Daily Archives: May 5, 2005

Detecting Stealth Software

My blog content mole pointed me to this report which has just been released .

Detecting Stealth Software with Strider GhostBuster
Yi-Min Wang; Doug Beck; Binh Vo; Roussi Roussev; Chad Verbowski
February 2005

Stealth malware programs that silently infect enterprise and consumer machines are becoming a major threat to the future of the Internet. Resource hiding is a powerful stealth technique commonly used by malware to evade detection by computer users and anti-malware scanners. In this paper, we focus on a subclass of malware, termed “ghostware”, which hide files, configuration settings, processes, and loaded modules from the operating system’s query and enumeration Application Programming Interfaces (APIs). Instead of targeting individual stealth implementations, we describe a systematic framework for detecting multiple types of hidden resources by leveraging the hiding behavior as a detection mechanism. Specifically, we adopt a cross-view diff-based approach to ghostware detection by comparing a high-level infected scan with a low-level clean scan and alternatively comparing an inside-the-box infected scan with an outside-the-box clean scan. We describe the design and implementation of the Strider GhostBuster tool and demonstrate its efficiency and effectiveness in detecting resources hidden by real-world malware such as rootkits, Trojans, and key-loggers.

There are some evocative ghostware names arent there? Urbin, Mersting, Vanquish, Hacker (original eh?) Aphex, Defender and ProbotSE, Darkside and Synapsis (for UNIX and Linux) but it’s nice that AskStrider can sort out these guys hiding inside your machine.  Mind you, I’ve always known that there were scary things hiding in here, moving my files when I wanted them and making the PC misbehave.  I always thought that they were just gremlins – but GhostBuster (who ya gonna call?) gets rid of those too.

Have a read of the document – it’s interesting although a little bit intimidating, and it makes you realize how scarily clever these guys at Microsoft research are…


Restricting mail to a distribution group in exchange 2003

We recently created an email alias for the Industry Insiders forum and we were talking about whether to restrict inbound emails to the alias as we wanted to minimise any potential influx of spam.  The email alias is for Insiders to submit articles and biographies for inclusion on the forum and the TechNet web site.  So we had a look at how we could do this.  There’s a kb article detailing how to restrict the users who can send inbound internet mail to another user or distributon group in Exchange 2003.

We’ve left the setting empty of course so you can send us your articles for publishing.  If you’re interested in becoming an Insider have a look here, and find out what the Insiders do.   David and Jeremy have also included their pictures.  So I now know how to get images hosted somewhere in cyberspace, so send me your photo with your biography and article.  I’ve even managed to get a picture of me on my own blog so my fan can see my picture (thanks Dad…) 

Outlook command lines

Ewan sent me a mail the other day about all of the hidden stuff thats in Outlook that can be exposed using command lines. I had a browse around the site and found the crabby office lady, and the wonderful bit of Office Triva which will stay in my mind for ever now.

  • The Calendar ends on August 31, 4500.

From the “Why would you want this many” department:

  • The Places bar in Office 2003 can hold at least 150 places.
  • Each folder can have 128 views.
  • You can add 50 additional mailboxes to an Exchange profile.

Some people have too much time on their hands…