DOCSLIB.ORG

A Study of Rootkit Stealth Techniques and Associated Detection Methods

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Study of Rootkit Stealth Techniques and Associated Detection Methods Air Force Institute of Technology AFIT Scholar Theses and Dissertations Student Graduate Works 3-5-2007 A Study of Rootkit Stealth Techniques and Associated Detection Methods Daniel D. Nerenberg Follow this and additional works at: https://scholar.afit.edu/etd Part of the Other Computer Engineering Commons Recommended Citation Nerenberg, Daniel D., "A Study of Rootkit Stealth Techniques and Associated Detection Methods" (2007). Theses and Dissertations. 3106. https://scholar.afit.edu/etd/3106 This Thesis is brought to you for free and open access by the Student Graduate Works at AFIT Scholar. It has been accepted for inclusion in Theses and Dissertations by an authorized administrator of AFIT Scholar. For more information, please contact [email protected]. A Study of Rootkit Stealth Techniques and Associated Detection Methods THESIS Daniel D. Nerenberg, 1st Lieutenant, USAF AFIT/GCE/ENG/07-10 DEPARTMENT OF THE AIR FORCE AIR UNIVERSITY AIR FORCE INSTITUTE OF TECHNOLOGY Wright-Patterson Air Force Base, Ohio APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED. The views expressed in this thesis are those of the author and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the U.S. Government. AFIT/GCE/ENG/07-10 A Study of Rootkit Stealth Techniques and Associated Detection Methods THESIS Presented to the Faculty Department of Electrical and Computer Engineering Graduate School of Engineering and Management Air Force Institute of Technology Air University Air Education and Training Command In Partial Fulfillment of the Requirements for the Degree of Master of Science in Computer Engineering Daniel D. Nerenberg, B.S.C.E. 1st Lieutenant, USAF March 2007 APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED. AFIT/GCE/ENG/07-10 A Study of Rootkit Stealth Techniques and Associated Detection Methods Daniel D. Nerenberg, B.S.C.E. 1st Lieutenant, USAF Approved: /signed/ 5 Mar 2007 Major P. Williams, PhD (Chairman) date /signed/ 5 Mar 2007 Dr. R. Baldwin (Member) date /signed/ 5 Mar 2007 Dr. R. Raines (Member) date AFIT/GCE/ENG/07-10 Abstract In today’s world of advanced computing power at the fingertips of any user, computer security should be a primary concern. Information is power and this power is within the computer system. If the information within computer systems cannot be trusted then the power that comes from such information cannot be properly used. Rootkits are software programs that are designed to establish and maintain an environment in which malware may hide on a computer system after successful compromise of that computer system. Rootkits cut at the very foundation of the trust in information and subsequent power. This thesis examines rootkit hiding techniques, rootkit finding techniques and develops attack trees and defense trees to identify deficiencies in detection and further increase the trust in information systems. The developed attack and defense trees identified that enumeration is not sufficient to defend against rootkits. A developed classification of rootkits helps fill the gaps in enumeration of rootkit techniques and gives direction for further detection development. By fully understanding what areas need to be addressed in detection, better and more complete tools will come to fruition. iv Acknowledgements First and foremost I would like to thank my Heavenly Father for blessing me with the ability to complete this thesis. Secondly, I would like to thank my wife and children for supporting and encouraging me throughout this educational adventure. I would also like to express my sincere appreciation to my faculty advisor, Major Paul Williams, and committee members, Dr. Rusty Baldwin and Dr. Richard Raines, for their guidance and support throughout the course of this thesis effort. Their insight and experience was certainly appreciated. I would, also, like to thank Mr. Lacey for his expertise and support in everything. Special thanks to Greg Hoglund, James Butler and all those who participate in www.rootkit.com, and in the writing of Rootkits: Subverting the Windows Kernel; these were priceless in my rootkit research. Daniel D. Nerenberg v Table of Contents Page Abstract..................................... iv Acknowledgements ............................... v ListofFigures ................................. ix ListofTables.................................. xi ListofAbbreviations.............................. xii I. Introduction ............................. 1 1.1 Motivation ......................... 1 1.2 Overview .......................... 2 1.3 ResearchStatement .................... 2 1.4 ThesisOrganization .................... 3 II. LiteratureReview .......................... 4 2.1 Background......................... 4 2.2 OperatingSystems ..................... 5 2.2.1 WindowsOS ................... 7 2.2.2 Linux&FreeBSDOSs .............. 8 2.2.3 Prevention..................... 9 2.3 Classifications........................ 11 2.3.1 Achieved Access . 11 2.3.2 Automation .................... 11 2.3.3 AttackType.................... 11 2.3.4 AttackTree .................... 11 2.4 TrustedComputing..................... 14 2.5 ExploitsvsPatches..................... 16 2.6 Rootkits........................... 17 2.6.1 Binary Rootkits . 18 2.6.2 Kernel Rootkits . 19 2.6.3 LibraryRootkits ................. 20 2.7 Summary .......................... 21 vi Page III. RootkitHidingandFindingTechniques . 22 3.1 ChapterOverview ..................... 22 3.2 RootkitStealth....................... 22 3.2.1 Hooking ...................... 23 3.2.2 Patching...................... 30 3.2.3 Data Structure Manipulation . 30 3.2.4 Virtual Machine and Virtual Memory . 32 3.2.5 Hardware ..................... 33 3.2.6 Rootkit Examples - Hooking . 33 3.2.7 Rootkit Examples - Patching . 35 3.2.8 Rootkit Examples - Data Structure Manipulation 36 3.2.9 Rootkit Examples - Virtual Memory . 37 3.3 Rootkit Detection . 37 3.3.1 Behavioral Detection Class . 42 3.3.2 Static Detection Class . 43 3.3.3 Rootkit Detection Examples - Behavioral . 45 3.3.4 Rootkit Detection Examples - Signature . 47 IV. ExperimentationandResults .................... 52 4.1 ChapterOverview ..................... 52 4.2 RootkitAttackTree .................... 52 4.3 Rootkit Defense Tree . 54 4.4 Furtheringthestateoftheart. 55 4.5 SystemUnderTest..................... 55 4.5.1 BaseSystem.................... 56 4.5.2 TestedSystem................... 56 4.5.3 Software...................... 56 4.6 Experiment Overview: Rooted Rootkits . 56 4.7 Experimentsetup...................... 57 4.8 Outcomes.......................... 57 4.8.1 Experiment 1 Modified HPH vs unmodified HPH 57 4.8.2 Experiment 2 Modified HPH vs Hxdef100r . 57 4.8.3 Experiment 3 Modified HPH vs AFX2005 . 57 4.8.4 Experiment 4 Modified HPH vs Fu . 57 4.9 Metrics ........................... 58 vii Page V. Summary............................... 59 5.1 Conclusion ......................... 59 5.2 FutureResearch ...................... 59 5.2.1 Rootkit Detection concept: Screen Sweeping . 59 5.2.2 Rootkit Detection concept: Memory Tracking . 60 5.2.3 Research Questions . 60 AppendixA. WindowsArchitecture ................... 62 AppendixB. UNIXArchitecture..................... 63 Bibliography .................................. 64 Glossary..................................... 69 viii List of Figures Figure Page 2.1. Abstract view of the components of a computer system. 5 2.2. UNIX-like OS: System call flow. 7 2.3. Block Diagram of Windows XP OS. 8 2.4. BlockDiagramofLinuxOS. ................... 9 2.5. Example Threat Tree, House Burglary . 13 2.6. Exploitation Cycle . 17 2.7. Protection Rings from the Intel Developer Manual . 20 3.1. Rootkit Technology Picture . 23 3.2. Temporal ordering of a detoured function . 24 3.3. ExampleSSDTHook ....................... 26 3.4. ExampleIDTHook ........................ 27 3.5. ExampleIRPHook ........................ 27 3.6. Device Driver Physical Structure from Microsoft . 28 3.7. Normal execution path vs. hooked execution path for an IAT hook ................................ 29 3.8. Direct Kernel Object Manipulation . 31 3.9. Rootkit Hiding Categories . 34 3.10. Detection Classification 1 . 41 3.11. Detection Classification 2 . 42 3.12. Detection Classification 3 . 43 3.13. Trampoline Function with Modification . 46 4.1. Attack Tree 2: Rootkit Hiding Techniques . 52 4.2. RootkitHierarchy ......................... 53 4.3. RootkitDefenseTree ....................... 54 4.4. Rootkit Defense Tree:Klister Example . 55 ix Figure Page 4.5. TestResults ............................ 58 A.1. WindowsArchitecture....................... 62 B.1. UNIXArchitecture......................... 63 B.2. UNIXArchitecture......................... 63 x List of Tables Table Page 2.1. Incident Categories (AFI 33-138) . 12 3.1. InlineFunctionHook ....................... 30 3.2. RootkitExamples ......................... 38 3.3. Rootkit Detection Examples . 50 xi List of Abbreviations Abbreviation Page IDS Intrusion Detection Systems . 1 IPS InstrusionPreventionSystems................ 1 RHTs Rootkit Hiding Techniques . 2 RDTs Rootkit Detection Techniques . 2 SUT SystemUnderTest...................... 3 LKM LoadableKernelModule................... 19 SSDT System Service Descriptor Table . 24 IDT InterruptDescriptorTable.................. 24 IRP I/O Request Packet . 24 IAT ImportAddressTable .................... 28 DSM DataStructureManipulation ................ 30 DKOM Direct Kernel Object Manipulation . 30 FLINK forwardlink.......................... 31 BLINK backwardlink........................
Load more

Recommended publications
  • Trojan Vs Rat Vs Rootkit Mayuri More1, Rajeshwari Gundla2, Siddharth Nanda3 1U.G
    IJRECE VOL. 7 ISSUE 2 (APRIL- JUNE 2019) ISSN: 2393-9028 (PRINT) | ISSN: 2348-2281 (ONLINE) Trojan Vs Rat Vs Rootkit Mayuri More1, Rajeshwari Gundla2, Siddharth Nanda3 1U.G. Student, 2 Senior Faculty, 3Senior Faculty SOE, ADYPU, Lohegaon, Pune, Maharashtra, India1 IT, iNurture, Bengaluru, India2,3 Abstract - Malicious Software is Malware is a dangerous of RATs completely and prevent confidential data being software which harms computer systems. With the increase leaked. So Dan Jiang and Kazumasa Omote researchers in technology in today’s days, malwares are also increasing. have proposed an approach to detect RAT in the early stage This paper is based on Malware. We have discussed [10]. TROJAN, RAT, ROOTKIT in detail. Further, we have discussed the adverse effects of malware on the system as III. CLASSIFICATION well as society. Then we have listed some trusted tools to Rootkit vs Trojan vs Rat detect and remove malware. Rootkit - A rootkit is a malicious software that permits a legitimate user to have confidential access to a system and Keywords - Malware, Trojan, RAT, Rootkit, System, privileged areas of its software. A rootkit possibly contains Computer, Anti-malware a large number of malicious means for example banking credential stealers, keyloggers, antivirus disablers, password I. INTRODUCTION stealers and bots for DDoS attacks. This software stays Nowadays, this world is full of technology, but with the hidden in the computer and allocates the remote access of advantages of technology comes its disadvantages like the computer to the attacker[2]. hacking, corrupting the systems, stealing of data etc. These Types of Rootkit: malpractices are possible because of malware and viruses 1.
    [Show full text]
  • Cross-Platform Analysis of Indirect File Leaks in Android and Ios Applications
    Cross-Platform Analysis of Indirect File Leaks in Android and iOS Applications Daoyuan Wu and Rocky K. C. Chang Department of Computing, The Hong Kong Polytechnic University fcsdwu, [email protected] This paper was published in IEEE Mobile Security Technologies 2015 [47] with the original title of “Indirect File Leaks in Mobile Applications”. Victim App Abstract—Today, much of our sensitive information is stored inside mobile applications (apps), such as the browsing histories and chatting logs. To safeguard these privacy files, modern mobile Other systems, notably Android and iOS, use sandboxes to isolate apps’ components file zones from one another. However, we show in this paper that these private files can still be leaked by indirectly exploiting components that are trusted by the victim apps. In particular, Adversary Deputy Trusted we devise new indirect file leak (IFL) attacks that exploit browser (a) (d) parties interfaces, command interpreters, and embedded app servers to leak data from very popular apps, such as Evernote and QQ. Unlike the previous attacks, we demonstrate that these IFLs can Private files affect both Android and iOS. Moreover, our IFL methods allow (s) an adversary to launch the attacks remotely, without implanting malicious apps in victim’s smartphones. We finally compare the impacts of four different types of IFL attacks on Android and Fig. 1. A high-level IFL model. iOS, and propose several mitigation methods. four IFL attacks affect both Android and iOS. We summarize these attacks below. I. INTRODUCTION • sopIFL attacks bypass the same-origin policy (SOP), Mobile applications (apps) are gaining significant popularity which is enforced to protect resources originating from in today’s mobile cloud computing era [3], [4].
    [Show full text]
  • ENDPOINT MANAGEMENT 1 Information Systems Managers
    STAFF SYMPOSIUM SERIES INFORMATION TECHNOLOGY TRACK FACILITATORS Carl Brooks System Manager ‐ Detroit, MI Chapter 13 Standing Trustee – Tammy L. Terry Debbie Smith System Manager – Robinsonville, NJ Chapter 13 Standing Trustee – Al Russo Scot Turner System Manager –Las Vegas, NV Chapter 13 Standing Trustee – Rick Yarnall Tom O’Hern Program Manager, ICF International, Baltimore, MD STACS ‐ Standing Trustee Alliance for Computer Security STAFF SYMPOSIUM ‐ IT TRACK 5/11/2017 SESSION 4 ‐ ENDPOINT MANAGEMENT 1 Information Systems Managers Windows 10 Debbie Smith System Manager Regional Staff Symposium ‐ IT Track May 11 and 12, 2017 Las Vegas, NV STAFF SYMPOSIUM ‐ IT TRACK 5/11/2017 SESSION 4 ‐ ENDPOINT MANAGEMENT 2 Windows lifecycle fact sheet End of support refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance. This is the time to make sure you have the latest available update or service pack installed. Without Microsoft support, you will no longer receive security updates that can help protect your PC from harmful viruses, spyware, and other malicious software that can steal your personal information. Client operating systems Latest update End of mainstream End of extended or service pack support support Windows XP Service Pack 3April 14, 2009 April 8, 2014 Windows Vista Service Pack 2April 10, 2012 April 11, 2017 Windows 7* Service Pack 1 January 13, 2015 January 14, 2020 Windows 8 Windows 8.1 January 9, 2018 January 10, 2023 Windows 10, July 2015 N/A October 13, 2020 October 14, 2025 * Support for Windows 7 RTM without service packs ended on April 9, 2013.
    [Show full text]
  • Adaptive Android Kernel Live Patching
    Adaptive Android Kernel Live Patching Yue Chen Yulong Zhang Zhi Wang Liangzhao Xia Florida State University Baidu X-Lab Florida State University Baidu X-Lab Chenfu Bao Tao Wei Baidu X-Lab Baidu X-Lab Abstract apps contain sensitive personal data, such as bank ac- counts, mobile payments, private messages, and social Android kernel vulnerabilities pose a serious threat to network data. Even TrustZone, widely used as the se- user security and privacy. They allow attackers to take cure keystore and digital rights management in Android, full control over victim devices, install malicious and un- is under serious threat since the compromised kernel en- wanted apps, and maintain persistent control. Unfortu- ables the attacker to inject malicious payloads into Trust- nately, most Android devices are never timely updated Zone [42, 43]. Therefore, Android kernel vulnerabilities to protect their users from kernel exploits. Recent An- pose a serious threat to user privacy and security. droid malware even has built-in kernel exploits to take Tremendous efforts have been put into finding (and ex- advantage of this large window of vulnerability. An ef- ploiting) Android kernel vulnerabilities by both white- fective solution to this problem must be adaptable to lots hat and black-hat researchers, as evidenced by the sig- of (out-of-date) devices, quickly deployable, and secure nificant increase of kernel vulnerabilities disclosed in from misuse. However, the fragmented Android ecosys- Android Security Bulletin [3] in recent years. In ad- tem makes this a complex and challenging task. dition, many kernel vulnerabilities/exploits are publicly To address that, we systematically studied 1;139 An- available but never reported to Google or the vendors, droid kernels and all the recent critical Android ker- let alone patched (e.g., exploits in Android rooting nel vulnerabilities.
    [Show full text]
  • Adware-Searchsuite
    McAfee Labs Threat Advisory Adware-SearchSuite June 22, 2018 McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent malware. This Threat Advisory contains behavioral information, characteristics and symptoms that may be used to mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs. To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and Threat Reports” at the following URL: https://www.mcafee.com/enterprise/en-us/sns/preferences/sns-form.html Summary Detailed information about the threat, its propagation, characteristics and mitigation are in the following sections: Infection and Propagation Vectors Mitigation Characteristics and Symptoms Restart Mechanism McAfee Foundstone Services The Threat Intelligence Library contains the date that the above signatures were most recently updated. Please review the above mentioned Threat Library for the most up to date coverage information. Infection and Propagation Vectors Adware-SearchSuite is a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them. Mitigation Mitigating the threat at multiple levels like file, registry and URL could be achieved at various layers of McAfee products. Browse the product guidelines available here (click Knowledge Center, and select Product Documentation from the Support Content list) to mitigate the threats based on the behavior described in the Characteristics and symptoms section.
    [Show full text]
  • UPLC™ Universal Power-Line Carrier
    UPLC™ Universal Power-Line Carrier CU4I-VER02 Installation Guide AMETEK Power Instruments 4050 N.W. 121st Avenue Coral Springs, FL 33065 1–800–785–7274 www.pulsartech.com THE BRIGHT STAR IN UTILITY COMMUNICATIONS March 2006 Trademarks All terms mentioned in this book that are known to be trademarks or service marks are listed below. In addition, terms suspected of being trademarks or service marks have been appropriately capital- ized. Ametek cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. This publication includes fonts and/or images from CorelDRAW which are protected by the copyright laws of the U.S., Canada and elsewhere. Used under license. IBM and PC are registered trademarks of the International Business Machines Corporation. ST is a registered trademark of AT&T Windows is a registered trademark of Microsoft Corp. Universal Power-Line Carrier Installation Guide ESD WARNING! YOU MUST BE PROPERLY GROUNDED, TO PREVENT DAMAGE FROM STATIC ELECTRICITY, BEFORE HANDLING ANY AND ALL MODULES OR EQUIPMENT FROM AMETEK. All semiconductor components used, are sensitive to and can be damaged by the discharge of static electricity. Be sure to observe all Electrostatic Discharge (ESD) precautions when handling modules or individual components. March 2006 Page i Important Change Notification This document supercedes the preliminary version of the UPLC Installation Guide. The following list shows the most recent publication date for the new information. A publication date in bold type indicates changes to that information since the previous publication.
    [Show full text]
  • Advance Dynamic Malware Analysis Using Api Hooking
    www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume – 5 Issue -03 March, 2016 Page No. 16038-16040 Advance Dynamic Malware Analysis Using Api Hooking Ajay Kumar , Shubham Goyal Department of computer science Shivaji College, University of Delhi, Delhi, India [email protected] [email protected] Abstract— As in real world, in virtual world also there are type of Analysis is ineffective against many sophisticated people who want to take advantage of you by exploiting you software. Advanced static analysis consists of reverse- whether it would be your money, your status or your personal engineering the malware’s internals by loading the executable information etc. MALWARE helps these people into a disassembler and looking at the program instructions in accomplishing their goals. The security of modern computer order to discover what the program does. Advanced static systems depends on the ability by the users to keep software, analysis tells you exactly what the program does. OS and antivirus products up-to-date. To protect legitimate users from these threats, I made a tool B. Dynamic Malware Analysis (ADVANCE DYNAMIC MALWARE ANAYSIS USING API This is done by watching and monitoring the behavior of the HOOKING) that will inform you about every task that malware while running on the host. Virtual machines and software (malware) is doing over your machine at run-time Sandboxes are extensively used for this type of analysis. The Index Terms— API Hooking, Hooking, DLL injection, Detour malware is debugged while running using a debugger to watch the behavior of the malware step by step while its instructions are being processed by the processor and their live effects on I.
    [Show full text]
  • Userland Hooking in Windows
    Your texte here …. Userland Hooking in Windows 03 August 2011 Brian MARIANI SeniorORIGINAL Security SWISS ETHICAL Consultant HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch SOME IMPORTANT POINTS Your texte here …. This document is the first of a series of five articles relating to the art of hooking. As a test environment we will use an english Windows Seven SP1 operating system distribution. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch WHAT IS HOOKING? Your texte here …. In the sphere of computer security, the term hooking enclose a range of different techniques. These methods are used to alter the behavior of an operating system by intercepting function calls, messages or events passed between software components. A piece of code that handles intercepted function calls, is called a hook. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch THE WHITE SIDE OF HOOKING TECHNIQUES? YourThe texte control here …. of an Application programming interface (API) call is very useful and enables programmers to track invisible actions that occur during the applications calls. It contributes to comprehensive validation of parameters. Reports issues that frequently remain unnoticed. API hooking has merited a reputation for being one of the most widespread debugging techniques. Hooking is also quite advantageous technique for interpreting poorly documented APIs. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch THE BLACK SIDE OF HOOKING TECHNIQUES? YourHooking texte here can …. alter the normal code execution of Windows APIs by injecting hooks. This technique is often used to change the behavior of well known Windows APIs.
    [Show full text]
  • Digital Vision Network 5000 Series BCM Motherboard BIOS Upgrade
    Digital Vision Network 5000 Series BCM™ Motherboard BIOS Upgrade Instructions October, 2011 24-10129-128 Rev. – Copyright 2011 Johnson Controls, Inc. All Rights Reserved (805) 522-5555 www.johnsoncontrols.com No part of this document may be reproduced without the prior permission of Johnson Controls, Inc. Cardkey P2000, BadgeMaster, and Metasys are trademarks of Johnson Controls, Inc. All other company and product names are trademarks or registered trademarks of their respective owners. These instructions are supplemental. Some times they are supplemental to other manufacturer’s documentation. Never discard other manufacturer’s documentation. Publications from Johnson Controls, Inc. are not intended to duplicate nor replace other manufacturer’s documentation. Due to continuous development of our products, the information in this document is subject to change without notice. Johnson Controls, Inc. shall not be liable for errors contained herein or for incidental or consequential damages in connection with furnishing or use of this material. Contents of this publication may be preliminary and/or may be changed at any time without any obligation to notify anyone of such revision or change, and shall not be regarded as a warranty. If this document is translated from the original English version by Johnson Controls, Inc., all reasonable endeavors will be used to ensure the accuracy of translation. Johnson Controls, Inc. shall not be liable for any translation errors contained herein or for incidental or consequential damages in connection
    [Show full text]
  • Guide to Enterprise Patch Management Technologies
    NIST Special Publication 800-40 Revision 3 Guide to Enterprise Patch Management Technologies Murugiah Souppaya Karen Scarfone C O M P U T E R S E C U R I T Y NIST Special Publication 800-40 Revision 3 Guide to Enterprise Patch Management Technologies Murugiah Souppaya Computer Security Division Information Technology Laboratory Karen Scarfone Scarfone Cybersecurity Clifton, VA July 2013 U.S. Department of Commerce Penny Pritzker, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director Authority This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is responsible for developing information security standards and guidelines, including minimum requirements for Federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate Federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A- 130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official.
    [Show full text]
  • A Review Paper on Effective Behavioral Based Malware Detection and Prevention Techniques for Android Platform
    International Journal of Engineering Research and Technology. ISSN 0974-3154 Volume 10, Number 1 (2017) © International Research Publication House http://www.irphouse.com A Review Paper on Effective Behavioral Based Malware Detection and Prevention Techniques for Android Platform Mr. Sagar Vitthal Shinde1 M.Tech Comp. Department of Technology, Shivaji University, Kolhapur, Maharashtra, India. Email id: [email protected] Ms. Amrita A. Manjrekar2 Assistant Professor, Department of Technology, Shivaji University, Kolhapur, Maharashtra, India. Email Id: [email protected] Abstract late). It has been recently reported that almost 60% of Android is most popular platform for mobile devices. existing malware send stealthy premium rate SMS messages. Smartphone’s and mobile tablets are rapidly indispensable in Most of these behaviors are exhibited by a category of apps daily life. Android has been the most popular open sources called Trojanized that can be found in online marketplaces mobile operating system. On the one side android users are not controlled by Google. However, also Google Play, the increasing, but other side malicious activity also official market for Android apps, has hosted apps which have simultaneously increasing. The risk of malware (Malicious been found to be malicious [1] [21]. apps) is sharply increasing in Android platform, Android Existing system consist of some limited features of android mobile malware detection and prevention has become an app, malware detection is based on behavioral base. The important research topic. Some malware attacks can make the malware detection and prevention process is also static which phone partially or fully unusable, cause unwanted SMS/MMS create some problems such as it increase false positive rate.
    [Show full text]
  • Crimeware on the Net
    Crimeware on the Net The “Behind the scenes” of the new web economy Iftach Ian Amit Director, Security Research – Finjan BlackHat Europe, Amsterdam 2008 Who Am I ? (iamit) • Iftach Ian Amit – In Hebrew it makes more sense… • Director Security Research @ Finjan • Various security consulting/integration gigs in the past – R&D – IT • A helping hand when needed… (IAF) 2 BlackHat Europe – Amsterdam 2008 Today’s Agenda • Terminology • Past vs. Present – 10,000 feet view • Business Impact • Key Characteristics – what does it look like? – Anti-Forensics techniques – Propagation methods • What is the motive (what are they looking for)? • Tying it all up – what does it look like when successful (video). • Anything in it for us to learn from? – Looking forward on extrusion testing methodologies 3 BlackHat Europe – Amsterdam 2008 Some Terminology • Crimeware – what we refer to most malware these days is actually crimeware – malware with specific goals for making $$$ for the attackers. • Attackers – not to be confused with malicious code writers, security researchers, hackers, crackers, etc… These guys are the Gordon Gecko‟s of the web security field. The buy low, and capitalize on the investment. • Smart (often mislead) guys write the crimeware and get paid to do so. 4 BlackHat Europe – Amsterdam 2008 How Do Cybercriminals Steal Business Data? Criminals’ activity in the cyberspace Federal Prosecutor: “Cybercrime Is Funding Organized Crime” 5 BlackHat Europe – Amsterdam 2008 The Business Impact Of Crimeware Criminals target sensitive business data
    [Show full text]