• Aucun résultat trouvé

Honeynet data capture - practical analysis of rootkits

N/A
N/A
Info
Télécharger
Protected

Academic year: 2022

Partager "Honeynet data capture - practical analysis of rootkits"

Copied!
6
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

Malware/... analysis Q and A

Honeynet data capture - practical analysis of rootkits

Alexandre Dulaunoy

ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg)

http://www.csrrt.org/

January 22, 2010

(2)

Malware/... analysis Q and A

Introduction

Introduction

After the ”basic” network analysis, you have now a better

understanding of what happened in the network. Not everything is clear (it’s impossible to reach the truth) but you are facing various part of the attacks and you would like to dig into the components used during the attacks. Some components seem to be software but how to make analysis ?

(3)

Malware/... analysis Q and A

Analysis approach

Analysis approach

There are two ways to analyze unknown components on a compromised system. The dynamic analysis approach and the static analysis approach. Static analysis is the most difficult way and takes a lot time to be properly done but the results can be very good. On the other side, the dynamic analysis is often faster to realize and give sometimes sufficient results but introduce more potential risks.

(4)

Malware/... analysis Q and A

Dynamic analysis

Dynamic analysis

Dynamic analysis means that you are analyzing software during its execution on a computer or in a virtual machine.

I ”Black box approach”. You are studying the component without digging the internal but only the flows (input/output) of the program, its interactions with the external interface (read/write access to files) or its effects on the environment (e.g. smart-card and power usage).

I ”Post mortem approach”. You are studying the effect on the system after the execution of the component. Effects can be memory effects, file access, temporary data created in the file system,...

I ”Conventional approach”. You are studying the execution of the component actively with system call tracker, memory analyzer, real time debugger/wrapper, open files tracker, ...

(5)

Malware/... analysis Q and A

Static analysis

Static analysis

I ”Classical static analysis” is the method to look at the component without any execution on the component itself.

You can look a the string contained in the binary, compares the hashes fingerprint of the software,

I ”Disassembly analysis” is to recover the machine-language code of a component. This can be a complex and long task to analyze large software but realivility small software can be disassembled.

I ”Decompilation analysis” is to recover the source code of the compo- nent from machine-language. Sometimes compiler (from source code to machine-language) adds a lot of information in the compiled pro- gram.

(6)

Malware/... analysis Q and A

Q and A

I Thanks for listening.

I [email protected]

Références

Télécharger maintenant ( PDF - 6 Page - 69.66 KB )

Documents relatifs

The GRAVITY fringe tracker

Lower panel: modified sawtooth signal to search for fringes when the fringe tracker is in SEARCHING state.. Here the research is made on all tele- scopes, meaning that the rank

A real-time tracker for markerless augmented reality

In this paper, a new distance feature ‘s’ is considered as a set of distances between local point features obtained from a fast image processing step and the contours of a more

Mechanical stability of the CMS strip tracker measured with a laser alignment system

Culture, and Helsinki Institute of Physics; the Institut National de Physique Nucléaire et de Physique des Particules / CNRS, and Commissariat à l’Énergie Atomique et aux

The Movement Tracker: A Flexible System for Automated Movement Analysis in Invertebrate Model Organisms.

Representative pictures of individual tracks obtained with the Movement Tracker for worms on solid agar medium (A), in a microfluidic chip (B), and for Drosophila (C).. Movement

Identification of execution modes for real-time systems using cluster analysis

1, where the evolution (i.e., variation over time) of three response times is pre- sented (the tasks belong to the case study described in Section III-B).The green curve corresponds

Building against vacancy : space, shelter, and support for LGBTQ homeless youth on double vacant lots in NYC

Building Against Vacancy: References Thursday, January 17, 2019 Joey Swerdlin © 2019 Blank Page MIT Architecture Master of Architecture Thesis Thursday , January 17, 2019..

Changing the World from the Bottom Up: Leadership in Grassroots Social-Change Organizations

To the extent that this young woman’s comments are more broadly representative of young staff mem- bers, it may be that in terms of providing leadership development to younger

Computing solutions of linear Mahler equations

This reduces the problem to computing a set of polynomial solutions with certain degree constraints, which can be solved efficiently using the primitives developed in § 2 , leading