DOI: 10.5555/2093889.2093891 (research article, CASCON conference proceedings)

Spy vs. Spy: counter-intelligence methods for backtracking malicious intrusions

Published: 07 November 2011

Abstract

Advanced malicious software threats have become commonplace in cyberspace, with large-scale cyber threats exploiting consumer, corporate and government systems on a constant basis. Regardless of the target, once an attacker has successfully infiltrated a system, they will commonly deploy a backdoor to maintain persistent access as well as a rootkit to evade detection on the infected machine. If the attacked system has access to classified or sensitive material, virus eradication may not be the best response. Instead, a counter-intelligence operation may be initiated to track the infiltration back to its source. It is important that the counter-intelligence operations remain invisible to the infiltrator.
Rootkits can not only hide malware; they can also be used by defenders to hide their detection and analysis operations from the malware. This paper surveys the rootkit literature for techniques applicable to counter-intelligence operations.


Published In

CASCON '11: Proceedings of the 2011 Conference of the Center for Advanced Studies on Collaborative Research, November 2011, 422 pages. Publisher: IBM Corp., United States. Sponsors: IBM Canada Ltd. Laboratory Centre for Advanced Studies; IBM Canada.

Conference: CASCON '11, Center for Advanced Studies on Collaborative Research, November 7 - 10, 2011, Toronto, Ontario, Canada. Overall acceptance rate: 24 of 90 submissions, 27%.

      Contributors

      Other Metrics

      Bibliometrics & Citations

      Bibliometrics

      Article Metrics

      • Downloads (Last 12 months)8
      • Downloads (Last 6 weeks)1
      Reflects downloads up to 06 Jan 2025

      Other Metrics

      Citations

      Cited By

      View all

      View Options

      Login options

      View options

      PDF

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      Media

      Figures

      Other

      Tables

      Share

      Share

      Share this Publication link

      Share on social media