Spy vs. Spy: counter-intelligence methods for backtracking malicious intrusions

Authors:
Jason S. Alexander;Thomas Dean;Scott Knight
Affiliations:
Queen's University;Queen's University;Royal Military College
Venue:
Proceedings of the 2011 Conference of the Center for Advanced Studies on Collaborative Research
Year:
2011

Citing 10
Cited 0

When Virtual Is Better Than Real

HOTOS '01 Proceedings of the Eighth Workshop on Hot Topics in Operating Systems
Rootkits: Subverting the Windows Kernel

Rootkits: Subverting the Windows Kernel
Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server(TM) 2003, Windows XP, and Windows 2000 (Pro-Developer)

Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server(TM) 2003, Windows XP, and Windows 2000 (Pro-Developer)
Live forensics: diagnosing your system without killing it first

Communications of the ACM - Next-generation cyber forensics
Externally verifiable code execution

Communications of the ACM - Privacy and security in highly dynamic systems
SMM rootkits: a new breed of OS independent malware

Proceedings of the 4th international conference on Security and privacy in communication netowrks
Hypervisor support for identifying covertly executing binaries

SS'08 Proceedings of the 17th conference on Security symposium
The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System

The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
Walowdac - Analysis of a Peer-to-Peer Botnet

EC2ND '09 Proceedings of the 2009 European Conference on Computer Network Defense
Compromise through USB-based Hardware Trojan Horse device

Future Generation Computer Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Advanced malicious software threats have become commonplace in cyberspace, with large scale cyber threats exploiting consumer, corporate and government systems on a constant basis. Regardless of the target, upon successful infiltration into a target system an attacker will commonly deploy a backdoor to maintain persistent access as well as a rootkit to evade detection on the infected machine. If the attacked system has access to classified or sensitive material, virus eradication may not be the best response. Instead, a counter-intelligence operation may be initiated to track the infiltration back to its source. It is important that the counter-intelligence operations are not visible to the infiltrator. Rootkits can not only hide the malware, they can also be used to hide the detection and analysis operations by the defenders from the malware. This paper surveys the rootkit literature for their applicability to counter-intelligence operations.