Archive for the ‘Research’ Category

Tools of the trade

June 16th, 2008

Security researchers have different backgrounds: some of them are very technical, while others have a more abstract knowledge of things. I’m somewhere in between. I actually graduated with a Masters in Business Administration with a specialisation in Information Technology. Let me tell you that there were certain courses I hated (accounting, law…), but overall, when I look back at it, I’m glad to have that background, because it made me familiar with many things rather than just one, such as programming.

There is one thing that I really like about doing malware research, other than the fact of seeing cool or scary stuff. I like the search and research aspect of it. More and more we are in a world where it’s all about information and of course technology. The thing is, technology has made information so much more accessible than ever before: in actuality we are swamped with data. That’s where the strength of Information Systems lies, which brings us back to malware research.

A year ago or so, I got interested in aggregating malware in an automated way. I had a basic understanding of the current threats and it seemed clear that most of them come from the web. Around the same time I had heard about the Google Stopbadware project which listed infected websites. I spent hours browsing those infected URLs, looking at their content… The result was simple: browsing with an unpatched browser was a sure way to get infected.

I started from scratch by building some batch scripts to do very simple things. I sure got some laughs when I showed I was writing 80’s technology batch scripts. But like I said earlier, the technical aspect doesn’t interest me as much as finding a concept that works.

The results were successful. It got me into reading more technical documentation, and it was at that point I realized I had built what experts call a Honeypot: an information system (or, more simply, a trap) that attracts unauthorized attempts to exploit a system. Honeypots are a fascinating study. There is so much you can do with them, whether it is to protect your company or to be more proactive and capture malware.

After many different versions of my earlier work I decided to get some skilled programmer’s help and make a robust program. Today, the Honeypot has the following features:

• Real end-user environment (no Virtual Machine)
• Scalable system to process large volumes of URLs
• Detection of infected web-sites in real time
• Identification of malware hosts
• Active shield for system integrity

There is not one recipe to collect malware. People use different tools and technologies and allocate the resources they have. That’s the exciting thing: you can always come up with an idea that will definitely make a difference.


JSegura


© 2008 ParetoLogic Inc.