funsec mailing list archives

Re: The Rise of Anti-Forensics


From: Gadi Evron <ge () linuxbox org>
Date: Fri, 13 Jul 2007 20:54:54 -0500 (CDT)

On Fri, 13 Jul 2007, Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:
Date sent:              Fri, 13 Jul 2007 02:54:55 +0000 (GMT)
From:                   Paul Ferguson <fergdawg () netzero net>

The hacker’s focus has shifted too, from developing destructive payloads to
circumventing detection. Now, for every tool forensic investigators have
come to rely on to discover and prosecute electronic crimes, criminals have a
corresponding tool to baffle the investigation.

This is antiforensics. It is more than technology. It is an approach to
criminal hacking that can be summed up like this: Make it hard for them to
find you and impossible for them to prove they found you.

Sorry, can't get excited about it.  I've seen it: it's been around forever.  (It was a bit
of a theme of my presentation to ISOI 2.)  The first "stealth" virus was Brain, in
1986.  The first polymorphic virus was 1987.  In 1991 the code used to turn off
CPAV (and MSAV) was so prevalent that "the 14 bytes of code" was used as a kind
of generic virus signature.  We dealt with it then, and we'll deal with it now.

In fact, we eventually found that the extra code put into viruses for various forms
of antidetection made for larger programs and more opportunities for glitches (as
if there weren't enough in viruses anyway).  So let the blackhats knock themselves
out with antiforensics.  Makes the target bigger for us.

Words of wisdom. My first sentiment was: "so?" I mean, anyone remember back when the best effort would be deleting logs? :)

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
The drop of rain maketh a hole in the stone, not by violence, but
by oft falling.                                    - Hugh Latimer
Agua mole com pedra dura tanto da ate que fura.
Dictionary of Information Security  www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
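The "14 bytes of code" point above, that an anti-detection routine shared across many samples turns into a generic signature, as an added Python example that is not part of the original thread. It is a toy wildcard-byte signature scanner run over constructed sample blobs; the signature bytes and the samples are made up for illustration and are not the real CPAV/MSAV-disabling code, and the names `parse_signature`, `find_signature`, `scan`, `SIGNATURES` and `SAMPLES` are this example's own.

```python
"""Toy generic-signature scanner (added example, constructed data).

Two 'variants' below differ in their payload and in a few immediate
operands, but both carry the same anti-detection stub. A single
signature with wildcard bytes therefore catches both, while a clean
sample that merely starts with the same opcode is not flagged.
"""
from typing import Dict, List, Optional, Sequence, Tuple

# A signature is a list of bytes; None is a wildcard matching any byte.
Pattern = Sequence[Optional[int]]


def parse_signature(text: str) -> List[Optional[int]]:
    """Parse a 'B8 ?? ?? 00' style hex string; '??' matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_signature(data: bytes, pat: Pattern) -> int:
    """Return the first offset at which pat matches data, or -1."""
    n = len(pat)
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pat)):
            return off
    return -1


def scan(samples: Dict[str, bytes],
         sigs: Dict[str, Pattern]) -> Dict[str, List[Tuple[str, int]]]:
    """Map each sample name to the list of (signature name, offset) hits."""
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for name, blob in samples.items():
        hits[name] = []
        for sig_name, pat in sigs.items():
            off = find_signature(blob, pat)
            if off >= 0:
                hits[name].append((sig_name, off))
    return hits


# Constructed 14-byte signature shaped like a DOS-era "is a resident
# scanner installed?" probe (mov ax,imm16 / int 2Fh / cmp al,0 / jne /
# call). The operands vary per variant, so they are wildcarded.
SIGNATURES: Dict[str, Pattern] = {
    "antidetect_stub": parse_signature(
        "B8 ?? ?? 00 00 CD 2F 3C 00 75 ?? E8 ?? ??"),
}

# Constructed samples: same stub, different operands and payloads.
_stub_v1 = bytes.fromhex("B8014B0000CD2F3C007512E83412")
_stub_v2 = bytes.fromhex("B8024B0000CD2F3C007507E89001")
_benign = bytes.fromhex("B8004CCD21909090909090909090")  # mov ax / int 21h

SAMPLES: Dict[str, bytes] = {
    "variant_a": b"\x90" * 7 + _stub_v1 + b"payload-A",
    "variant_b": b"\xeb\x05" + b"\x00" * 5 + _stub_v2 + b"payload-B",
    "clean_tool": b"MZ" + _benign,
}


if __name__ == "__main__":
    for sample, found in scan(SAMPLES, SIGNATURES).items():
        print(f"{sample:11s} -> {found or 'no hit'}")
```

Both variants are reported at offset 7 and the clean sample is not flagged, which is the defender's side of the thread's argument: the more anti-detection code every sample shares, the more of it is available to match on.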

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.