Abstract

The Brazilian Symposium on Information and Computational Systems Security (SBSeg) is a scientific event promoted annually by the Brazilian Computer Society (SBC). SBSeg is the country's main forum for disseminating research results and relevant activities related to information and computational systems security. This book comprises the six chapters produced by the authors of the short courses selected for presentation at SBSeg 2011.

Chapter 1, "Análise de Malware: Investigação de Códigos Maliciosos Através de uma Abordagem Prática", proceeds in two basic steps: a theoretical one and a real analysis. The authors' goal is to give readers interested in malware analysis the knowledge needed to develop the skills intrinsic to an incident response and computer forensics group. The chapter introduces key concepts and discusses new trends among malicious code developers as well as countermeasures. Some models of incident handling and malware analysis are discussed, and tools used in the process are introduced.

Chapter 2, "Aprendizagem de Máquina para Segurança de Computadores: Métodos e Aplicações", analyzes different systems for detecting fraudulent activity on web pages, the proliferation of malicious code, and denial-of-service attacks, among others. Anomaly detection has advanced significantly with the use of machine learning and data mining techniques. With a theoretical focus, the chapter provides information on using machine learning techniques for data security and identifies techniques that are appropriate for the intrusion detection problem.

Chapter 3, "Técnicas para Análise Dinâmica de Código Malicioso", presents the main techniques used to perform dynamic malware analysis, which can operate at the operating system or web level, and checks which of them are present in the main publicly available analysis systems. The chapter also cites tools used to capture information about the execution of malicious programs. Readers will be able to build a simple dynamic malware analysis system and follow a complete case study, from the analysis of malware coming from the web to the compromise of the operating system.

Chapter 4, "Introdução à Composibilidade Universal", presents a general, modular environment for representing cryptographic protocols and analyzing their security. The chapter shows how complex protocols can be analyzed from simpler blocks. It also introduces the basics of Universal Composability security and its application in the design and analysis of a cryptographic protocol.

Chapter 5, "Gerência de Identidades Federadas em Nuvens: Enfoque na Utilização de Soluções Abertas", introduces the idea of moving most of the processing and storage of user applications to a remote cloud of services. The security of this approach is still an open problem and difficult to solve. The chapter explores this federated service offering from an Identity Management perspective. Several open solutions used in federated cloud environments are presented, ending with a case study that uses a tool for performing network robotics experiments.

Chapter 6, "Live Forensics em Ambientes Windows", introduces live forensics procedures in Windows operating system environments. Live forensics is characterized by the examination of machines that are still running, allowing the collection of important traces that can be lost when the machine is turned off. The chapter discusses live forensics procedures such as identifying running processes, ports and files in use, and collecting and preserving volatile traces, using only freely available tools.
