Subject: Re: IDS: Malicious Behaviour Analysis
From: Grace Reyes (gracereyespacific.net.ph)
Date: Tue Jan 08 1980 - 00:44:28 CST


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
-----------------------------------------------------------------------------
Dear Mr. Schultz,

Thank you for responding.

>can you describe what is in particular that you are interested in?

Actually, it is really great that you have research on malicious binaries,
which correlates with my research too, because my thesis deals with the
analysis of malicious behaviour (trojan horse). It would analyse and test the
program (i.e. an executable application, say "file.exe") against security
flaws, as follows:

Phase 1: Analysis of programs
    - this is going to be a tool that will analyze programs running in,
      say, a UNIX or WinNT environment
    - the tool will test the program (file.exe) and enumerate what it
      would do (i.e. update, delete, copy, send mail, update registry,
      etc. etc.)

Phase 2: Analyze the Malicious Behaviour

    2.1 Analyze Trojan Horse (How to detect?)
        - this portion will have to analyze whether the program responded
          with normal or malicious behavior (say... the file.exe is 80%
          trojan horse).
        - Also it would analyze whether the program has violated the
          documented specs, as far as the user's knowledge of the internal
          process versus the author's (vendor's) specification is concerned.

    2.2 Testing possible Virus (checking/probability)
        - this will test and analyze the program for a possible virus
          threat, for instance (the file.exe is 75% suspected virus).

    (INCORPORATE INTRUSION DETECTION IN ANALYSIS TOOL - for further work)
    2.3 Intrusion
        - integrate this feature soon, but this is optional at the moment

It would be great if you could send your technical links, references and
algorithms on the above-mentioned. Also, if you don't mind: actually I don't
know where to start on how to achieve the solution (algorithm/implementation)
for PHASE 2.1 TROJAN HORSE. I had a bit of an idea, but that's purely
guessing; if you could give me some help on this I would surely be thankful
to you. I guess thousands of compliments would not be enough.

Thank you and hope to hear from you soon.

Sincerely,

Grace Reyes

Note:

I'd like to thank you guys out there for any possible comments, help,
ideas, criticism, etc. etc.; all very much welcome!

> hey -

>i do research in malicious binaries, et al. we are more in the machine
>learning aspect. i found that

>http://www.av.ibm.com

>is a great source for commercial stuff. it'll help you get started to
>read their stuff. it's somewhat obfuscated b/c it's commercial but you
>can start to get a grip on it there.

>there are a couple of things that i can link you to but that's as good
>of a place to start as any. i am going to do some work today to
>consolidate some links and i'll send them your way. can you
>describe what is in particular that you are interested in?

>thanks
>M
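As an added illustration of Phase 1 (enumerating what a program does) and Phase 2.1 (checking observed behaviour against the vendor's documented spec) from the message above, here is a toy script that is not part of the original post or of any tool it mentions. It assumes a hypothetical trace format of one `api=... target=...` line per monitored API call; the trace lines, the API-to-behaviour map and the "declared" spec are all constructed for the example.

```python
"""Toy behaviour enumeration and spec-violation check (added example)."""
import re

# Constructed sample trace of a monitored program, in a hypothetical
# "api=<name> target=<path>" format (not the output of any real tool).
TRACE = """\
api=CreateFile target=C:\\data\\report.doc
api=WriteFile target=C:\\data\\report.doc
api=RegSetValue target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd
api=SendMail target=smtp://mail.example.invalid
api=CopyFile target=C:\\Windows\\System32\\upd.exe
api=DeleteFile target=C:\\data\\report.doc
"""

# Map raw API names to the coarse behaviours the proposal enumerates
# (update, delete, copy, send mail, update registry). Constructed mapping.
BEHAVIOUR_OF = {
    "CreateFile": "update", "WriteFile": "update", "DeleteFile": "delete",
    "CopyFile": "copy", "SendMail": "send mail", "RegSetValue": "update registry",
}

LINE_RE = re.compile(r"api=(\w+) target=(\S+)")

def enumerate_behaviours(trace):
    """Phase 1: the set of coarse behaviours observed in the trace."""
    return {BEHAVIOUR_OF.get(m.group(1), "other") for m in LINE_RE.finditer(trace)}

def spec_violations(observed, declared):
    """Phase 2.1: behaviours performed but not documented by the vendor spec.
    Each undocumented behaviour is a candidate indicator, not a verdict."""
    return sorted(observed - set(declared))

def suspicion_score(observed, declared):
    """Fraction of observed behaviours the spec does not cover (0.0 .. 1.0).
    Assumption for the example: every undocumented behaviour weighs equally."""
    if not observed:
        return 0.0
    return len(spec_violations(observed, declared)) / len(observed)

if __name__ == "__main__":
    # Constructed vendor spec: the program is documented only to edit documents.
    declared = ["update", "delete"]
    seen = enumerate_behaviours(TRACE)
    print("observed:", sorted(seen))
    print("undocumented:", spec_violations(seen, declared))
    print(f"suspicion: {suspicion_score(seen, declared):.0%}")
```

The score is only the "percentage" style of result the proposal sketches; a real tool would weight behaviours (a Run-key write is not the same as a document edit) and treat the trace as one input among several.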