SANS InfoSec Reading Room - Malicious Code

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

Featuring 93 papers as of Jun 19, 2013

Using IOC (Indicators of Compromise) in Malware Forensics

By: Hun-Ya Lock (posted on April 22, 2013)

In the IT operations of an enterprise, malware forensics is often used to support the investigations of incidents.

Attributes of Malicious Files

By: Joel Yonts (posted on July 6, 2012)

One of the most challenging questions that an incident responder must answer is whether a particular file is malicious or benign.

Detailed Analysis Of Sykipot (Smartcard Proxy Variant)

By: Rong Hwa Chong (posted on April 16, 2012)

According to Symantec, Sykipot has been used in targeted attacks for the past few years since 2006 (Thakur, 2011).

The User Agent Field: Analyzing and Detecting the Abnormal or Malicious in your Organization

By: Darren Manners (posted on February 7, 2012)

In the early days of the Internet, users had to type in text commands to navigate. Tools were later developed, E.g. early browsers, to be the "user's agent" so that commands did not have to be typed in to navigate -­‐ the user could simply click to navigate.

A Detailed Analysis of an Advanced Persistent Threat Malware

By: Frankie Fu Kay Li (posted on October 14, 2011)

Spear-phishing emails were sent to a political figure at my place of residence. An email, including the attached sample was provided for forensics analysis. This email contained obviously well crafted message to lure the recipient to open the malicious attachment. It was predicted as an Advanced Persistent Threat attack (APT-attack).

Mitigating Browser Based Exploits through Behavior Based Defenses and Hardware Virtualization

By: Joseph Faust (posted on October 7, 2011)

There does not seem to be a day or week that goes by that one does not encounter a headline story about an organization being compromised and infiltrated by attackers.

Dissecting Andro Malware

By: Joel Varghese (posted on September 7, 2011)

Reverse Engineering on malware analysis is a process which is used on malware in order to understand its operation, code structure and its functionality. This project aims to understand the operation of a malware and investigate the parameters, code and structure which is created or modified by the malicious software. In response to this objective a virtual lab was created to analyse the malicious software. A new variant of "DroidKungFu" was analised named "DroidKungfu-2 A" which infected Android platform. After the Code analysis we understood the malicious piece of code which was embedded along with the original code. The services, activity that gets started and the mobile information which is sent to the remote servers. Once the malware gets the root access of the victim machine it can even damage the system.

Identifying Malicious Code Infections Out of Network

By: Ken Dunham (posted on August 29, 2011)

Forensics is a complex subject, where details matter greatly. Even more complicated are investigations where forensic methods are used to further understand, identify, capture, and mature and understanding of a malicious attack that may have taken place on a computer.

BYOB: Build Your Own Botnet

By: Francois Begin (posted on August 17, 2011)

A recent report on botnet threats (Dhamballa, 2010) provides a sobering read for any security professional. According to its authors, the number of computers that fell victim to botnets grew at the rate of 8%/week in 2010, which translates to more than a six-fold increase over the course of the year.

An Overview Of The Casper RFI Bot

By: Dan O'Connor (posted on June 20, 2011)

On July 8th 2010 Emerging Threats added signatures for a remote file inclusion scanner with a user agent containing either "MaMa CaSpEr" or "Casper Bot Search".

Mass SQL Injection for Malware Distribution

By: Larry Wichman (posted on April 28, 2011)

Cybercriminals have made alarming improvements to their infrastructure over the last few years. One reason for this expansion is thousands of websites vulnerable to SQL injection. Malicious code writers have exploited these vulnerabilities to distribute malware.

Malcode Context of API Abuse

By: Ken Dunham (posted on April 4, 2011)

Tracking Malware With Public Proxy Lists

By: James Powers (posted on January 27, 2011)

The Web was born on Christmas Day, 1990 when the CERN Web server (CERN httpd 1.0) went online. By version 2.0, released in 1993, CERN httpd, was also capable of performing as an application gateway. By 1994, content caching was added. With the publication of RFC 1945 two years later, proxy capabilities were forever embedded into the HTTP specification (Berners-Lee, Fielding, & Frystyk, 1996).

Malicious Android Applications: Risks and Exploitation

By: Joany Boutet (posted on December 22, 2010)

Android is an open-source mobile operating system, based upon a modified version of the Linux kernel, initially developed by Android Inc., a firm purchased by Google in 2005. A Gartner study released on November 2010 outlined that Android has become the second-most popular OS in the world (Gartner, 11/2010). The growth of Android has exceeded their previous study, released last year, in which they had predicted that Android will be the No.2 worldwide mobile operating system in 2012 (The H, 08/10/2009). According to another Gartner study (Gartner, 08/2010)., there will be only a slight difference between Symbian and Android market share in 2014: 30.2% for Symbian against 29.6% for Android.

Analysis of a Simple HTTP Bot

By: Daryl Ashley (posted on December 20, 2010)

The purpose of this paper is to describe how static code analysis was used to gain insight into the functionality of a simple HTTP Bot. Certain tools can be used to analyze what a piece of malware has done to an infected system. For example, Regshot can be used to determine what registry changes have been made after a malware specimen has been executed on a test system (Zeltser, 2009b). The tcpdump command can be used to detect network activity that occurs after the malware has been used to infect a host (Northcutt, 2001).

Building a Malware Zoo

By: Joel Yonts (posted on December 1, 2010)

In today’s highly connected Internet age, we have seen an overwhelming flood of new malware. According to a report published by McAfee (Marcus, Greve, Masiello, & Scharoun, 2009), over 12 million new pieces of malware were discovered in the first three quarters of 2009. This rate of thousands of new samples per day has exceeded our ability to manually analyze and catalog these threats. Additionally, maintaining a comprehensive library of samples and supporting analysis artifacts has created an information organization nightmare.

Getting Owned By Malicious PDF - Analysis

By: Mahmud Ab Rahman (posted on August 30, 2010)

The last two years was not so good for Adobe Acrobat Reader users especially for those using versions prior to version 9. Core Security had released the advisory to address about util.printf stack buffer overflow vulnerability on Adobe Acrobat Reader with CVE tag CVE-2008-2992 (CoreSecurity, 2008). An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crashing the application, denying service to the legitimate user. More information on this vulnerability can be obtained by reading a paper on the vulnerability and exploitation analysis written by a CoreSecurity researcher via this link http://www.coresecurity.com/content/adobe-reader-buffer-overflow.

Packer Analysis Report-Debugging and unpacking the NsPack 3.4 and 3.7 packer.

By: Craig Wright (posted on August 24, 2010)

Clash of the Titans: ZeuS v SpyEye

By: Harshit Nayyar (posted on June 16, 2010)

The stage, it seems, is set for an epic battle between two of the most dangerous fighters in the nefarious world of malware. In one corner: ZeuS, undoubtedly the reigning champion of Banking Trojans, so much so, that the distinction of “king” has often been used to describe it (Falliere & Chien, 2009). In the other corner: SpyEye, a relatively new, but at the same time worthy, challenger, posing to dethrone ZeuS. This paper documents a part of this budding and dynamic battle as it unfolds – so dynamic in fact, that within the time it took to write this paper, both crimeware kits had already moved on to their next releases, implementing some serious licensing and anti-reversing measures (Krebs, 2010).

Utilizing "AutoRuns" To Catch Malware

By: Jim McMillan (posted on June 3, 2010)

“Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do”. (Skoudis, 2004) It can perform a number of undesirable tasks on your computer. Malware is often referred to as malicious code because its programming intent is usually for something malicious. In his book, “Malware: Fighting Malicious Code”, Ed Skoudis writes, “The malicious code doesn’t have your best interests in mind.” (Skoudis, 2004).

Bypassing Malware Defenses

By: Morton Christiansen (posted on June 3, 2010)

Western societies increasingly rely upon information as the foundation for their social, political, financial and military success. Much of this information is transmitted through the Internet, or is handled in intranets using the Internet protocols. Often these internal networks even engage in some sort of (in)direct communication with the Internet itself. Examples of such mostly internal systems include Supervisory Control and Data Acquisition (SCADA) at times controlling nuclear reactors, civil defense sirens and air traffic control or the electricity/water/oil supply for entire nations. Other examples of sensitive internal systems include databases of large banks, of the police and of the military containing financial or intelligence information.

IOSTrojan: Who really owns your router?

By: Manuel Humberto Santander Pelaez (posted on March 16, 2010)

Malware programs have evolved in recent years from small programs capable of destroying information and making devices become unusable to highly sophisticated programs able to take over the user’s computer and collect personal information, with several impacts to the users like identity theft or money theft.

Comprehensive Blended Malware Threat Dissection Analyze Fake Anti-Virus Software and PDF Payloads

By: Anthony Cheuk Tung Lai (posted on March 2, 2010)

At the Malware Domain List web site (Malware Domain List, 2009) simply input “PDF” in the search box, and a number of malicious sites marked with “PDF Exploit” are listed. This reflects how popular malicious PDF files are as a malware carrier currently. It is difficult for end users to realize that popular sites and PDF files sent by friends may actually be infected with shellcode and exploits. Besides PDF malware, fake anti-virus software is also popular as a payload downloaded to victim machines luring end users to voluntary click to scan their computers, installing a malicious executable payload.

Inside a Phish

By: John Brozycki (posted on June 25, 2009)

This paper will document both sides of a phishing campaign, the phisher and the phished, providing a unique view as best as I’m able to recreate it from the phisher’s own emails and information from the phished financial institution.

Reverse Engineering a Windows “Screensaver” e-Postcard

By: Seth Hardy (posted on April 23, 2009)

In this paper, we will cover the reverse engineering of a Windows Portable Executable (PE) file, claiming to be an e- postcard in the form of a screensaver, that is suspected to be malicious.

Mining for Malware - There's Gold in Them Thar Proxy Logs!

By: Joe Griffin (posted on November 17, 2008)

This paper is about identifying sources of malware and lowering the threat by taking action.

Malware Analysis: An Introduction

By: Dennis Distler (posted on February 12, 2008)

I am submitting this abstract to fulfill the technical paper requirements for the GSEC Gold Certification. The paper will be a detailed introduction of malware analysis for security professionals. This paper would be an excellent fit to the Security Essentials track by providing information to assist in the gap that exists in the field, as malware issues are common in computer security today.

Analysis of a Browser Exploitation Attempt

By: Phil Wallisch (posted on January 4, 2008)

Exploitation Kits Revealed - Mpack

By: Andrew Martin (posted on January 4, 2008)

A Thesis Of The Nature Of Adware In Practice

By: Arthur Stephens (posted on April 3, 2006)

It can be as basic as a listing of Computer Commandments: Thou shalt not use P2P at work; Thou shalt not download and activate .wav or .mpg files at work; Thou shalt not bring and activate .wav or .mpg files from home; Thou shalt not download private email on corporate equipment.

Virus Writers 360

By: Julie Newberry (posted on January 18, 2005)

To comprehend the personal motivations of a virus writer investigating the technical angle presents only a small part of the puzzle. There is a significant gap between what is known about viruses/worms and our understanding of the virus writer.

Worm Propagation and Countermeasures

By: Glenn Gebhart (posted on June 9, 2004)

Recent history has amply demonstrated the threat that worms pose to the Internet and those who rely on its correct functioning. Most of the damage done by worms can be traced to the burden they place on networks due to their characteristic exponential growth as they seek to propagate themselves.

Bots &; Botnet: An Overview

By: Ramneek Puri (posted on December 31, 2003)

This paper provides an overview of malicious bot, a remotely controlled trojan which infects internet hosts and is remotely controlled by attacker via private IRC channels.

Malicious Code - What Should We Do?

By: Stacy Ballou (posted on December 14, 2003)

This paper will provide information and avenues for the developer of software products as well as the user of the software products to gain confidence that a software package is not likely to contain malicious code and have a minimal risk of potential vulnerabilities in a software package.

Virus Hoaxes - Are They Just a Nuisance?

By: Darren Grocott (posted on October 31, 2003)

Should information security professionals be concerned about virus hoaxes?

Cheese Worm: Pros and Cons of a Friendly Worm

By: Bryan Barber (posted on October 31, 2003)

Malware is infecting computers all over the world and are consdidered threats to data security; but, can a worm be "friendly"?

Overview of Code Red or What is this "NNNNNNNNNNNNNNNNNNNNNNN" thing?

By: Stephen T Kelly (posted on October 31, 2003)

A discussion of the Code Red worm, how it works, and buffer overflow vulnerabilities in general.

I Thought We Had Virus Protection: The Mistakes that Made Us Vulnerable to the W32 SirCam Virus

By: Bob Green (posted on October 31, 2003)

An examination of the elements of a well written security policy that may keep an organization out of a mess (i.e., experiencing a computer system virus infection), or once infected, can help lead the way out.

Issues with Keeping AntiVirus Software Up to Date

By: John Graham (posted on October 31, 2003)

it is vital for individual organizations to devise a plan for installing and updating virus protection to suit their particular environment.

Computer Virus Policy, Training, Software Protection and Incident Response for the Medium Sized Orga

By: Chris Gullett (posted on October 31, 2003)

This document outlines steps a medium-sized organization can take to create and implement a defense-in-depth strategy to protect resources against computer viruses.

A System Administrator's Guide to Implementing Various Anti-Virus Mechanisms: What to do When a Virus is Suspected On a Computer Network

By: Robert B. Fried (posted on October 31, 2003)

This paper, presented in the form of sample guidelines/procedures, will express in much detail the steps, techniques and methods of defense utilized/implemented in the detection, investigation and tracing of a suspected computer virus

What is Code Red Worm?

By: Adrian Tham (posted on October 31, 2003)

A discussion of the Code Red worm and its implications for an organization's computer network security plan.

QAZ

By: Charles R. Fagg (posted on October 31, 2003)

A review of QAZ and the lessons that can be learned from this virus/trojan.

Living with MalWare

By: Gary Wiggins (posted on October 31, 2003)

A discussion of malware, along with a plan to fight viruses and minimize damage, and then a look to the future of virus fighting technologies.

Code Red Worm - Importance of Swiftly Eliminating Vulnerability

By: Scotty Strunk (posted on October 31, 2003)

Over a seven-week period in the summer of 2001, a series of events unfolded that not only threatened over a quarter of a million computers but the infrastructure of the Internet itself.

A Virus and a Worm: Lessons Learned from SirCam and Code Red in a University Environment

By: Marc Mazuhelli (posted on October 31, 2003)

This text describes the impacts felt and lessons learned in the university environment when SirCam and Code Red were released.

July 2001: Indicative of the "Year of the Worm"

By: David A. Shaffer (posted on October 31, 2003)

This paper discusses: the rise in attacks from worms; two worms making security headlines throughout the month of July 2001, including the essence of their structure and how to neutralize the infections; and, preventative measures that can be taken by a company both at the perimeter and internal levels to help reduce the possible exposure to worms.

KLEZ.H: From Propagation to Prevention

By: Michael Bakes (posted on October 31, 2003)

This study reviews the properties of the Klez.H worm, key findings from a set of infection experiments, and some of the network security tools needed to detect Klez.H infection.

Code Red: The One to Not "Dew"

By: David Doyle (posted on October 31, 2003)

A look at the Code Red worm: how it attacked, how to determine your system's vulnerability to such a threat, and how to defend against such future threats.

A Practical Guide to Enterprise Antivirus and Malware Prevention

By: Jay Martin (posted on October 31, 2003)

A description of several common practices which, when implemented together, will greatly decrease, and perhaps almost stop, malware attacks.

Code Red and the Internet Today

By: Andres Chiriboga (posted on October 31, 2003)

What are Code Red and Code Red II, and how did they become so feared by Internet users?

Code Red: A New Threat

By: Tim Hughes (posted on October 31, 2003)

An in-depth discussion of the Code Red worms with implications for developing and maintaining computer security policy.

The Code Red Worm

By: John C. Dolak (posted on October 31, 2003)

An in-depth discussion of the Code Red worms with implications for developing and maintaining computer security policy.

Windows Remote Buffer Overflow Vulnerability and the Code Red Worm

By: Jeremy Baca (posted on October 31, 2003)

An in-depth discussion of the Code Red worms and buffer overflow vulnerabilities.

The Mechanisms and Effects of the Code Red Worm

By: ReneeC. Schauer (posted on October 31, 2003)

This paper addresses the vulnerability that was present in Microsoft Internet Information Services (IIS) web server software and the worm, Code Red, which exploited this vulnerability.

Code Red and Code Red II: Double Dragons

By: Kittipong Teeraruangchaisri (posted on October 31, 2003)

This paper describes the mechanisms of the Code Red and Code Red II worms and the software vulnerabilities that went unpatched allowing the worms to propagate.

Network and System Planning - How to Reduce Risk on a Comprimised System

By: Brent Maley (posted on October 31, 2003)

This paper highlights the Code Red Worm: how it attacked, how to reduce your system's vulnerability to such a threat, how to reduce exposure if successfully attacked, and how to defend against such future threats.

The Legend of Nimda

By: Kevin G. Frey (posted on October 31, 2003)

This paper describes the w32.nimda.a@mm virus (NIMDA), who is at risk for infection by this virus, the extent of possible damage if infected, the indications that your system has been compromised, corrective actions to take if infected, and, lastly, alternatives to Microsoft IIS.

Nimda Explained, and What You Can Do to Protect Your Sytem(s)

By: Greg Dzurinda (posted on October 31, 2003)

A look at how the Nimda worm infected systems and what protections can be instituted to prevent further attacks.

Overview of Nimda

By: John Phillips (posted on October 31, 2003)

A description of how Nimda attacked, why the system vulnerabilities existed and what could be done to prevent future infections.

Code Red Worm Invasion

By: Sharon Bristow (posted on October 31, 2003)

This paper describes the Code Red worm, how to clean up an infected system, and the security policy implications of attacks from malware.

The Code Red Message in a Bottle

By: Jeffrey A. Tricoli (posted on October 31, 2003)

This paper will focus on several important lessons to be learned from the Code Red worm: the need for faster identification; the need for more coordinated analysis; the need for more clear and timely warnings; and, identifying the contributing factors.

The Nimda Worm: An Overview

By: Eugene J. Aronne (posted on October 31, 2003)

The goal of this paper is to review how Nimda propagates, focus on the initial vulnerabilities it exploits to enter an organization, and what preparations could have been done to prevent exploitation in the first place.

Preventing Propagation of the NIMDA Worm with a Holistic Approach

By: David C. Petty (posted on October 31, 2003)

The purpose of this paper is to discuss the main methods by which Nimda spreads, to share effective ways to prevent the spread of Nimda, and to suggest that a holistic approach is needed to prevent the propagation and spread of recently developed worms.

Stopping Malicious Code at the Desktop

By: Anthony Tulio (posted on October 31, 2003)

This paper discusses how to stop malicious code at the desktop level by examining defensive malware detection software that fall into three categories; signature matching, behavior analysis, and CRC matching.

Nimda Worm - Why is it Different?

By: Keith Poore (posted on October 31, 2003)

This paper examines the Nimda worm to identify what makes it different from other types of malicious code, the current fixes available for the worm, and some recommendations for protecting against further infections by similar types of malicious code.

NetBus 2.1, Is It Still a Trojan Horse or an Actual Valid Remote Control Administration Tool?

By: Seth Kulakow (posted on October 31, 2003)

Educate your users on what they are allowed or not allowed to do within your network but keep them up to date on the latest attack attempts and what to look out for

Poly (morphic) Want a Server... or Runaway Worm

By: Michael Desrosiers (posted on October 31, 2003)

This paper examines the concept of worm propagation, and describes what the author sees the future worm to look like, out in the wild. Also addressed are what steps can be taken to limit its effectiveness.

Encrypted E-mail: Close One Door, Open Another

By: Veronica Cuello (posted on October 31, 2003)

The purpose of this paper is to propose a solution that allows protection of e-mail through content encryption without compromising server-based virus scanning.

Nimda - A Step Into Complexity

By: Matthew Rothschild (posted on October 31, 2003)

This paper takes a close-up look at how Nimda spreads and how it can damage a computer.

Psst... Hey Buddy, Wanna Create a Virus?

By: David Pearson (posted on October 31, 2003)

This paper describes how someone, anyone with the basic, necessary tools and intelligence could not only find, but also create and deliver havoc by the vehicle we know as a virus.

Protecting Against the Unexpected

By: Keith Seymour (posted on October 31, 2003)

This paper will look at applying the computger security tools we already have and some basic security principals to mitigate the threat of new viruses.

Cross-Site Tracing - Protecting Businesses from a Simple Attack

By: Cheryl Stephens (posted on October 31, 2003)

In this paper, I will discuss how easy cross-site tracing could effect an organization and how an organization can protect itself from this type of attack.

Raising the Stakes: How NIMDA Represents an Increased Threat to the Integrity of Enterprise Networks

By: Joseph Kidd (posted on October 31, 2003)

In this paper, the author demonstrates that solid and vigilant network security architecture has become an essential element of systems management by reviewing just how dangerous and effective the NIMDA virus is, and how it represents a significant threat to the integrity of enterprise networks.

It's Time to Rethink your Corporate Malware Strategy

By: Nick Del Grosso (posted on October 31, 2003)

The purpose of this paper is to make a case for evaluating behavior-based policy enforcement middleware products and technologies, and to incorporate them into a corporate security strategy.

Mass-Mailing Worms: Prevention, Detection and Response (A Case Study)

By: Richard Gadsden (posted on October 31, 2003)

In this paper I describe the approaches to mass-mailing worm prevention, detection, and incident response that I have developed and used on a large university network.

Plain English: Risks of Java Applets and Microsoft ActiveX Controls

By: Jennifer M. Marek (posted on October 31, 2003)

This paper discusses the differences between two types of mobile code, Microsoft ActiveX controls and Java Applets, and the security risks of both. Finally, the paper will gives alternative suggestions on what a can be done to allow some users to use mobile code, while not putting a secure intranet at risk.

Understanding the Virus Threat and Developing Effective Anti-Virus Policy

By: Frank Zipfel (posted on October 31, 2003)

This paper focuses on providing the reader with an overview of the current virus landscape and aids in developing best practice anti-virus policies. After presenting the threat, we'll introduce you to today's most popular anti-virus tools.

Detecting and Recovering from a Virus Incident

By: John Stone (posted on October 31, 2003)

This document lays out what information to gather and the steps to take in the event malicious code enters your environment.

Implementing A Norton AntiVirus Managed Infrastructure

By: Rodney Lynxwiler (posted on October 31, 2003)

This paper concentrates on some of the practical aspects of rolling out a managed antivirus solution to a large company, specifically for workstations and servers.

Worms don't care if you're "not a bank"

By: Matt Yackley (posted on October 31, 2003)

This paper illustrates four major worms: Code Red, Code Red II, Nimda and SQLSnake, and discusses the scope of the problem, its effect on your systems and some steps to prevent you from becoming yet another statistic.

How Spyware fits into Defense in Depth

By: Michael McCardle (posted on October 31, 2003)

New spyware programs crop up everyday, and the attackers are ever evolving in the ways that they try to attack system vulnerabilities, and this paper addresses why our network defenses and corporate policies have to be ever evolving to be effective.

Security Management View of Implementing Enterprise Antivirus Protection

By: Mike Stowe (posted on October 31, 2003)

This paper provides practical information to consider when planning the deployment, upgrade, design, or engineering of an enterprise antivirus solution.

About Heuristics

By: Stephen M. Sladaritz (posted on October 31, 2003)

This paper will discuss what heuristics is, why we should use it, warts and all, and some ideas for how to use it best. Finally we'll talk about how to be a good neighbor while using it, and wrap it up with a discussion on including heuristics in our antivirus policies.

Virii Generators: Understanding the Threat

By: James Tarala (posted on October 31, 2003)

The most common generators are the virii script generators, polymorphic, and encryption generation engines; each of these precepts needs to be thought through more, however, to really understand the threat against the enterprise, caused by such virii generators.

Securing the Symantec LiveUpdate Administrative Utility on Windows 2000

By: Cedric d' Albis (posted on October 31, 2003)

This paper describes in detail the steps required to implement and harden a Symantec LiveUpdate server on a Microsoft Windows 2000 platform. In addition to being a cookbook to build a LiveUpdate FTP server, this paper describes methods and concepts that can be used to secure any vendor application on the Windows 2000 platform

Beating the Superbug: Recent Developments in Worms and Viruses

By: Michael Clarkson (posted on October 31, 2003)

This paper will examine the differences between worms and viruses, and then discuss recent developments in virus and worm technology. Some defensive techniques will be examined, and an attempt will be made to predict future possible techniques that may emerge in viruses or worms.

Into the Darkness: Dissection and Explanation of Proven Attack Source Code

By: Shane W. Clancy (posted on October 31, 2003)

The intent of this paper is to show the reader how an RPC attack works at the source code level.

Slapper

By: Paul Elwell (posted on October 31, 2003)

It is the intent of this paper to look at not only what Slapper does, but why and how (with special emphasis on the buffer overflow employed).

Deconstructing SubSeven, the Trojan Horse of Choice

By: Jamie Crapanzano (posted on October 31, 2003)

This paper discusses the popularity of the SubSeven Trojan and the general vulnerability of many systems on the Internet, particularly those of home users, and providdes an awareness of the dangers of being infected with this malicious program.

SubSeven 2.2: New Flavor of an Old Favorite

By: Aaron Greenlee (posted on October 31, 2003)

This paper presents a case study in which the author tested SubSeven 2.2 in a lab environment on both, a typical Windows 2000 machine as well as a typical Windows 98SE machine.

Bridging the gap between Red-alert virus situation and quality file-signature release

By: Ken Millard (posted on October 31, 2003)

Recently, antivirus vendors have come under increasing criticism about the time they take to react to a red-alert virus situation1.

Internet Worms: Walking on Unstable Ground

By: Jon Maurer (posted on October 31, 2003)

By practicing defense in depth, we can hope to reduce the threat of future super worms.