
    The Malware Analysis Body of Knowledge (MABOK)

    The ability to forensically analyse malicious software (malware) is becoming an increasingly important discipline in the field of Digital Forensics. This is because malware is becoming stealthier, targeted, profit driven, managed by criminal organizations, harder to detect and much harder to analyse. Malware analysis requires a considerable skill set to delve deep into malware internals when it is designed specifically to detect and hinder such attempts. This paper presents a foundation for a Malware Analysis Body of Knowledge (MABOK) that is required to successfully forensically analyse malware. This body of knowledge has been the result of several years of research into malware dissection.

    A Threat to Cyber Resilience : A Malware Rebirthing Botnet

    This paper presents a threat to cyber resilience in the form of a conceptual model of a malware rebirthing botnet which can be used in a variety of scenarios. It can be used to collect existing malware and rebirth it with new functionality and signatures that will avoid detection by AV software and hinder analysis. The botnet can then use the customized malware to target an organization with an orchestrated attack from the member machines in the botnet for a variety of malicious purposes, including information warfare applications. Alternatively, it can also be used to inject known malware signatures into otherwise non-malicious code and traffic to overload the sensors and processing systems employed by intrusion detection and prevention systems, creating a denial of confidence in the sensors and detection systems. This could be used as a force multiplier in asymmetric warfare applications to create confusion and distraction whilst attacks are made on other defensive fronts.

    Analysis avoidance techniques of malicious software

    Anti-Virus (AV) software generally employs signature matching and heuristics to detect the presence of malicious software (malware). The generation of signatures and determination of heuristics is dependent upon an AV analyst having successfully determined the nature of the malware, not only for recognition purposes, but also for the determination of infected files and startup mechanisms that need to be removed as part of the disinfection process. If a specimen of malware has not been previously extensively analyzed, it is unlikely to be detected by AV software. In addition, malware is becoming increasingly profit driven and more likely to incorporate stealth and deception techniques to avoid detection and analysis, so as to remain on infected systems for a myriad of nefarious purposes. Malware extends beyond the commonly thought-of virus or worm to customized malware that has been developed for specific and targeted miscreant purposes. Such customized malware is highly unlikely to be detected by AV software because it will not have been previously analyzed and a signature will not exist. Analysis in such a case will have to be conducted by a digital forensics analyst to determine the functionality of the malware. Malware can employ a plethora of techniques to hinder the analysis process conducted by AV and digital forensics analysts. The purpose of this research has been to answer three research questions directly related to the employment of these techniques:
    1. What techniques can malware use to avoid being analyzed?
    2. How can the use of these techniques be detected?
    3. How can the use of these techniques be mitigated?

    A Comprehensive Firewall Testing Methodology

    This paper proposes an all-encompassing test methodology for firewalls. It extends the life cycle model to revisit the major phases of the life cycle after a firewall is in service as foundations for the tests. The focus of the tests is to show that the firewall is, or isn’t, still fit for purpose. It also focuses on the traceability from business requirements through to policy, rule sets, physical design, implementation, egress and ingress testing, monitoring and auditing. The guidelines are provided by a Test and Evaluation Master Plan (TEMP). The methodology is very much process driven and in keeping with the Security Systems Engineering Capability Maturity Model (SSE-CMM). This provides multiple advantages, including the capture of configuration errors, measurable and repeatable results, the development of assurance, and use as a roadmap for process improvement. Sample tests are provided in the paper, but act merely as a guideline. It would be expected that the test and evaluation master plan be tailored for any specific organisation.

    Managing Information Security Complexity

    This paper examines using a requirements management tool as a common thread to managing the complexity of information security systems. Requirements management provides a mechanism to trace requirements through to design, implementation, operating, monitoring, reviewing, testing, and reporting by creating links to associated, critical artefacts. This is instrumental in managing complex and dynamic systems where change can impact other subsystems and associated documentation. It helps to identify the affected artefacts through many layers. Benefits of this approach would include better project planning and management, improved risk management, superior change management, ease of reuse, enhanced quality control and more effective acceptance testing. It would also improve the ability to audit, especially at a time when outsourcing of security functions is occurring throughout the world. ISO 27001:2006 provides a model for the implementation of an Information Security Management System (ISMS) that can be tailored by an organization. It is proposed that employment of a requirements management tool could manage the traceability aspects of an ISMS.

    Malware Detection and Removal: An Examination of Personal Anti-Virus Software

    SoHo users are increasingly faced with the dilemma of applying appropriate security mechanisms to their computer with little or no knowledge of which countermeasure will deal with which potential threat. As problematic as it may seem for individuals to apply appropriate safeguards, individuals with malicious intent are advancing methods by which malicious software may operate undetected on a target host. Previous research has identified that there are numerous ways in which malware may go undetected on a target workstation. This paper examines the quality of malware removal programs currently available on the market, which consumers may use whilst utilising the Internet. The research suggests that current anti-virus products, whilst able to detect most recently released malware, still fall short of eliminating the malware and returning the system to its original state. The paper does not compare or disclose potential flaws within each product; rather it depicts the current state of anti-virus products.

    Mobile Device Management for Personally Controlled Electronic Health Records: Effective Selection of Evaluation Criteria

    Enterprises are faced with the task of managing a plethora of mobile computing devices in the workplace that are employed for both business purposes and private use. This integration can add to the demands of security protection and introduce significant threats to the enterprise. The introduction of the Personally Controlled Electronic Health Record (PCEHR) system is a significant step in e-health for Australia and will likely result in sensitive information being accessed from mobile computing devices. Mobile Device Management (MDM) offers a potential solution to manage these devices; however, there is a variety of vendors with a range of solutions. This paper presents preliminary research into a generic methodology that could be used to assist the enterprise in the MDM selection process, particularly when mobile devices will eventually integrate with Australia’s PCEHR.

    An Investigation into the Wi-Fi Protected Setup PIN of the Linksys WRT160N v2

    Wi-Fi Protected Setup (WPS) is a method of allowing a consumer to set up a secure wireless network in a user-friendly way. However, in December 2011 it was discovered that a brute force attack exists that reduces the WPS key space from 10^8 to 10^4 + 10^3. This resulted in a proof of concept tool that was able to search all possible combinations of PINs within a few days. This research presents a methodology to test wireless devices to determine their susceptibility to the external registrar PIN authentication design vulnerability. A number of devices were audited, and the Linksys WRT160N v2 router was selected to be examined in detail. The results demonstrate that the router is highly susceptible to having its WPS PIN brute forced. It also details that even with WPS disabled in the router configuration, WPS was still active and the PIN was equally vulnerable.

    Lessons Learned from an Investigation into the Analysis Avoidance Techniques of Malicious Software

    This paper outlines a number of key lessons learned from an investigation into the techniques malicious executable software can employ to hinder digital forensic examination. Malware signature detection has been recognised by researchers to be far less than ideal. Thus, the forensic analyst may be required to manually analyse suspicious files. However, in order to hinder the forensic analyst, hide its true intent and avoid detection, modern malware can be wrapped with packers or protectors, and layered with a plethora of anti-analysis techniques. This requires the forensic analyst to develop static and dynamic analysis skills tailored to navigate a hostile environment. To this end, the analyst must understand the anti-analysis techniques that can be employed and how to mitigate them, the limitations of existing tools and how to extend them, and how to employ an appropriate analysis methodology to uncover the intent of the malware.