'Suicidal' malware threatens corporate secrets: Cybertrust

The latest threat to intellectual property comes in the shape of malicious software (malware) that is capable of infecting a computer, hiding itself until the user accesses specific files or Web sites -- in order to steal files or passwords -- and then deleting any trace of itself.

Speaking at the IT Security in Government Conference in Canberra on Friday, Brian Denehy, security assurance engineer at CyberTrust, told delegates that the vast majority of new malware uses "some type of stealth" or anti-forensic technology in an attempt to remain undetected before, during and after an attack.

According to Denehy, the techniques used include not only "the obvious ones", such as encryption and rootkits, but also "compression bombs" -- compressed files that try to make life difficult for forensic tools by attempting to expand to an infinite size when decompressed.
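A defender's check for the compression-bomb case, added here as an example rather than taken from the article: it reads the declared sizes in the zip central directory before inflating anything, then inflates with a hard byte budget because declared sizes can be forged. The sample archive, the budget and the ratio threshold are constructed for illustration.

```python
import io
import zipfile

# Hypothetical limits a forensic tool might apply before expanding an archive.
MAX_TOTAL_UNCOMPRESSED = 100 * 1024 * 1024  # 100 MiB declared total
MAX_RATIO = 100                              # per-entry expansion ratio


def build_sample_zip(size: int = 4 * 1024 * 1024) -> bytes:
    """Constructed sample: one entry of 4 MiB of zero bytes, which deflate
    shrinks by roughly 1000:1. Built here only to exercise the checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\x00" * size)
    return buf.getvalue()


def inspect_zip(data: bytes, max_total=MAX_TOTAL_UNCOMPRESSED,
                max_ratio=MAX_RATIO) -> dict:
    """Read central-directory metadata without inflating any entry.
    Returns the declared total and a list of reasons to refuse the archive."""
    reasons = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            # compress_size is 0 for empty entries; avoid dividing by zero.
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > max_ratio:
                reasons.append(f"{info.filename}: ratio {ratio:.0f}:1 exceeds {max_ratio}:1")
    if total > max_total:
        reasons.append(f"declared total {total} bytes exceeds budget {max_total}")
    return {"declared_total": total, "reasons": reasons}


def inflate_with_cap(data: bytes, name: str, cap: int, chunk: int = 65536) -> int:
    """Inflate one entry in chunks, counting bytes actually produced instead
    of trusting the header. Raises ValueError as soon as the cap is passed."""
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return produced
            produced += len(block)
            if produced > cap:
                raise ValueError(f"{name}: inflated output exceeded {cap} bytes; aborting")
```

Run the header check first and only inflate entries that pass it; the chunked cap is the backstop for archives whose headers lie.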

"Generally these techniques are seen in about 65 percent of all forensic investigation these days.

"Some just do a complete wipe on the disk -- equivalent to a low level format -- to make sure that some of the remnant magnetisation is not left behind. Most of you may well appreciate that just writing on a hard disk still leaves evidence there that can be recovered with the right tools.

"People also use the slack space at the end of files or introduce extras in the bad sectors list to hide their data ... it makes life more difficult," said Denehy.

When conducting investigations, Denehy always hopes that the hackers involved have not used these techniques. "It is pleasing to find an inexperienced hacker that has not used these things and has made it easy to analyse," he said.


Talkback (1 comment)

    Read more, talk less -- Tamas Rudnai -- 28/07/06 (in reply to #120139165)

    All these techniques were widely used in the early '90s. The reason why they do not use the bad-sector technique anymore varies from the more complex filesystem (FAT is far easier to follow and hack than NTFS) to the fact that antivirus software deals with such a technique very easily, and it is not even a challenge to get it detected by a simple heuristic trick. Behaviour blocking could also prevent such a parasite from infecting the protected system, so the lifetime of a modern reincarnation of such badware would have been very short.

    Finally: researchers never talk about what would be the best technique for spreading or being undetected, as it is a kind of advice to the bad guys, so I just do not know what to say about this article.
