Donkey On A Waffle
Rootkits and Digital Forensics
Mon, 28 Apr 2008 14:59

I have finally decided to release the paper I wrote last fall entitled "Survey of Rootkit Technologies and Their Impact on Digital Forensics". I was considering submitting the paper to a bunch of academic journals, but I just don't want to take the time right now. So I've just decided to make it available to anyone who is interested in downloading it. I've also included a slide deck that I used for a conference a month or so ago on the same topic. Here is the abstract:

A rootkit is code that is used by an attacker to keep the legitimate users and administrators of a system unaware of the code, and thus of the attacker's presence, on the compromised system. This paper will discuss the history of rootkits, specifically focusing on the evolution of the rootkit from the basic modification of system binaries to the cutting-edge research being conducted today. A discussion of each type of rootkit will be followed by an overview of rootkit detection techniques and how to know when a rootkit has been deployed. Finally, we will analyze the impact that rootkits have on the digital forensics process. From live-state evidence acquisition to using the rootkit data as a source of evidence itself, the impact on the digital forensic realm is important to understanding the potential pitfalls when conducting an incident response or presenting evidence in a court of law.

Please give me feedback via email or in the comments section if you find any errors or have any thoughts on the content.


Graduation Time
Mon, 28 Apr 2008 13:15

I will be graduating with a Master's degree in Computer Science/Information Security from James Madison University this Saturday. It's been a long and difficult 2.5 years, but I'm finally done and very happy with the program. I highly recommend it to anyone who is serious about the information security field. And to think... this is where it all started (notice the CODE that is on the screen).


Race to Zero
Mon, 28 Apr 2008 11:41

The Race To Zero contest at this year's Defcon conference is going to be very interesting. The public at large is generally not aware how easy it really is to obfuscate a piece of malware to the point that common anti-virus engines will not be able to detect it. The AV vendors are generally pissed off about this contest, however I'm not sure they have a legal leg to stand on (I'm no lawyer, so take this with a grain of salt).

One interesting comment in the PCWorld article above is:

"It will do more harm than good," said Paul Ferguson, a researcher with anti-virus vendor TrendMicro. "Responsible disclosure is one thing, but now actually encouraging people to do this as a contest is a little over the top."

If Paul is referring to the risk involved in demonstrating that AV solutions are not a panacea, I disagree with him completely. The real risk here isn't a contest that demonstrates how easy it is to bypass AV solutions; we already know how to do that, and we can do it VERY effectively. The real risk is the management of the new strains of virus that the contest is liable to produce. Working with malware in an unsafe environment is very dangerous, and we could see a deluge of new variants being publicly released into the wild stemming from this event. I'm sure Paul meant to say that handling the new strains would be the hard part... right, Paul? *cough* *cough*.

Anyhow, I'm half tempted to create a new binary obfuscation algorithm just for this contest and pwn the whole thing. Somehow I think my current employer wouldn't be too happy with me. Anyone want to team up?
