DOCSLIB.ORG

Part I ATTACK VECTORS

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Part I ATTACK VECTORS Attack Simulation and Threat Modeling Olu Akindeinde February 8, 2010 Copyright © 2009 Olu Akindeinde Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in Appendix B entitled "GNU Free Documentation License". 2 ATTACK SIMULATION AND THREAT MODELING i PREFACE “The purpose of computing is insight not numbers” I wrote this book as a direct consequence of Security Analysis and Data Visualization1. A lot of ground rules were laid there - we simply follow up here. Attack Simulation and Threat Modeling explores the abundant resources available in advanced security data collection, processing and mining. It is often the case that the essential value inherent in any data collection method is only as good as the processing and mining technique used. Therefore, this book attempts to give insight into a number of alternative security and attack analysis methods that leverage techniques adopted from such subject areas as statistics, AI, data mining, graphics design, pattern recognition and to some extent psychology and economics. As security design and implementation become major components of the overall enterprise architecture and data collection tools improve and evolve, the ability to collect data will no doubt increase dramatically. This then brings us to the value of the data which is often only as useful as what the analysis can shape it into. Whilst the security process itself is key, the collection, processing and mining techniques used to analyze the data are even more important. As much as information security is a unique and evolving field with particular needs, analysis techniques typically span the boundaries of different disciplines. Analysts that limit themselves to the boundaries imposed by one field may unnecessarily miss out all the possibilities that may exist in the multitude of disciplines that exists outside of it. This is by no means different with information security: by aligning it with different disciplines, we expand the possibilities exponentially. This book examines various tools and techniques from these other disciplines in extracting valuable findings to support security research and decision making. The objective of Attack Simulation and Threat Modeling is essentially to serve as an eye opener for security analysts and practitioners that there are many more techniques, tools and options beyond the security research field that can be used and are fit-for-purpose. Hopefully, this will lay the foundation for a cross-discipline concerted and collaborative effort that will help identify more techniques for security research and modeling. 1http://inverse.com.ng/sadv/Security_Analysis_and_Data_Visualization.pdf iii On a final note, this book is also heavy on the use of free and open source tools (both on Microsoft Windows and Linux platforms). Part of the rationale for this is to bring the analyst up to speed with the concepts and techniques of computer (security) simulation and modeling without having a recourse to proprietary tools and applications. I think in my humble estimation, it bridges the knowledge gap quicker whilst bringing the core subject matter to the fore. HOW THIS BOOK IS ORGANIZED This book consists of four parts described below. Part 1: Attack vectors Chapter 1 - Attack Vectors explores the classifications and different vectors of security at- tacks. We examine the roles of configuration errors, bugs, flaws as well as trust rela- tionships in computer security attacks. Part 2: Attack Simulation Chapter 2 - Virtual Lab is all about setting the stage for various attack simulations. Virtual machine theory is discussed in depth whilst also exploring the implementations of three notable virtual machine applications that will be employed throughout - VMware server, VirtualBox and Qemu. Virtual lab will be the platform upon which we build all other components. Chapter 3 - Attack Signatures examines attack vectors using various implementations of In- trusion Detection Systems (IDS). We discuss various IDS technologies, architectures and distributed configurations. We then home in on the Snort IDS and how it is deployed in various modes to aid and assist in detecting intrusion and threat payload propagation. Chapter 4 - Signature Detection describes the various aspects of detecting attack signatures through the use of Honeypots and Honeynets. We also explore their use in modern computer security as well as implementations in security research environments. We enumerate the different types and functions of Honeypots. The deployments and ben- efits of Honeypots in modeling and simulation environments are primed. Lastly we explore the technique of building conceptual intelligent honeypots and honeynets. iv Part 3: Attack Analytics Chapter 5 - Behavioural Analysis profiles the different forms of threat propagation - from botnet tracking, malware extraction, propagation and behavioural analysis through to security and attack visualization. The tools and methodologies employed in capturing, processing and visualizing a typical security dataset are discussed. Chapter 6 - Attack Correlation describes the methodology of simple and complex event cor- relation techniques from event filtering, aggregation and masking through to root cause analysis employing various tools and techniques. Log processing and analysis are given an in-depth coverage. Part 4: Attack Modeling Chapter 7 - Pattern Recognition attempts to uncover alternative techniques used in security data analytics. Special emphasis is given to data mining and machine learning algo- rithms especially as research in these fields have been extremely active in the last couple of years with the resultant huge number of accurate and efficient learning algorithms. We will also employ some inductive learning algorithms in classifying and recognizing patterns in typical security dataset. Finally, The primary aim of this book is to bring to the front burner alternative methods of security analytics that leverage methodologies adopted from various other disciplines in ex- tracting valuable data to support security research work and chart a course for enterprise security decision making. AUDIENCE Since there is no way for me to gauge the level of aptitude of the audience, I can only make certain assumptions. I assume that the reader has a good grasp of the technical aspects of in- formation security and networking concepts and is very conversant with the TCP/IP model. I also assume that the reader is familiar with the Linux Operating System especially the com- mand line interface (CLI) environment as well as installation and execution of Linux binary and source code applications. Even at that, I try as much as possible (where necessary) to provide clear and comprehensive explanations of the concepts you need to understand and v the procedures you need to perform so as to assist you in your day-to-day attack simulation and threat modeling activities. Overall, Attack Simulation and Threat Modeling is an intermediate level book but the con- cepts and methodologies covered are what you are most likely to encounter in real life. That means you can obtain enough information here to aid your comprehension of the subject mat- ter better. It can also be used as a reference source and as such will be useful to security research analysts, technical auditors, network engineers, data analysts and digital forensics investigators. It is also suitable as a self-study guide. The approach taken of evolving a se- curity and threat architecture from first principles, may provide useful insight to those that are learning about Internet security architectures and attack methodology. Whilst the book is intended for professional use, it is also suitable for use in training programmes or seminars for organizations as well as research institutes. At the end of the book, there is a glossary of frequently used terms and a bibliography. DEDICATION This book is dedicated to my late brother and grandmother. They were my friends and my confidants. They were loved by everyone who knew them, and they were described as angels by family and friends. They were my precious angels Though I can’t see them anymore, I thank God for the blessing of His gifts to me. ACKNOWLEDGMENTS This book again owes much to the people involved in the collation and review process, with- out whose support it would never have seen the light of day. A further special note of thanks goes to all the staff of Inverse and Digital Encode whose contributions throughout the whole process, from inception of the initial idea to final publication, have been invaluable. In partic- ular I wish to thank Wale Obadare, Sina Owolabi and Ola Amudipe - brilliant minds, artists vi and scientists sculpting the future - for their insights and excellent contributions to this book. Many thanks also to everyone who assisted me in the review process. Finally, I say thank you to my glorious mother and best friend Mrs T.A. Akindeinde - a perfect convergence of grace and substance, a paragon of virtues without whom I may never have been able to write this book. Many women do noble things, but mum, you surpass them all. Olu Akindeinde Lagos, Nigeria January 2010 ABOUT THE AUTHOR Olu has 9 years experience working in the IT and information security arena, but has spent the better part of the last few years exploring the security issues faced by Electronic Funds Transfer (EFT) and Financial Transaction Systems (FTS). He has presented the outcome of his research work at several conferences; including the Information Security Society of Africa (ISS), the forum of the Committee of Chief Inspectors of Banks in Nigeria, the apex bank - Central Bank of Nigeria (CBN), the Chartered Institute of Bankers (CIBN) forum as well as 13 financial institutions in Nigeria. In his professional life, Seyi, as he is otherwise called, sits on the board of two companies.
Load more

Recommended publications
  • A Comparative Analysis of Open- Source Intrusion Detection Systems
    TALLINN UNIVERSITY OF TECHNOLOGY Faculty of Information Technology Department of Computer Science Chair of Network Software A COMPARATIVE ANALYSIS OF OPEN- SOURCE INTRUSION DETECTION SYSTEMS Master’s Thesis ITI70LT Student: Mauno Pihelgas Student code: 106497IVCMM Advisor: Risto Vaarandi, Ph.D Tallinn 2012 Declaration I hereby declare that I am the sole author of this thesis. The work is original and has not been submitted for any degree or diploma at any other University. I further declare that the material obtained from other sources has been duly acknowledged in the thesis. ……………………………………. ……………………………… (date) (signature) 2 3 List of Acronyms and Abbreviations BSD license A class of extremely simple and very liberal licenses for computer software. Acronym BSD is short for Berkley Source Distribution. [1] CERT Computer Emergency Response Team. CPU Central Processing Unit. DoS Denial of Service. GNU A recursive acronym for GNU's Not Unix. [2] GNU GPL GNU General Public License. The most widely used license for free software. [2] GNU GRUB A multi-boot boot loader responsible for loading and transferring control to the operating system kernel. GPU Graphics processing unit. A processing unit on a graphics cards. HDD Hard Disk Drive. ICMP Internet Control Message Protocol. One of the core protocols of the Internet Protocol suite. IDS Intrusion Detection System. IPS Intrusion Protection System. md5sum A program used to calculate and verify 128-bit MD5 hashes. NIC Network Interface Card. NIDS Network-based Intrusion Detection System. Nmap Nmap ("Network Mapper") is a free and open-source utility for network discovery and security auditing. [3] PCAP A libpcap library file format that is the primary capture format for many networking tools.
    [Show full text]
  • Cyber Security Assessment Tools and Methodologies for the Evaluation of Secure Network Design at Nuclear Power Plants
    Cyber Security Assessment Tools and Methodologies for the Evaluation of Secure Network Design at Nuclear Power Plants A Letter Report to the U.S. NRC January 27, 2012 Prepared by: Cynthia K. Veitch, Susan Wade, and John T. Michalski Sandia National Laboratories P.O. Box 5800 Albuquerque, New Mexico 87185 Prepared for: Paul Rebstock, NRC Program Manager U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research Division of Engineering Digital Instrumentation & Control Branch Washington, DC 20555-0001 U.S. NRC Job Code: JCN N6116 Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000. Issued by Sandia National Laboratories, operated for the United States Department of Energy by Sandia Corporation. NOTICE: This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government, nor any agency thereof, nor any of their employees, nor any of their contractors, subcontractors, or their employees, make any warranty, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represent that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government, any agency thereof, or any of their contractors or subcontractors.
    [Show full text]
  • (Ids) Snort Dan Suricata Berbasis Aturan/Rules Standar Pengembang
    PLAGIATPLAGIAT MERUPAKAN MERUPAKAN TINDAKAN TINDAKAN TIDAK TIDAK TERPUJI TERPUJI MEMBANDINGKAN KEMAMPUAN DETEKSI INTRUSION DETECTION SYSTEM (IDS) SNORT DAN SURICATA BERBASIS ATURAN/RULES STANDAR PENGEMBANG SKRIPSI Diajukan untuk Memenuhi Salah Satu Syarat Memperoleh Gelar Sarjana Komputer Program Studi Teknik Informatika Oleh : Benedictus Yoga Pradana 095314040 HALAMAN JUDUL PROGRAM STUDI TEKNIK INFORMATIKA JURUSAN TEKNIK INFORMATIKA FAKULTAS SAINS DAN TEKNOLOGI UNIVERSITAS SANATA DHARMA YOGYAKARTA 2016 i PLAGIATPLAGIAT MERUPAKAN MERUPAKAN TINDAKAN TINDAKAN TIDAK TIDAK TERPUJI TERPUJI COMPARING DETECTION CAPABILITY OF SNORT AND SURICATA INTRUSION DETECTION SYSTEM (IDS) BASED ON DEVELOPER’S STANDARD RULES A Thesis Presented as Partial Fulfillment ofThe Requirements to Obtain Sarjana Komputer Degree in Informatics Engineering By : Benedictus Yoga Pradana 095314040 INFORMATICS ENGINEERING STUDY PROGRAM INFORMATICS ENGINEERING DEPARTMENT FACULTY OF SCIENCE AND TECHNOLOGY SANATA DHARMAUNIVERSITY YOGYAKARTA 2016 ii PLAGIATPLAGIAT MERUPAKAN MERUPAKAN TINDAKAN TINDAKAN TIDAK TIDAK TERPUJI TERPUJI HALAMAN PERSETUJUAN SKRIPSI MEMBANDINGKAN KEMAMPUAN DETEKSI INTRUSION DETECTION SYSTEM (IDS) SNORT DAN SURICATA BERBASIS ATURAN/RULES STANDAR PENGEMBANG Oleh: Benedictus Yoga Pradana NIM: 095314040 Telah disetujui Oleh: Pembimbing Iwan Binanto, S.Si., M.Cs. Pada tanggal: iii PLAGIATPLAGIAT MERUPAKAN MERUPAKAN TINDAKAN TINDAKAN TIDAK TIDAK TERPUJI TERPUJI ALAMAN PENGESAHAN SKRIPSI MEMBANDINGKAN KEMAMPUAN DETEKSI INTRUSION DETECTION SYSTEM (IDS) SNORT DAN
    [Show full text]
  • Darknoc: Dashboard for Honeypot Management
    DarkNOC: Dashboard for Honeypot Management Bertrand Sobesto, Michel Cukier Matti Hiltunen, Dave Kormann, Gregg Vesonder Clark School of Engineering AT&T Labs Research University of Maryland 180 Park Ave. College Park, MD, USA Florham Park, NJ, USA fbsobesto, [email protected] fhiltunen, davek, [email protected] Robin Berthier Coordinated Science Laboratory Information Trust Institute University of Illinois Urbana-Champaign, IL, USA [email protected] Abstract been used to conduct various studies of attackers [1, 9] and analysis of cyber crimes such as unsollicited elec- Protecting computer and information systems from secu- tronic mails, phishing [10], identity theft and denial of rity attacks is becoming an increasingly important task service. The computer security community has used hon- for system administrators. Honeypots are a technol- eypots to analyze different techniques deployed by the ogy often used to detect attacks and collect information attackers to reach their objectives. Attackers’ arsenal about techniques and targets (e.g., services, ports, oper- includes distributed denial of service [24], botnets [2], ating systems) of attacks. However, managing a large worms [11] or SPAM [15]. However few studies focus and complex network of honeypots becomes a challenge on the usage of honeypots data to help network adminis- given the amount of data collected as well as the risk that trators to better protect their production networks. Hon- the honeypots may become infected and start attacking eypot deployment is challenging and the architecture of other machines. In this paper, we present DarkNOC, a such networks is complex. For example, distributed hon- management and monitoring tool for complex honeynets eynets require secure tunnels and different levels of pro- consisting of different types of honeypots as well as other tection must be in place to ensure a total containment of data collection devices.
    [Show full text]
  • Intrusion Detection System and Intrusion Prevention System with Snort Provided by Security Onion
    Bezborodov Sergey Intrusion Detection System and Intrusion Prevention System with Snort provided by Security Onion. Bachelor’s Thesis Information Technology May 2016 DESCRIPTION Date of the bachelor's thesis 06.05.2016 Author(s) Degree programme and option Bezborodov Sergey Information Technology Name of the bachelor's thesis Intrusion Detection Systems and Intrusion Prevention System with Snort provided by Security Onion. Abstract In this thesis I wanted to get familiar with Snort IDS/IPS. I used the Security Onion distribution with a lot of security tools, but I concentrated on Snort. Also I needed to evaluate Security Onion environment and check what features it provides for processing with Snort. During the work I needed to figure out the pros and cons of using Security Onion with Snort as a security system for network. I compared it with alternatives and briefly describe it. As result I installed Security Onion, work with the environment, configured different features, created and modified rules and so on. I think this thesis will be helpful for people who want to use IDS/IPS for their network, it should help them to choose IDS/IPS vendor, make Security Onion and Snort installation, make comparison with another one and just get familiar with the network security tools. Also, this thesis can be a part of big research of network security tools, because now is impossible to find such detailed guides and literatures about any IDS/IPS tools. It is a good idea to combine many researches about it and make a good library. This thesis can be used for further development of Snort and Security Onion as it only on the development phase now, it will provide base for new researching with new versions.
    [Show full text]
  • Implementation of a Distributed Intrusion Detection and Reaction System
    Mestrado em Engenharia Inform´atica Disserta¸c~ao Relat´orioFinal Implementation of a distributed intrusion detection and reaction system Jo~aoPedro dos Santos Soares [email protected] Orientador: Prof. Dr. Jorge Granjal Co-Orientador: Eng. Ricardo Ruivo Data: 1 de Setembro de 2016 1 Mestrado em Engenharia Inform´atica Disserta¸c~ao Relat´orioFinal Implementation of a distributed intrusion detection and reaction system Jo~aoPedro dos Santos Soares [email protected] Orientador: Prof. Dr. Jorge Granjal Co-Orientador: Eng. Ricardo Ruivo J´uriArguente: Prof. Dr. M´arioRela J´uriVogal: Prof. Dr. Paulo Sim~oes Data: 1 de Setembro de 2016 3 Abstract Security was not always an important aspect in terms of networking and hosts. Nowa- days, it is absolutely mandatory. Security measures must make an effort to evolve at the same rate, or even at a higher rate, than threats, which is proving to be the most difficult of tasks. In this report we will detail the process of the implementation of a real distributed intrusion detection and reaction system, that will be responsible for securing a core set of networks already in production, comprising of thousands of servers, users and their respec- tive confidential information. Keywords: intrusion detection, intrusion prevention, host, network, security, threat, vul- nerability, hacking 5 Acknowledgments As we step into the most important project of my student life, there's a couple of people to whom I am extremely grateful, without them, this project and my life in general wouldn't be the same. I want to start by thanking my supervisor: Professor Jorge Granjal, who I quickly grew to admire for his dedication to this project.
    [Show full text]
  • Toolsmith Suricata
    toolsmith ISSA Journal | August 2010 Suricata: An Introduction By Russ McRee – ISSA member, Puget Sound (Seattle), USA Chapter mentations.2 I’ll include a bit more on the HTP Library cour- Prerequisites tesy of Ivan below. *nix operating system (Windows binaries Matt Jonkman, the OISF president and board member, of- pending) fered a features table that helps further exemplify Suricata’s capabilities. s I prepare this month’s column for your reading Existing IDS/IPS Engines Suricata pleasure, I also contemplate how to pack every- Features (Open and Commercial) (by the OISF) A thing I want to share with you at the ISSA Interna- Multi-Threaded Processing No Yes tional Conference (September 15-17, 2010 in Atlanta) into a Complete IPv6 Support Some Complete 50-minute session. That challenge is not unlike how I might IP Reputation Cisco Only Yes (soon) share everything I want you to know about Suricata in 1500 +/- words; pretty tough, but I’ll give it a shot. Automated Protocol Detection No Yes GPU Acceleration No Yes Suricata is the primary offering from the Open Information Multi-Platform Native Hard- No Yes Security Foundation (OISF), a non-profit foundation orga- ware Acceleration Support nized to build a next generation IDS/IPS engine, with funded Global Variables/Flowbits No Yes (soon) support from the Department of Homeland Security’s Direc- torate for Science and Technology HOST program (Home- Full Windows Support Some Yes land Open Security Technology) and the Navy’s Space and Inline Windows Support No Yes Naval Warfare Systems Command (SPAWAR). GeoIP Lookups No Yes (soon) To that end, Suricata is an open source, next generation in- Advanced HTTP Parsing No Yes trusion detection and prevention engine.
    [Show full text]
  • Suricata: Caso Di Studio Di Intrusion Detection and Prevention System
    Università degli Studi di Camerino SCUOLA DI SCIENZE E TECNOLOGIE Corso di Laurea in Informatica (Classe L-31) Suricata: caso di studio di Intrusion Detection and Prevention System Laureando Relatore Mirco Pazzaglia Prof. Fausto Marcantoni Matricola 081190 A.A. 2011/2012 «Learn the rules so you know how to break them properly.» Dalai Lama «The quieter you become, the more you can hear.» Ram Dass Ringraziamenti «Ringrazio tutti e tutto, niente e nessuno» I miei più sentiti ringraziamenti vanno a tutti coloro che hanno fatto e fanno parte della mia vita. Ringrazio la mia famiglia per il supporto e l'aiuto che mi ha fornito, e che da sempre mi segue in ogni mio passo verso il futuro. Ringrazio Noemi, mia sorella, che da sempre crede in me e mi sprona a dare il meglio dandomi la fiducia di cui ho bisogno. Non posso mancare di ringraziare tutti i miei amici, da coloro che mi seguono dalla mia infanzia a quelli che si sono aggiunti nel corso degli eventi della mia vita. Compagni d'ogni momento, dal più triste al più felice, hanno tutti contribuito ad arricchire il mio essere e sono loro infinitamente grato per le esperienze che abbiamo condiviso. Un ringraziamento anche ai miei colleghi di studio con i quali c'è sempre stato aiuto e supporto reciproco. Nello specifico vorrei ringraziare i miei due, oltre che amici, colleghi Moschettieri Giacomo e Giacomo con i quali ho condiviso i momenti migliori di questo percorso universitario, siano stati di studio, di svago o di brainstorming. Ringrazio il corpo docenti del corso di laurea in Informatica dell'Università di Camerino e nello specifico il Prof.
    [Show full text]
  • Tiago Filipe Mesquita Da Cunha Deteção De Falsos Alertas De Intrusão Em Redes De Computadores
    Tiago Filipe Mesquita da Cunha Deteção de Falsos Alertas de Intrusão em Redes de Computadores Dissertação de Mestrado Mestrado Integrado em Engenharia Eletrónica Industrial e Computadores Trabalho efetuado sob a orientação do Professor Doutor Henrique Santos Professor Doutor Sérgio Lopes janeiro de 2019 DIREITOS DE AUTOR E CONDIÇÕES DE UTILIZAÇÃO DO TRABALHO POR TERCEIROS Este é um trabalho académico que pode ser utilizado por terceiros desde que respeitadas as regras e boas práticas internacionalmente aceites, no que concerne aos direitos de autor e direitos conexos. Assim, o presente trabalho pode ser utilizado nos termos previstos na licença abaixo indicada. Caso o utilizador necessite de permissão para poder fazer um uso do trabalho em condições não previstas no licenciamento indicado, deverá contactar o autor, através do RepositóriUM da Universidade do Minho. Licença concedida aos utilizadores deste trabalho Atribuição-NãoComercial-CompartilhaIgual CC BY-NC-SA https://creativecommons.org/licenses/by-nc-sa/4.0/ ii AGRADECIMENTOS Este trabalho de dissertação representa o término de uma importante etapa de formação na minha vida, com as mais variadas aprendizagens, tanto a nível pessoal como académico. Para tal, devo e quero expressar, neste pequeno texto, a minha gratidão a todos os intervenientes, que direta ou indiretamente contribuíram para este caminho efetuado. Em primeiro lugar, agradeço aos meus pais, pela oportunidade que me foi concedida de continuar a formação académica e enveredar no ensino superior, assim como pelo acompanhamento, paciência e apoio. De igual modo, um especial agradecimento à minha namorada, pelo carinho, conforto e incentivo, nestas e noutras circunstâncias de maior pressão, que tanto ajudaram a enfrentar as adversidades.
    [Show full text]
  • Analysis of a Suspect Program: Linux
    Chapter 10 Analysis of a Suspect Program: Linux Solutions in this chapter: ■ Analysis Goals ■ Guidelines for Examining a Malicious Executable Program ■ Establishing the Environment Baseline ■ Pre-Execution Preparation: System and Network Monitoring ■ Defeating Obfuscation: Removing the Specimen from its Armor ■ Exploring and Verifying Attack Functionality ■ Assessing Additional Functionality and Scope of Threat ■ Other Considerations ˛ Summary 575 576 Chapter 10 • Analysis of a Suspect Program: Linux Introduction In Chapter 8 we conducted a preliminary analysis of a suspicious file, sysfile, in the case study “James and the Flickering Green Light.” Through the file profiling methodology, tools and techniques discussed in the chapter, we gained substantial insight into the dependencies, symbols and strings associated with the file, and in turn, a predictive assessment as to program’s nature and functionality. In particular, the information we collected from sysfile thus far has revealed that it is an ELF executable file that has not been obfuscated with packing or encryption, and is identified by numerous anti-virus engines as being a backdoor or DDoS agent. Further, the file dependencies discovered in sysfile suggest network capability. Lastly, symbol files referenced a file, kaiten.c, which we learned through research is code relating to known IRC bot program with denial of service capabilities. Building on this information, in this chapter, we will further explore nature, purpose and function- ality of sysfile by conducting a dynamic and static analysis of the binary. Recall that dynamic or behavioral analysis involves executing the code and monitoring its behavior, interaction and effect on the host system, whereas, static analysis is process of analyzing executable binary code without actually executing the file.
    [Show full text]