Victim Machine Research Articles

A program behavior matching architecture for probabilistic file system forensics

Even the most secure computing system can be successfully attacked by a sufficiently motivated entity. To investigate the means of entry, the victim machine will come under the scrutiny of forensic analysis tools. In this era where system compromises occur on a regular basis, the design and implementation of operating systems should consider the necessity of computer forensics. Additionally, forensics techniques should take advantage of existing system capabilities such as the journaling feature of the Ext3 file system. With our forensics enabling architecture, we provide a means of using the metadata inherent in the Ext3 file system to reconstruct probable sequences of events that occurred during the journaling process. The reconstruction procedure is achieved by generating program behavior signatures. These signatures allow forensic investigators to perform probabilistic analysis by using information theory models to extract a more significant set of data.

Catching Remote Administration Trojans (RATs)

AbstractA Remote Administration Trojan (RAT ) allows an attacker to remotely control a computing system and typically consists of a server invisibly running and listening to specific TCP /UDP ports on a victim machine as well as a client acting as the interface between the server and the attacker. The accuracy of host and/or network‐based methods often employed to identify RATs highly depends on the quality of Trojan signatures derived from static patterns appearing in RAT programs and/or their communications. Attackers may also obfuscate such patterns by having RATs use dynamic ports, encrypted messages, and even changing Trojan banners. In this paper, we propose a comprehensive framework termed RAT Catcher, which reliably detects and ultimately blocks RAT malicious activities even when Trojans use multiple evasion techniques. Employing network‐based methods and functioning in inline mode to inspect passing packets in real time, our RAT Catcher collects and maintains status information for every connection and conducts session correlation to greatly improve detection accuracy. The RAT Catcher re‐assembles packets in each data stream and dissects the resulting aggregation according to known Trojan communication protocols, further enhancing its traffic classification. By scanning not only protocol headers but also payloads, RAT Catcher is a truly application‐layer inspector that performs a range of corrective actions on identified traffic including alerting, packet dropping, and connection termination. We show the effectiveness and efficiency of RAT Catcher with experimentation in both laboratory and real‐world settings. Copyright © 2007 John Wiley & Sons, Ltd.

Focus on trojans – holding data to ransom

The ancient Greeks have a lot to answer for. Three thousand years after the wooden horse idea entered their heads (and Troy), three quarters of malware threats today are trojan programs based on the same idea. Cyber-blackmail is now one of the key criminal motives. The first three months of 2006 saw a significant increase in the incidence of cyber-blackmail whereby virus writers use malicious programs such as trojans to penetrate victims' machines and encrypt their data. The victim is then informed that the data will only be decrypted once payment has been received – usually between $50 and $2,500. The most striking examples of this type of cyber-blackmail, carried out in the second half of 2005, are the trojans, GpCode and Krotten. The latest variant of GpCode which appeared in January 2006 differed radically from its predecessors in that it used one of the best known and most secure public encryption algorithms, RSA. It has raised the game, as we hear from a malware tracking specialist. Currently 75% of malware threats are trojans. Typically, trojans are dropped onto a victim machine by a virus or worm, or downloaded from a remote site. Trojans don't have their own on-board replication capability. For this reason, they are sometimes mistakenly perceived as being less dangerous than viruses or worms. Not so.