Utilizing rootkits to address the vulnerabilities exploited by malware

Corregedor, Manuel Rodrigues

20 August 2012

M.Sc. / Anyone who uses a computer for work or recreational purposes has come across one or all of the following problems directly or indirectly (knowingly or not): viruses, worms, trojans, rootkits and botnets. This is especially the case if the computer is connected to the Internet. Looking at the statistics in [1] we can see that although malware detection techniques are detecting and preventing malware, they do not guarantee a 100% detection and or prevention of malware. Furthermore the statistics in [2] show that malware infection rates are increasing around the world at an alarming rate. The statistics also show that there are a high number of new malware samples being discovered every month and that 31% of malware attacks resulted in data loss [3], with 10% of companies reporting the loss of sensitive business data [4][5]. The reason for not being able to achieve a 100% detection and / or prevention of malware is because malware authors make use of sophisticated techniques such as code obfuscation in order to prevent malware from being detected. This has resulted in the emergence of malware known as polymorphic and metamorphic malware. The aforementioned malware poses serious challenges for anti-malware software specifically signature based techniques. However a more serious threat that needs to be addressed is that of rootkits. Rootkits can execute at the same privilege level as the Operating System (OS) itself. At this level the rootkit can manipulate the OS such that it can distribute other malware, hide existing malware, steal information, hide itself, disable anti-malware software etc all without the knowledge of the user. It is clear from the statistics that anti-malware products are not working because infection rates continue to rise and companies and end users continue to fall victims of these attacks. Therefore this dissertation will address the problem that current anti-malware techniques are not working. The main objective of this dissertation is to create a framework called ATE (Anti-malware Technique Evaluator) that can be used to critically evaluate current commercial anti-malware products. The framework will achieve this by identifying the current vulnerabilities that exist in commercial anti-malware products and the operating system. The prior will be achieved by making use of two rootkits, the Evader rootkit and the Sabotager rootkit, which were specifically developed to support the anti-malware product evaluation. Finally an anti-malware architecture we called External Malware Scanner (EMS), will be proposed to address the identified vulnerabilities.

Malware (Computer software)

Rootkits (Computer software)

Computer networks - Security measures

Computer security

Computer crimes - Prevention

The interface between application controls and integrity controls in modern computer systems

Boshoff, Willem Hendrik

23 September 2014

M.Com. (Accounting & Auditing) / External and Internal auditors have to deal with computer systems which are becoming increasingly complex. An auditor's interest in such an environment is primarily an understanding of the controls over the computer system and the risk of error and fraud. When dealing with controls two issues are important. The first deals with the ability to control a complex computer system. Unless the control issues are understood and the impact of various alternatives appreciated it would be impossible to control a computer system. Under such circumstances there is a high risk of error and fraud and the information present in a business could be very unreliable. Secondly the auditor needs to evaluate controls for purposes of his audit. Usually the objective is to assure himself that they adequately safeguard the business assets and prevent or detect errors present in the accounting records of the concern...

Auditing - South Africa

Computer literacy - South Africa

Computer crimes - South Africa

Critical information infrastructure protection for developing countries

Ellefsen, Ian David

16 August 2012

D.Phil.(Computer Science) / In this thesis we will investigate the development of Critical Information Infrastructure Protection (CIIP) structures in the developing world. Developing regions are experiencing fast-paced development of information infrastructures, and improvements in related technologies such as Internet connectivity and wireless technologies. The use of these new technologies and the number of new users that are introduced to the Internet can allow cyber threats to flourish. In many cases, Computer Security Incident Response Teams (CSIRTs) can be used to provide CIIP. However, the development of traditional CSIRT-like structures can be problematic in developing regions where technological challenges, legal frameworks, and limited capacity can reduce its overall effectiveness. In this thesis we will introduce the Community-oriented Security, Advisory and Warning (C-SAW) Team. This model is designed to address the challenges to CIIP faced by developing regions by defining a structure that is loosely-coupled and flexible in nature. Furthermore, the aspect of community-orientation is used to allow a C-SAW Team to operate within a designated community of members. This thesis is divided into three primary parts. In Part 1 we will discuss the background research undertaken during this study. The background chapters will lay the foundation for the later chapters in this thesis. In Part 2 we will introduce the C-SAW Team model and elaborate on the construction, relationships, positioning, services, and framework in which it can be deployed. Finally, in Part 3 we present our conclusions to this thesis.

Computer crimes prevention

Computer security

Computer networks - Access control

Computer networks - Security measures

An exploration into the use of webinjects by financial malware

Forrester, Jock Ingram

January 2014

As the number of computing devices connected to the Internet increases and the Internet itself becomes more pervasive, so does the opportunity for criminals to use these devices in cybercrimes. Supporting the increase in cybercrime is the growth and maturity of the digital underground economy with strong links to its more visible and physical counterpart. The digital underground economy provides software and related services to equip the entrepreneurial cybercriminal with the appropriate skills and required tools. Financial malware, particularly the capability for injection of code into web browsers, has become one of the more profitable cybercrime tool sets due to its versatility and adaptability when targeting clients of institutions with an online presence, both in and outside of the financial industry. There are numerous families of financial malware available for use, with perhaps the most prevalent being Zeus and SpyEye. Criminals create (or purchase) and grow botnets of computing devices infected with financial malware that has been configured to attack clients of certain websites. In the research data set there are 483 configuration files containing approximately 40 000 webinjects that were captured from various financial malware botnets between October 2010 and June 2012. They were processed and analysed to determine the methods used by criminals to defraud either the user of the computing device, or the institution of which the user is a client. The configuration files contain the injection code that is executed in the web browser to create a surrogate interface, which is then used by the criminal to interact with the user and institution in order to commit fraud. Demographics on the captured data set are presented and case studies are documented based on the various methods used to defraud and bypass financial security controls across multiple industries. The case studies cover techniques used in social engineering, bypassing security controls and automated transfers.

Malware (Computer software) -- Analysis

Internet fraud

Computer crimes

Computer security

Electronic commerce

Global response to cyberterrorism and cybercrime: A matrix for international cooperation and vulnerability assessment.

Ozeren, Suleyman

08 1900

Cyberterrorism and cybercrime present new challenges for law enforcement and policy makers. Due to its transnational nature, a real and sound response to such a threat requires international cooperation involving participation of all concerned parties in the international community. However, vulnerability emerges from increased reliance on technology, lack of legal measures, and lack of cooperation at the national and international level represents real obstacle toward effective response to these threats. In sum, lack of global consensus in terms of responding to cyberterrorism and cybercrime is the general problem. Terrorists and cyber criminals will exploit vulnerabilities, including technical, legal, political, and cultural. Such a broad range of vulnerabilities can be dealt with by comprehensive cooperation which requires efforts both at the national and international level. "Vulnerability-Comprehensive Cooperation-Freedom Scale" or "Ozeren Scale" identified variables that constructed the scale based on the expert opinions. Also, the study presented typology of cyberterrorism, which involves three general classifications of cyberterrorism; Disruptive and destructive information attacks, Facilitation of technology to support the ideology, and Communication, Fund raising, Recruitment, Propaganda (C-F-R-P). Such a typology is expected to help those who are in a position of decision-making and investigating activities as well as academicians in the area of terrorism. The matrix for international cooperation and vulnerability assessment is expected to be used as a model for global response to cyberterrorism and cybercrime.

cyberterrorism

cyber crime

vulnerability

international

cooperation

The Effects of Computer Crimes on the Management of Disaster Recovery

Proffitt, Tim Gene

01 January 2018

The effects of a technology disaster on an organization can include a prolonged disruption, loss of reputation, monetary damages, and the inability to remain in business. Although much is known about disaster recovery and business continuance, not much research has been produced on how businesses can leverage other technology frameworks to assist information technology disaster recovery. The problem was the lack of organizational knowledge to recover from computer crime interruptions given the maturity level of existing disaster recovery programs. The purpose of this Delphi study was to understand how disaster recovery controls and processes can be modified to improve response to a computer crime caused business interruption. The overarching research question in this study was to understand what factors emerge relative to the ability of disaster recovery programs to respond to disasters caused by computer crimes. The conceptual framework included a maturity model to look at how programs might be improved to respond to the computer crimes threat. Research data were collected from a 3 round Delphi study of 22 disaster recovery experts in the fields of disaster recovery and information security. Results from the Delphi encompass a consensus by the panel. Key findings included the need for planning for cyber security, aligning disaster recovery with cyber security, providing cyber security training for managers and staff, and applying lessons learned from experience. Implications for positive social change include the ability for organizations to return to an acceptable level of operation and continue their service benefiting employees, customers, and other stakeholders.

computer crimes

disaster

emergency management

information technology disaster recovery

Databases and Information Systems

'This Would Be Much Funner in Person': A Qualitative Grounded Theory Analysis of Cybergrooming

Gauz, Maurice Jason

01 May 2014

The rather novel phenomenon of cybergrooming, or the solicitation of minors for sex via the Internet, has yet to be fully explored. This is a problem because such predatory behavior can lead to psychological and/or physical abuse of minors. The present study seeks to fill this knowledge by performing a qualitative, grounded theory analysis of naturally-occurring cybergrooming discourse. Data were drawn from the website of the online watchdog group, Perverted Justice. The first 20 lines of talk transmitted by the adults in these chat conversations were sampled from 100 transcripts published by Perverted Justice.Multi-step coding, facilitated by the qualitative analysis software Atlas.ti, revealed 11 themes of social action that discursively emerged in at least 25% of said transcripts: (1) conversational openings; (2) initial solicitation of age, sex and/or location; (3) specific questions regarding 'child's' life; (4) follow-up topicalization of 'child's' location; (5) seeking visual images of 'child;' (6) complimenting 'child's' appearance; (7) soliciting topic for discussion; (8) explicitly sexual statements; (9) soliciting 'child's' age preference for sex/romance; (10) arranging further contact; and (11) disclosing personal activities. These themes are then explored in their own context, in relation to each other, and as elements of the broad behavioral framework of cybergrooming.

Discourse analysis

Internet and children

Computer crimes

Criminal methods

Discourse and Text Linguistics

Social Control, Law, Crime, and Deviance

The Response Of American Police Agencies To Digital Evidence

Yesilyurt, Hamdi

01 January 2011

Little is known about the variation in digital forensics practice in the United States as adopted by large local police agencies. This study investigated how environmental constraints, contextual factors, organizational complexity, and organizational control relate to the adoption of digital forensics practice. This study integrated 3 theoretical perspectives in organizational studies to guide the analysis of the relations: institutional theory, contingency theory, and adoption-of-innovation theory. Institutional theory was used to analyze the impact of environmental constraints on the adoption of innovation, and contingency theory was used to examine the impacts of organizational control on the adoption of innovation. Adoption of innovation theory was employed to describe the degree to which digital forensics practice has been adopted by large municipal police agencies having 100 or more sworn police officers. The data set was assembled primarily by using Law Enforcement Management and Administrative Statistics (LEMAS) 2003 and 1999. Dr. Edward Maguire`s survey was used to obtain 1 variable. The joining up of the data set to construct the sample resulted in 345 large local police agencies. The descriptive results on the degree of adoption of digital forensics practice indicate that 37.7% of large local police agencies have dedicated personnel to address digital evidence, 32.8% of police agencies address digital evidence but do not have dedicated personnel, and only 24.3% of police agencies have a specialized unit with full-time personnel to address digital evidence. About 5% of local police agencies do nothing to address digital evidence in any circumstance. These descriptive statistics indicate that digital evidence is a matter of concern for most large local police agencies and that they respond to varying degrees to digital evidence at iv the organizational level. Agencies that have not adopted digital forensics practice are in the minority. The structural equation model was used to test the hypothesized relations, easing the rigorous analysis of relations between latent constructs and several indicator variables. Environmental constraints have the largest impact on the adoption of innovation, exerting a positive influence. No statistically significant relation was found between organizational control and adoption of digital forensic practice. Contextual factors (task scope and personnel size) positively influence the adoption of digital forensics. Structural control factors, including administrative weight and formalization, have no significant influence on the adoption of innovation. The conclusions of the study are as follows. Police agencies adopt digital forensics practice primarily by relying on environmental constraints. Police agencies exposed to higher environmental constraints are more frequently expected to adopt digital forensics practice. Because organizational control of police agencies is not significantly related to digital forensics practice adoption, police agencies do not take their organizational control extensively into consideration when they consider adopting digital forensics practice. The positive influence of task scope and size on digital forensics practice adoption was expected. The extent of task scope and the number of personnel indicate a higher capacity for police agencies to adopt digital forensics practice. Administrative weight and formalization do not influence the adoption of digital forensics practice. Therefore, structural control and coordination are not important for large local police agencies to adopt digital forensics practice. v The results of the study indicate that the adoption of digital forensics practice is based primarily on environmental constraints. Therefore, more drastic impacts on digital forensics practice should be expected from local police agencies’ environments than from internal organizational factors. Researchers investigating the influence of various factors on the adoption of digital forensics practice should further examine environmental variables. The unexpected results concerning the impact of administrative weight and formalization should be researched with broader considerations.

The Implications Of Virtual Environments In Digital Forensic Investigations

Patterson, Farrah M

01 January 2011

This research paper discusses the role of virtual environments in digital forensic investigations. With virtual environments becoming more prevalent as an analysis tool in digital forensic investigations, it’s becoming more important for digital forensic investigators to understand the limitation and strengths of virtual machines. The study aims to expose limitations within commercial closed source virtual machines and open source virtual machines. The study provides a brief overview of history digital forensic investigations and virtual environments, and concludes with an experiment with four common open and closed source virtual machines; the effects of the virtual machines on the host machine as well as the performance of the virtual machine itself. My findings discovered that while the open source tools provided more control and freedom to the operator, the closed source tools were more stable and consistent in their operation. The significance of these findings can be further researched by applying them in the context of exemplifying reliability of forensic techniques when presented as analysis tool used in litigation.

Computer crimes -- Investigation

Forensic sciences

Virtual computer systems

Computer Sciences

Engineering

Forensic Science and Technology

A Novel Distributed Denial-of-Service Detection Algorithm

Tsudama, Brett

01 June 2004

The applicability of implementing Ratio-based SYN Flood Detection (RSD) on a network processor is explored, and initial results are presented.

computer networks

computer security

computer crimes

prevention

Computer Sciences

Information Security

OS and Networks