DOCSLIB.ORG

Analysis Avoidance Techniques of Malicious Software

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Edith Cowan University Research Online Theses: Doctorates and Masters Theses 2010 Analysis avoidance techniques of malicious software Murray Brand Edith Cowan University Follow this and additional works at: https://ro.ecu.edu.au/theses Part of the Computer Sciences Commons Recommended Citation Brand, M. (2010). Analysis avoidance techniques of malicious software. https://ro.ecu.edu.au/theses/138 This Thesis is posted at Research Online. https://ro.ecu.edu.au/theses/138 Edith Cowan University Copyright Warning You may print or download ONE copy of this document for the purpose of your own research or study. The University does not authorize you to copy, communicate or otherwise make available electronically to any other person any copyright material contained on this site. You are reminded of the following: Copyright owners are entitled to take legal action against persons who infringe their copyright. A reproduction of material that is protected by copyright may be a copyright infringement. Where the reproduction of such material is done without attribution of authorship, with false attribution of authorship or the authorship is treated in a derogatory manner, this may be a breach of the author’s moral rights contained in Part IX of the Copyright Act 1968 (Cth). Courts have the power to impose a wide range of civil and criminal sanctions for infringement of copyright, infringement of moral rights and other offences under the Copyright Act 1968 (Cth). Higher penalties may apply, and higher damages may be awarded, for offences and infringements involving the conversion of material into digital or electronic form. Analysis Avoidance Techniques of Malicious Software Analysis Avoidance Techniques of Malicious Software Murray Brand BEng (Hons) (Electronics and Communications) MEngSc (Electrical Engineering) GradCert (Computer Security) A thesis submitted for the Award of Doctor of Philosophy At the Faculty of Computing, Health and Science Edith Cowan University, Mount Lawley Campus Principal Supervisor Professor Craig Valli Associate Supervisor Doctor Andrew Woodward Submitted 30 November 2010 USE OF THESIS The Use of Thesis statement is not included in this version of the thesis. Analysis Avoidance Techniques of Malicious Software PUBLICATIONS ARISING FROM THIS RESEARCH Brand, M. (2007). Forensic Analysis Avoidance Techniques of Malware. Paper presented at the 5th Australian Digital Forensics Conference, Edith Cowan University, Mount Lawley Campus, Western Australia. Szewczyk, P., Brand, M. (2008). Malware Detection and Removal: An Examination of Personal Anti-Virus Software. Paper presented at the 6th Australian Digital Forensics Conference, Edith Cowan University, Mount Lawley Campus, Western Australia. Valli, C., Brand, M. (2008). Malware Analysis Body of Knowledge. Paper presented at the 6th Australian Digital Forensics Conference, Edith Cowan University, Mount Lawley Campus, Western Australia. Brand, M., Valli, C., Woodward, A. (2010). Lessons Learned from an Investigation into the Analysis Avoidance Techniques of Malicious Software. Paper presented at the 8th Australian Digital Forensics Conference, Duxton Hotel, Perth Western Australia. Brand, M., Valli, C., Woodward, A. (2010). Malware Forensics: Discovery of the intent of Deception. Paper presented at the 8th Australian Digital Forensics Conference, Duxton Hotel, Perth Western Australia. Brand, M., Valli, C., Woodward, A. (2010). Malware Forensics: Discovery of the intent of Deception. The Journal of Digital Forensics, Security and Law, 5(4), 31-42. iii Analysis Avoidance Techniques of Malicious Software ABSTRACT Anti Virus (AV) software generally employs signature matching and heuristics to detect the presence of malicious software (malware). The generation of signatures and determination of heuristics is dependent upon an AV analyst having successfully determined the nature of the malware, not only for recognition purposes, but also for the determination of infected files and startup mechanisms that need to be removed as part of the disinfection process. If a specimen of malware has not been previously extensively analyzed, it is unlikely to be detected by AV software. In addition, malware is becoming increasingly profit driven and more likely to incorporate stealth and deception techniques to avoid detection and analysis to remain on infected systems for a myriad of nefarious purposes. Malware extends beyond the commonly thought of virus or worm, to customized malware that has been developed for specific and targeted miscreant purposes. Such customized malware is highly unlikely to be detected by AV software because it will not have been previously analyzed and a signature will not exist. Analysis in such a case will have to be conducted by a digital forensics analyst to determine the functionality of the malware. Malware can employ a plethora of techniques to hinder the analysis process conducted by AV and digital forensics analysts. The purpose of this research has been to answer three research questions directly related to the employment of these techniques as: 1. What techniques can malware use to avoid being analyzed? 2. How can the use of these techniques be detected? 3. How can the use of these techniques be mitigated? These questions were effectively answered by validating anti-analysis techniques, showing how the techniques can be effectively detected and mitigated as well as by analyzing malware collected from the internet. This research contributes to the knowledge of malware analysis and digital forensics by: iv Analysis Avoidance Techniques of Malicious Software • Demonstrating that anti-analysis techniques can be very effective at hindering analysis by the tools typically used by analysts. • Showing that the use of anti-analysis techniques can be effectively detected and mitigated by the use of appropriate analysis techniques, scripts and plugins. • Support of claims virus signature based detection by anti-virus software can be far less than ideal. • Showing that extensive use of packers and protectors are employed by network based malware collected from the internet to obstruct signature based detection and to hinder analysis. • Support of an alternate paradigm of malware detection that could use detection of deception and anti-analysis techniques to detect malicious software instead of using virus signatures and heuristics. • Identification of a Malware Analysis Body of Knowledge (MABOK) that incorporates anti-analysis techniques as a core component. • Identification of deficiencies in analysis tools given the extent of available anti-analysis techniques. • Determination of an appropriate analysis methodology tailored for dealing with anti-analysis techniques. • Development of a taxonomy of analysis avoidance techniques. v Analysis Avoidance Techniques of Malicious Software DECLARATION I certify that this thesis does not, to the best of my knowledge and belief: (i) incorporate without acknowledgement any material previously submitted for a degree or diploma in any institution of higher education; (ii) contain any material previously published or written by another person except where due reference is made in the text; or (iii) contain any defamatory material. I also grant permission for the Library at Edith Cowan University to make duplicate copies of my thesis as required. Signature ……………………………………………………………………. Date ……………………………………………………………………………. vi Analysis Avoidance Techniques of Malicious Software ACKNOWLEDGEMENTS This thesis would not have been possible without the guidance and encouragement provided by my Principal Supervisor Professor Craig Valli and Associate Supervior Doctor Andrew Woodward. vii Analysis Avoidance Techniques of Malicious Software TABLE OF CONTENTS PUBLICATIONS ARISING FROM THIS RESEARCH .................................................................... III ABSTRACT ............................................................................................................................................. IV DECLARATION ..................................................................................................................................... VI ACKNOWLEDGEMENTS ................................................................................................................... VII LIST OF FIGURES ............................................................................................................................. XVII LIST OF TABLES .................................................................................................................................. XX CHAPTER 1 INTRODUCTION .......................................................................................................... 1 1.1. OVERVIEW .............................................................................................................................. 1 1.2. A STATEMENT OF THE PROBLEM ...................................................................................... 2 1.3. RESEARCH QUESTIONS ....................................................................................................... 6 1.4. SIGNIFICANCE OF RESEARCH ............................................................................................ 6 1.5. STRUCTURE OF THIS THESIS .............................................................................................. 8 CHAPTER 2 LITERATURE REVIEW ............................................................................................ 10 2.1. CHARACTERISATION OF NETWORK BASED MALWARE ..........................................
Recommended publications
  • Classification of Malware Persistence Mechanisms Using Low-Artifact Disk

    Classification of Malware Persistence Mechanisms Using Low-Artifact Disk

    CLASSIFICATION OF MALWARE PERSISTENCE MECHANISMS USING LOW-ARTIFACT DISK INSTRUMENTATION A Dissertation Presented by Jennifer Mankin to The Department of Electrical and Computer Engineering in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Electrical and Computer Engineering in the field of Computer Engineering Northeastern University Boston, Massachusetts September 2013 Abstract The proliferation of malware in recent years has motivated the need for tools to an- alyze, classify, and understand intrusions. Current research in analyzing malware focuses either on labeling malware by its maliciousness (e.g., malicious or benign) or classifying it by the variant it belongs to. We argue that, in addition to provid- ing coarse family labels, it is useful to label malware by the capabilities they em- ploy. Capabilities can include keystroke logging, downloading a file from the internet, modifying the Master Boot Record, and trojanizing a system binary. Unfortunately, labeling malware by capability requires a descriptive, high-integrity trace of malware behavior, which is challenging given the complex stealth techniques that malware employ in order to evade analysis and detection. In this thesis, we present Dione, a flexible rule-based disk I/O monitoring and analysis infrastructure. Dione interposes between a system-under-analysis and its hard disk, intercepting disk accesses and re- constructing high-level file system and registry changes as they occur. We evaluate the accuracy and performance of Dione, and show that it can achieve 100% accuracy in reconstructing file system operations, with a performance penalty less than 2% in many cases. ii Given the trustworthy behavioral traces obtained by Dione, we convert file system- level events to high-level capabilities.
  • MODELING the PROPAGATION of WORMS in NETWORKS: a SURVEY 943 in Section 2, Which Set the Stage for Later Sections

    MODELING the PROPAGATION of WORMS in NETWORKS: a SURVEY 943 in Section 2, Which Set the Stage for Later Sections

    942 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 16, NO. 2, SECOND QUARTER 2014 Modeling the Propagation of Worms in Networks: ASurvey Yini Wang, Sheng Wen, Yang Xiang, Senior Member, IEEE, and Wanlei Zhou, Senior Member, IEEE, Abstract—There are the two common means for propagating attacks account for 1/4 of the total threats in 2009 and nearly worms: scanning vulnerable computers in the network and 1/5 of the total threats in 2010. In order to prevent worms from spreading through topological neighbors. Modeling the propa- spreading into a large scale, researchers focus on modeling gation of worms can help us understand how worms spread and devise effective defense strategies. However, most previous their propagation and then, on the basis of it, investigate the researches either focus on their proposed work or pay attention optimized countermeasures. Similar to the research of some to exploring detection and defense system. Few of them gives a nature disasters, like earthquake and tsunami, the modeling comprehensive analysis in modeling the propagation of worms can help us understand and characterize the key properties of which is helpful for developing defense mechanism against their spreading. In this field, it is mandatory to guarantee the worms’ spreading. This paper presents a survey and comparison of worms’ propagation models according to two different spread- accuracy of the modeling before the derived countermeasures ing methods of worms. We first identify worms characteristics can be considered credible. In recent years, although a variety through their spreading behavior, and then classify various of models and algorithms have been proposed for modeling target discover techniques employed by them.
  • Common Threats to Cyber Security Part 1 of 2

    Common Threats to Cyber Security Part 1 of 2

    Common Threats to Cyber Security Part 1 of 2 Table of Contents Malware .......................................................................................................................................... 2 Viruses ............................................................................................................................................. 3 Worms ............................................................................................................................................. 4 Downloaders ................................................................................................................................... 6 Attack Scripts .................................................................................................................................. 8 Botnet ........................................................................................................................................... 10 IRCBotnet Example ....................................................................................................................... 12 Trojans (Backdoor) ........................................................................................................................ 14 Denial of Service ........................................................................................................................... 18 Rootkits ......................................................................................................................................... 20 Notices .........................................................................................................................................
  • BEGIN README.TXT-- PC Media Antivirus (PCMAV)

    BEGIN README.TXT-- PC Media Antivirus (PCMAV)

    --BEGIN README.TXT-- PC Media Antivirus (PCMAV) 9.9.1 Copyright (c) 2006-2014 Majalah PC Media Pinpoint Publications Group ************************************************************************ MEMANFAATKAN/MENGGUNAKAN PCMAV BERARTI ANDA MENGERTI DAN SETUJU DENGAN SELURUH KETENTUAN YANG ADA DI BAGIAN "KETENTUAN PENGGUNAAN (END-USER LICENSE)" YANG TERDAPAT PADA FILE README.TXT INI. PCMAV INI DIBUAT KHUSUS DAN DIPERSEMBAHKAN BAGI "PEMBACA SETIA" PC MEDIA DAN YANG KAMI CINTAI. MAKA DARI ITU, JIKA ANDA ADALAH PENGGUNA PEMULA DAN ATAU MERASA KESULITAN MEMAHAMI ISI README.TXT INI, BAIK SEBAGIAN MAUPUN SECARA KESELURUHAN, MAKA KAMI SANGAT MENYARANKAN ANDA UNTUK BERKONSULTASI TERLEBIH DULU DENGAN REKAN ANDA YANG LEBIH BERPENGALAMAN DALAM BERKOMPUTER. ATAU DEMI KENYAMANAN ANDA, MAKA KAMI SARANKAN UNTUK TIDAK MENGGUNAKAN PCMAV SAMA SEKALI. ************************************************************************ ------------------------------ ANTIVIRUS KEBANGGAAN INDONESIA ------------------------------ Tidak ada antivirus lain yang mampu mengatasi secara tuntas virus komputer, baik lokal maupun asing, yang banyak menyebar di Indonesia sebaik dan seaman PCMAV. Umumnya antivirus yang ada hanya mampu mengenali dan menghapus file yang dideteksi bervirus. PCMAV menyempurnakannya dengan tingkat akurasi pendeteksian yang lebih tinggi, sehingga lebih handal dalam mengembalikan file, dokumen dan sistem yang menjadi sasaran serangan virus hingga pulih 100%. Dengan PCMAV, Anda akan mendapatkan antivirus yang bukan hanya sekadar mendeteksi namun daya basminya
  • Effective Malicious Features Extraction and Classification for Incident Handling Systems

    Effective Malicious Features Extraction and Classification for Incident Handling Systems

    EFFECTIVE MALICIOUS FEATURES EXTRACTION AND CLASSIFICATION FOR INCIDENT HANDLING SYSTEMS CHO CHO SAN UNIVERSITY OF COMPUTER STUDIES, YANGON OCTOBER, 2019 Effective Malicious Features Extraction and Classification for Incident Handling Systems Cho Cho San University of Computer Studies, Yangon A thesis submitted to the University of Computer Studies, Yangon in partial fulfillment of the requirements for the degree of Doctor of Philosophy October, 2019 Statement of Originality I hereby certify that the work embodied in this thesis is the result of original research and has not been submitted for a higher degree to any other University or Institution. …..…………………………… .…………........………………………… Date Cho Cho San ACKNOWLEDGEMENTS First of all, I would like to thank Hist Excellency, the Minister for the Ministry of Education, for providing full facilities support during the Ph.D. course at the University of Computer Studies, Yangon. Secondly, my profound gratitude goes to Dr. Mie Mie Thet Thwin, Rector of the University of Computer Studies, Yangon, for allowing me to develop this research and giving me general guidance during the period of my study. I would like to express my greatest pleasure and the deepest appreciation to my supervisor, Dr. Mie Mie Su Thwin, Professor, the University of Computer Studies, Yangon, for her excellent guidance, caring, patient supervision, and providing me with excellent ideas throughout the study of this thesis. I would also like to extend my special appreciation to Dr. Khine Moe Nwe, Professor and Course-coordinator of the Ph.D. 9th Batch, the University of Computer Studies, Yangon, for her useful comments, advice, and insight which are invaluable through the process of researching and writing this dissertation.
  • Malware Behavior Comportamento De Programas Maliciosos

    Malware Behavior Comportamento De Programas Maliciosos

    Andr´eRicardo Abed Gr´egio Malware Behavior Comportamento de Programas Maliciosos Campinas 2012 i ii Universidade Estadual de Campinas Faculdade de Engenharia El´etrica e de Computa¸c~ao Andr´eRicardo Abed Gr´egio Malware Behavior Comportamento de Programas Maliciosos Doctorate thesis presented to the School of Electrical and Computer Engineering in partial fulfillment of the requirements for the degree of Doctor in Electrical Engineering. Concentration area: Computer Engineering. Tese de doutorado apresentada `aFaculdade de Engenharia El´etrica e de Computa¸c~ao como parte dos requisitos exigidos para a obten¸c~aodo t´ıtulo de Doutor em Engenharia El´etrica. Area´ de concentra¸c~ao: Engenharia de Computa¸c~ao. Orientador (Tutor): Prof. Dr. Mario Jino Co-orientador (Co-Tutor): Prof. Dr. Paulo Licio de Geus Este exemplar corresponde `avers~aofinal da tese defendida pelo aluno, e orientada pelo Prof. Dr. Mario Jino. Campinas 2012 iii FICHA CATALOGRÁFICA ELABORADA PELA BIBLIOTECA DA ÁREA DE ENGENHARIA E ARQUITETURA - BAE - UNICAMP Grégio, André Ricardo Abed G861c Comportamento de programas maliciosos / André Ricardo Abed Grégio. --Campinas, SP: [s.n.], 2012. Orientador: Mario Jino. Coorientador: Paulo Licio de Geus. Tese de Doutorado - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação. 1. Redes de computadores - Medidas de segurança. 2. Tecnologia da informação - Segurança. 3. Software - Segurança. 4. Virus de computador. 5. Taxonomia. I. Jino, Mario, 1943-. II. Geus, Paulo Licio de, 1956-. III. Universidade
  • Containing Conficker to Tame a Malware

    Containing Conficker to Tame a Malware

    &#4#5###4#(#%#5#6#%#5#&###,#'#(#7#5#+#&#8##9##:65#,-;/< Know Your Enemy: Containing Conficker To Tame A Malware The Honeynet Project http://honeynet.org Felix Leder, Tillmann Werner Last Modified: 30th March 2009 (rev1) The Conficker worm has infected several million computers since it first started spreading in late 2008 but attempts to mitigate Conficker have not yet proved very successful. In this paper we present several potential methods to repel Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotely detect a compromised system. Furthermore, we demonstrate various methods to detect and remove Conficker locally and a potential vaccination tool is presented. Finally, the domain name generation mechanism for all three Conficker variants is discussed in detail and an overview of the potential for upcoming domain collisions in version .C is provided. Tools for all the ideas presented here are freely available for download from [9], including source code. !"#$%&'()*+&$(% The big years of wide-area network spreading worms were 2003 and 2004, the years of Blaster [1] and Sasser [2]. About four years later, in late 2008, we witnessed a similar worm that exploits the MS08-067 server service vulnerability in Windows [3]: Conficker. Like its forerunners, Conficker exploits a stack corruption vulnerability to introduce and execute shellcode on affected Windows systems, download a copy of itself, infect the host and continue spreading. SRI has published an excellent and detailed analysis of the malware [4]. The scope of this paper is different: we propose ideas on how to identify, mitigate and remove Conficker bots.
  • Ethical Hacking

    Ethical Hacking

    Official Certified Ethical Hacker Review Guide Steven DeFino Intense School, Senior Security Instructor and Consultant Contributing Authors Barry Kaufman, Director of Intense School Nick Valenteen, Intense School, Senior Security Instructor Larry Greenblatt, Intense School, Senior Security Instructor Australia • Brazil • Japan • Korea • Mexico • Singapore • Spain • United Kingdom • United States Official Certified Ethical Hacker © 2010 Course Technology, Cengage Learning Review Guide ALL RIGHTS RESERVED. No part of this work covered by the copyright herein Steven DeFino may be reproduced, transmitted, stored or used in any form or by any means Barry Kaufman graphic, electronic, or mechanical, including but not limited to photocopying, Nick Valenteen recording, scanning, digitizing, taping, Web distribution, information networks, Larry Greenblatt or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior Vice President, Career and written permission of the publisher. Professional Editorial: Dave Garza Executive Editor: Stephen Helba For product information and technology assistance, contact us at Managing Editor: Marah Bellegarde Cengage Learning Customer & Sales Support, 1-800-354-9706 For permission to use material from this text or product, Senior Product Manager: submit all requests online at www.cengage.com/permissions Michelle Ruelos Cannistraci Further permissions questions can be e-mailed to Editorial Assistant: Meghan Orvis [email protected]
  • THE CONFICKER MYSTERY Mikko Hypponen Chief Research Officer F-Secure Corporation Network Worms Were Supposed to Be Dead. Turns O

    THE CONFICKER MYSTERY Mikko Hypponen Chief Research Officer F-Secure Corporation Network Worms Were Supposed to Be Dead. Turns O

    THE CONFICKER MYSTERY Mikko Hypponen Chief Research Officer F-Secure Corporation Network worms were supposed to be dead. Turns out they aren't. In 2009 we saw the largest outbreak in years: The Conficker aka Downadup worm, infecting Windows workstations and servers around the world. This worm infected several million computers worldwide - most of them in corporate networks. Overnight, it became as large an infection as the historical outbreaks of worms such as the Loveletter, Melissa, Blaster or Sasser. Conficker is clever. In fact, it uses several new techniques that have never been seen before. One of these techniques is using Windows ACLs to make disinfection hard or impossible. Another is infecting USB drives with a technique that works *even* if you have USB Autorun disabled. Yet another is using Windows domain rights to create a remote jobs to infect machines over corporate networks. Possibly to most clever part is the communication structure Conficker uses. It has an algorithm to create a unique list of 250 random domain names every day. By precalcuting one of these domain names and registering it, the gang behind Conficker could take over any or all of the millions of computers they had infected. Case Conficker The sustained growth of malicious software (malware) during the last few years has been driven by crime. Theft – whether it is of personal information or of computing resources – is obviously more successful when it is silent and therefore the majority of today's computer threats are designed to be stealthy. Network worms are relatively "noisy" in comparison to other threats, and they consume considerable amounts of bandwidth and other networking resources.
  • G Data Malwarereport Half-Yearly Report July

    G Data Malwarereport Half-Yearly Report July

    G Data MalwareReport Half-yearly report July - December 2010 Ralf Benzmüller & Sabrina Berkenkopf G Data SecurityLabs 2010 - MalwareReport_2 Go safe. Go safer. G Data. G Data MalwareReport 2/2010 Contents At a Glance ............................................................................................................................................ 2 Malware: Facts and Figures ................................................................................................................. 3 The end of the growth? ........................................................................................................................................... 3 Malware categories ................................................................................................................................................... 4 Malware families ........................................................................................................................................................ 4 Platforms: Windows and Web ............................................................................................................................... 6 Trends for 2011 ........................................................................................................................................................... 7 Top subjects for the second half of 2010 ............................................................................................ 7 WikiLeaks brings 'Hacktivists' into the arena ..................................................................................................
  • Modeling of Computer Virus Spread and Its Application to Defense

    Modeling of Computer Virus Spread and Its Application to Defense

    University of Aizu, Graduation Thesis. March, 2005 s1090109 1 Modeling of Computer Virus Spread and Its Application to Defense Jun Shitozawa s1090109 Supervised by Hiroshi Toyoizumi Abstract 2 Two Systems The purpose of this paper is to model a computer virus 2.1 Content Filtering spread and evaluate content filtering and IP address blacklisting with a key parameter of the reaction time R. Content filtering is a containment system that has a We model the Sasser worm by using the Pure Birth pro- database of content signatures known to represent par- cess in this paper. Although our results require a short ticular worms. Packets containing one of these signa- reaction time, this paper is useful to obviate the outbreak tures are dropped when a containment system member of the new worms having high reproduction rate λ. receives the packets. This containment system is able to stop computer worm outbreaks immediately when the systems obtain information of content signatures. How- 1 Introduction ever, it takes too much time to create content signatures, and this system has no effect on polymorphic worms In recent years, new computer worms are being created at a rapid pace with around 5 new computer worms per a [10]. A polymorphic worm is one whose code is trans- day. Furthermore, the speed at which the new computer formed regularly, so no single signature identifies it. worms spread is amazing. For example, Symantec [5] 2.2 The IP Address Blacklisting received 12041 notifications of an infection by Sasser.B in 7 days. IP address blacklisting is a containment system that has Computer worms are a kind of computer virus.
  • CONTENTS in THIS ISSUE Fighting Malware and Spam

    CONTENTS in THIS ISSUE Fighting Malware and Spam

    APRIL 2010 Fighting malware and spam CONTENTS IN THIS ISSUE 2 COMMENT A FUTILE BATTLE? Are takedowns an exercise in futility? Mary Landesman evaluates recent botnet takedown efforts. 3 NEWS page 2 VB2010 programme announced CYBER WARFARE All star superstars Terry Zink looks at the increasingly common Dangerous places to be online phenomenon of hacktivism and details three recent cyber warfare attacks. 3 VIRUS PREVALENCE TABLE page 11 FEATURES EXPLOIT KIT EXPLOSION 4 Evasions in Intrusion Prevention/ In the fi rst of a two-part series introducing exploit Detection Systems kits Mark Davis outlines the basic details of the dime-a-dozen kits used in drive-by browser-based 11 Botnets, politics and hacktivism – an interesting partnership attacks. page 21 15 ‘Signatures are dead.’ ‘Really? And what about pattern matching?’ RECORD VB100 ON XP In VB’s largest ever VB100 21 TUTORIAL comparative review, a total of 60 Exploit kit explosion – part one products are put to the test on April 2010 Windows XP. John Hawes has all 23 COMPARATIVE REVIEW the details. page 23 VB100 – Windows XP SP3 68 END NOTES & NEWS ISSN 1749-7027 COMMENT ‘There is often little Troyak-AS resumed service under a new upstream provider, and this pattern was repeated numerous times. incentive for domain These less than dramatic results beg the registrars or hosting (multi)-million-dollar question: are such takedown providers to make efforts an exercise in futility? it more diffi cult for Certainly if one focuses only on short-term statistics, the answer would appear to be ‘yes’. However, if one criminals to obtain focuses on some of the precedents set during the fi rst services.’ quarter, tangible long-term impact may become a reality.