Having just caught up on some of the conference “Source Boston”, I can’t help but call out some of the musings of Andrew Jaquith. Something of a more technical abstract can be read in the Code Project article by Jeffrey Walton (pay special attention to Robin Hood and Friar Tuck). If anybody doubts the current trend of sophistication in malware, I’m sure it is somebody who is currently penetrated. I’ve had the opportunity to devote specific analysis on occasion over the years to MAL code and its impact on the enterprise. I know FOR SURE the level of sophistication is on the rise.

One thing I had to deal with recently: the capabilities afforded by most desktop OSs are now so advanced that the majority of functionality desired by MAL code is pre-deployed. Unfortunately this paves the way for configuration viruses, which remain undetected because all they are is an elaborate set of configuration settings. You can imagine, a configuration virus has the entire ability of your OS at its disposal: any VPN/IPSEC, self-(UN)healing, remote administration, etc. The issue is then how you determine whether that configuration is of MAL intent; it’s surely there for a reason and valid in many deployments. The harm begins only when the host is connected to a larger entity/botnet. Some random points to add, hard learned through experience:
- Use a native execution environment
  - VMware prevents the load or typical operation of many MAL code variants.
  - I guess VM vendors have a big win here for a while, until the majority of targets are VM hosts.
- Have an easily duplicated disk strategy
  - Mac systems are great for forensics: target disk mode and ubiquitous FireWire allow for live memory dumps and ease of off-line disk analysis (without a drive carrier).
  - I’m planning a hash-tree based system to provision arbitrarily sized block checksums of clean/good files, useful for diff’ing out the noise for an arbitrary medium (memory, disk, flash).
- Install a Chinese translator locally
  - As you browse Chinese hack sites (I think all Russian sites are so quiet these days because they are financially driven, while the Chinese are currently motivated by nationalistic motivators), you need to translate locally. Using a .com translation service is detected and false content is rendered; translate locally to avoid that problem.
  - Also, keep notes on lingo; there are no translation-hack dictionaries yet. (I guess code pigeon is referring to a homing pigeon; naturally horse/wood code is a Trojan.)
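The hash-tree block-checksum idea above, worked through as an added example (this is not the author’s planned system or any project’s code). Leaf hashes cover fixed-size blocks of each known-good file, each higher level hashes two children, and only nodes that cover a complete power-of-two run of full blocks are indexed, so a hit at level k in a scanned image means 2^k blocks of byte-for-byte known content and the scanner can skip them in one step. What is left over is the “noise” worth looking at. The 512-byte block size, the SHA-256 choice and the two sample “files” plus the memory image are assumptions constructed for the example.

```python
import hashlib
from typing import Dict, List, Tuple

# Leaf block size.  Assumption for this example: 512 bytes keeps the constructed
# sample small; a real deployment would pick the medium's sector or page size.
BLOCK = 512


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_tree(data: bytes, block: int = BLOCK) -> List[List[bytes]]:
    """Hash tree over fixed-size blocks.

    Level 0 is one SHA-256 per leaf block; each higher level hashes the
    concatenation of two children, so a node at level k covers 2**k leaf
    blocks.  An unpaired last node is carried up unchanged.
    """
    leaves = [_h(data[i:i + block]) for i in range(0, len(data), block)]
    levels = [leaves]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([
            _h(prev[i] + prev[i + 1]) if i + 1 < len(prev) else prev[i]
            for i in range(0, len(prev), 2)
        ])
    return levels


def build_index(good_files: Dict[str, bytes],
                block: int = BLOCK) -> Dict[bytes, Tuple[str, int, int]]:
    """Map every node hash of every known-good file to (name, level, first leaf block).

    Only nodes covering a complete run of 2**level full blocks are indexed, so a
    match at level k in a scanned image always means 2**k * block bytes of
    byte-for-byte known-good content (carried-up odd nodes never qualify).
    """
    index: Dict[bytes, Tuple[str, int, int]] = {}
    for name, data in good_files.items():
        for level, nodes in enumerate(hash_tree(data, block)):
            span = block << level
            for i, node in enumerate(nodes):
                if (i + 1) * span <= len(data):
                    index.setdefault(node, (name, level, i * (1 << level)))
    return index


def find_unknown(image: bytes, index: Dict[bytes, Tuple[str, int, int]],
                 block: int = BLOCK, max_level: int = 8) -> List[Tuple[int, int]]:
    """Walk an image block by block and return coalesced (offset, length) ranges
    that no known-good node explains.  The largest span is tried first at each
    position, so long known-good runs are skipped in a single step."""
    unknown: List[Tuple[int, int]] = []
    pos, n = 0, len(image)
    while pos < n:
        matched = 0
        for level in range(max_level, -1, -1):
            span = block << level
            if pos + span > n:
                continue
            if hash_tree(image[pos:pos + span], block)[-1][0] in index:
                matched = span
                break
        if matched:
            pos += matched
            continue
        length = min(block, n - pos)
        if unknown and unknown[-1][0] + unknown[-1][1] == pos:
            unknown[-1] = (unknown[-1][0], unknown[-1][1] + length)
        else:
            unknown.append((pos, length))
        pos += length
    return unknown


def _pseudo(seed: bytes, n: int) -> bytes:
    """Deterministic filler bytes (constructed sample data, not real files)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += _h(seed + counter.to_bytes(4, "big"))
        counter += 1
    return bytes(out[:n])


# Constructed sample: two "known-good" files and a memory image in which an
# unknown 3-block region sits between copies of known content.
GOOD_FILES = {
    "good_a.bin": _pseudo(b"good-a", 8 * BLOCK),   # 8 blocks: a complete tree
    "good_b.bin": _pseudo(b"good-b", 5 * BLOCK),   # 5 blocks: exercises odd carry
}
IMAGE = (GOOD_FILES["good_a.bin"]
         + _pseudo(b"unknown", 3 * BLOCK)
         + GOOD_FILES["good_b.bin"]
         + GOOD_FILES["good_a.bin"][:2 * BLOCK])


def demo() -> List[Tuple[int, int]]:
    """Scan the constructed image; returns [(4096, 1536)], the injected region."""
    return find_unknown(IMAGE, build_index(GOOD_FILES))


if __name__ == "__main__":
    for off, length in demo():
        print(f"unknown region at offset {off}, {length} bytes")
```

Because carried-up odd nodes are excluded from the index, a five-block file still matches its first four blocks in one level-2 step and the fifth at leaf level, never claiming more than it covers. Real images hold known files at arbitrary offsets, so the same index can be probed at a finer alignment than the block size at the cost of more hashing; the power-of-two levels only pay off where the content is block-aligned.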
Unfortunately part of the attacker advantage is the relatively uncoordinated fashion in which defenders operate; not being able to trust or vet your allies to compare notes can be a real pain. One interesting aspect of a MAL system recently analyzed was that it had no persistent signature. Its net force mobility was so complete that the totality of its functionality could shift boot-to-boot; so long as it compromised a boot-up driver it would rise again. The exalted C. Brown put it best, “Good grief!”

http://www.codeproject.com/KB/cpp/VirusProtect.aspx
http://www.sourceboston.com/blog/?p=25
The “X” Files « System of Systems said
[…] blog got from images.google.com after Shane included a picture of the great Charlie Brown in his “Good Grief!” post…but I […]