Greg Hoglund speaks to Help-Net Security
By Hugo Jean, Heptacube Inc.
security
2010-03-01 12:49:39

Help-Net Security recently published an interview with Greg Hoglund, CEO and Founder of HBGary, in which he speaks of the challenges and implications of malware analysis.
Before HBGary, Greg Hoglund founded rootkit.com after creating and documenting the first Windows NT-based rootkit, and he also co-founded Cenzic. He shared his thoughts on malware analysis with Help-Net Security in an interview published today.

According to the SANS Institute, malware analysis can be done as static (code) analysis or dynamic (behavioral) analysis. The goal is to better understand the inner workings of malware in order to find and counter it more efficiently. Hoglund maintains that, besides understanding the malware itself, "one of the greatest challenges" of malware analysis is "figuring out not only who wrote the malware, but also who bought and paid for it, and who is operating it." As with conventional crime, malware will not stop until its authors are found and their activities put to an end.

Another issue is that malware authors are continuously "trying to hide from or completely subvert most analysis tools and security countermeasures", according to Hoglund. The result is that traditional signature-based anti-virus and anti-malware tools "are not well suited for combating the ever-exploding list of daily new malware variants." Modern malware calls for modern techniques, so we need to develop ways to analyse it effectively in order to protect our systems. Moreover, Hoglund mentions the popular "30-day free trials" of security products, which are somewhat necessary but unfortunately also give attackers the opportunity to "tweak their malware until it's completely undetectable" by those programs.

On upcoming threats, Hoglund notes that a lot of money is involved in the making and distribution of malware. As newer computer technology emerges, new malware appears to take advantage of it; that is pretty much inevitable. He also notes the now widespread use of USB thumb-drive-infecting malware and "newer forms of BIOS-infecting malware [...] that can even survive 100% wipe and reinstallation of the operating system." Malware is expected to target any and all layers of computing technology.

The interview then turns to virtualization and how it helps malware researchers. Hoglund explains that there were previously two ways to research malware: by looking at its code to see what it was made for, or by letting it infect a machine and observing what happened. With virtualization technology that allows a full, virtual Windows environment to be run, researchers can now "collect data on a REAL, RUNNING copy of the suspected malware package" without the risks associated with infecting a physical machine.

Another question in the interview concerned targeted attacks and social networking Web sites. The founder of HBGary took the example of LinkedIn, where you can "find 375 nuclear physicists who have worked at Lawrence Livermore National Lab." Attackers can use such Web sites to mount targeted attacks against precise groups of people from whom they know they can obtain important or valuable information. Keeping one's OS and browser updated and patched is recommended to prevent this kind of attack more effectively.

Finally, Hoglund of course recommends his firm's Responder product, which is used by a number of American government agencies, for malware analysis. He also points to low-cost and free tools such as VMware's ESXi freeware, Microsoft's "windbg" debugger and others.

Tags
HBGary LinkedIn malware Microsoft SANS virtualization VMWare Windows 