized work are divided in three parts: Extractions of the parameters of wavelets from the ultrasonic echo of the detected defect -

Classification of defects by the SVM method and the Principal Component Analysis (PCA).

The problems as well as the objective of this realized work are divided in three parts: Extractions of the parameters of wavelets from the ultrasonic echo of the detected defect -

A unifying look at the Apostolico-Giancarlo string-matching algorithm

To remedy the oblivious feature of the Boyer-Moore algorithm, Apostolico and Giancarlo [1] gave in 1986 an algorithm which remembers at each position of the text previously aligned

The Tenth Anniversary of the CreaRE Workshops: A Look Back and a Look Forward

To ful- fill this role, CreaRE has published mainly papers about specific techniques to enhance creativity in and for RE and about empirical studies of specific techniques,