funsec mailing list archives

Re: The Rise of Anti-Forensics


From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rMslade () shaw ca>
Date: Fri, 13 Jul 2007 17:08:20 -0800

Date sent:              Fri, 13 Jul 2007 02:54:55 +0000 (GMT)
From:                   Paul Ferguson <fergdawg () netzero net>

The hacker's focus has shifted too, from developing destructive payloads to
circumventing detection. Now, for every tool forensic investigators have
come to rely on to discover and prosecute electronic crimes, criminals have a
corresponding tool to baffle the investigation.

This is antiforensics. It is more than technology. It is an approach to
criminal hacking that can be summed up like this: Make it hard for them to
find you and impossible for them to prove they found you.

Sorry, can't get excited about it.  I've seen it: it's been around forever.  (It was a bit 
of a theme of my presentation to ISOI 2.)  The first "stealth" virus was Brain, in 
1986.  The first polymorphic virus was 1987.  In 1991 the code used to turn off 
CPAV (and MSAV) was so prevalent that "the 14 bytes of code" was used as a kind 
of generic virus signature.  We dealt with it then, and we'll deal with it now.  

In fact, we eventually found that the extra code put into viruses for various forms 
of antidetection made for larger programs and more opportunities for glitches (as 
if there weren't enough in viruses anyway).  So let the blackhats knock themselves 
out with antiforensics.  Makes the target bigger for us.

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
The drop of rain maketh a hole in the stone, not by violence, but
by oft falling.                                    - Hugh Latimer
Agua mole com pedra dura tanto da ate que fura.
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
