Submitted by: rockrrr
Category: Science and Technology
Date Submitted: 04/22/2013 02:13 PM
Security often involves synthesizing tidbits of information from many disparate sources
in order to form an accurate picture of what has happened. My team once responded
to a report that desktop computers at a biomedical corporation were crashing, with
their hard drives erased, apparently, by a virus that circumvented the company’s anti-virus protections.
While examining an affected PC, we noticed that a few processes were still running—
thanks to the fact that the operating system generally won’t allow the deletion of files
that are in use. Among these processes were several instances of svchost.exe. Closer
examination revealed that one of these had the same name as the legitimate Windows
executable, but was in fact an impostor: a saboteur was at work.
Using a disassembler, we determined that, every minute, the Trojan checked a
folder on a server for the presence of a command file, whose contents it would execute. We built a program to monitor that directory and archive copies of any files
that appeared; our program also recorded the user account that put the file there,
and the name of the system from which this was done.
The account had domain administrator privileges, and this led us to examine the
domain’s login scripts, where we found the code that installed the Trojan on users’
workstations. We wrote a second program to record the MAC address of the system
when it registered its name with the DHCP server, and inspect the ARP tables from
the network’s switches in order to find the physical port to which it was connected.
Then, with a building wiring diagram, we were able to track the culprit to a specific
cubicle.
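The investigation above joins three separate records: the command-file drop (which account, from which host), the DHCP registration (which MAC that host used), and the switch tables (which port that MAC was learned on). The script below is an added illustration of that correlation and is not code from the essay or its author; every input (the audit-log format, the lease-log format, the hostnames, MAC addresses, switch names, port names and the uplink-port list) is constructed for the example. It also handles two details a practitioner hits in practice: DHCP servers and switches print MACs in different notations, and a host's MAC shows up on every switch's uplink port between it and the core, so uplinks must be excluded before a port is treated as the physical location.

```python
import re

# --- constructed sample inputs (not from the original essay) ---

# Records a hypothetical directory monitor writes when a command file appears:
# which account placed it and from which machine.
DROP_AUDIT = """\
2013-04-22T02:13:05 file=run.cmd account=CORP\\svc_backup host=WS-117
2013-04-22T02:14:05 file=run.cmd account=CORP\\svc_backup host=WS-117
2013-04-22T09:30:44 file=notes.txt account=CORP\\jdoe host=WS-042
"""

# Hypothetical DHCP lease log: hostname registered against a MAC, colon notation.
DHCP_LEASES = """\
2013-04-22T02:01:12 lease 10.1.5.23 mac 00:1a:2b:3c:4d:5e host WS-117
2013-04-22T02:05:40 lease 10.1.5.77 mac 00:1a:2b:3c:4d:99 host WS-042
2013-04-22T08:00:00 lease 10.1.5.23 mac 00:1a:2b:3c:4d:5e host WS-117
"""

# MAC address tables from two constructed switches, in a Cisco-like layout that
# prints MACs as dotted hex triplets.  WS-117's MAC appears on sw-floor3 only
# because Gi1/0/48 is the uplink toward sw-floor2; that port is not its location.
SWITCH_TABLES = {
    "sw-floor2": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001a.2b3c.4d5e    DYNAMIC     Gi1/0/17
  10    001a.2b3c.4d99    DYNAMIC     Gi1/0/3
""",
    "sw-floor3": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    001a.2b3c.4d5e    DYNAMIC     Gi1/0/48
""",
}
UPLINK_PORTS = {("sw-floor3", "Gi1/0/48")}  # constructed; from the wiring diagram


def normalize_mac(raw):
    """Reduce any common MAC notation (aa:bb:.., aa-bb-.., aabb.ccdd..) to aa:bb:.. lower-case."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_drop_audit(text):
    """Parse the monitor's audit lines into dicts of ts/file/account/host."""
    pat = re.compile(r"^(\S+) file=(\S+) account=(\S+) host=(\S+)$")
    rows = []
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            ts, fname, account, host = m.groups()
            rows.append({"ts": ts, "file": fname, "account": account, "host": host})
    return rows


def parse_dhcp_leases(text):
    """Return hostname -> MAC, keeping the most recent lease seen for each host."""
    pat = re.compile(r"^(\S+) lease (\S+) mac (\S+) host (\S+)$")
    leases = {}
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            _ts, _ip, mac, host = m.groups()
            leases[host.upper()] = normalize_mac(mac)  # later lines overwrite earlier ones
    return leases


def parse_switch_table(text):
    """Return MAC -> port from a MAC-address-table dump; header lines do not match."""
    pat = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.:-]+)\s+\S+\s+(\S+)\s*$")
    entries = {}
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            _vlan, mac, port = m.groups()
            entries[normalize_mac(mac)] = port
    return entries


def locate_mac(mac, switch_tables, uplink_ports):
    """List (switch, port) pairs where the MAC was learned, excluding known uplinks."""
    hits = []
    for switch, dump in switch_tables.items():
        port = parse_switch_table(dump).get(mac)
        if port and (switch, port) not in uplink_ports:
            hits.append((switch, port))
    return hits


def trace_command_file_drops(audit_text, dhcp_text, switch_tables, uplink_ports):
    """For each host that dropped a file: accounts used, files, MAC, and access port(s)."""
    leases = parse_dhcp_leases(dhcp_text)
    results = {}
    for row in parse_drop_audit(audit_text):
        host = row["host"].upper()
        mac = leases.get(host)  # None when the host never registered with DHCP
        entry = results.setdefault(host, {"accounts": set(), "files": set(), "mac": mac, "ports": []})
        entry["accounts"].add(row["account"])
        entry["files"].add(row["file"])
        if mac:
            entry["ports"] = locate_mac(mac, switch_tables, uplink_ports)
    return results


if __name__ == "__main__":
    for host, info in trace_command_file_drops(DROP_AUDIT, DHCP_LEASES, SWITCH_TABLES, UPLINK_PORTS).items():
        print(host, info["mac"], sorted(info["accounts"]), info["ports"])
```

A host whose MAC resolves to more than one non-uplink port usually means the uplink list is incomplete or the MAC moved between table snapshots; in that case the timestamps on the table dumps, not the script, decide which port was current when the file was dropped.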
Finding the source of this problem involved knowledge about network infrastructure, operating systems, administration techniques, programming, and reverse-engineering. This is an extreme example, to be sure, but real-world security problems
seldom confine themselves to a single technical area of specialization.