Reading Room


Malicious Code

Featuring 114 Papers as of May 13, 2019

  • Hunting for Ghosts in Fileless Attacks by Buddy Tancio - May 13, 2019 

    Hunting for a fileless threat can be a tedious and labor-intensive task for any analyst. It is, more often than not, extremely time-consuming and requires a significant amount of data gathering. On top of that, the traditional tools, methods, and defenses seem to be less effective when dealing with these almost invisible threats. Threat actors are frequently using attack techniques that work directly from memory or using legitimate tools or services pre-installed in the system to achieve their goals (Trend Micro, 2017). It is a popular technique among targeted attacks and advanced persistent threats (APT), and now it has been adopted by conventional malware such as trojans, ransomware, and even the most recent emerging threat – cryptocurrency miners. In some incidents, searching for a malicious file that resides on the hard drive seems to be insufficient. This study explores the different variations of fileless attacks that targeted the Windows operating system and what kind of artifacts or tools can provide clues for forensic investigation.

  • Finding the Human Side of Malware: A SANS Review of Intezer Analyze by Matt Bromiley - November 29, 2018 

    We tested Intezer Analyze, a revolutionary malware analysis tool that may change how you handle and assess malware. We found Analyze to be an impactful, immediate-result malware analysis platform.

  • Reverse Engineering of WannaCry Worm and Anti Exploit Snort Rules by Hirokazu Murakami - May 27, 2018 

    Today, a lot of malware is being created and utilized. To solve this problem, many researchers study technologies that can quickly respond automatically to detected malware. Using artificial intelligence (AI) is such an example. However, modern AI has difficulty responding to new attack methods. On the other hand, malware consists of variants, and the root (core) part often uses the same technology. Therefore, I think that if we can identify that core part of malware through analysis, we can identify many variants as well. Consider the possibility of reverse engineering to identify countermeasures from malware analysis results.

  • Do Random IP Lookups Mean Anything? by Jay Yaneza - May 2, 2018 

    Being able to identify the external IP address of a network is usually a benign activity. Applications may opt to use online services via an HTTP request or API call. Currently, there are some web-based applications that provide this kind of service openly, and some with possibly malicious uses. In fact, malware threats have been using these services to map out and identify their targets for quite some time already – an acknowledged fact hidden in technical write-ups which holds little recognition for an active defender. The goal of looking into these web services is to isolate threats that had abused the network service and identify this kind of network activity. If we can associate an external IP lookup with a suspicious activity, then we would be able to assume that an endpoint requires some form of investigation. Endpoint identification through IP addresses may pose a challenge, but the correct placement of the identification methods proposed in this paper may be considered. This paper will also look into the associated malicious activity that had used online services, the use of such services over time, differentiate the threats that use them, and finally how to detect them using open source tools, if applicable.

  • Automating Static File Analysis and Metadata Collection Using Laika BOSS by Charles DiRaimondi - February 19, 2018 

    Laika BOSS is a file-centric recursive object scanning framework developed by Lockheed Martin that provides automation of common analysis tasks, generation of rich file object metadata and the ability to easily apply file-based signature detections to identify malicious files through static analysis. While performing triage and analysis of malware, analysts typically perform repeatable tasks using a variety of standalone utilities and use these tools to gather information that will be useful in understanding adversary tools and in developing future detections. This paper will provide guidance to analysts by reviewing concepts core to the Laika BOSS framework, integrating custom Yara rules for file-based detections, searching and filtering scan object metadata, and describing how to develop, test and implement new Laika BOSS modules to extend and automate new functionality and capabilities into the framework. As part of performing this research, new modules and tools will be released to the security community that will enhance the capabilities and value obtained by using the Laika BOSS framework to perform static malware analysis and metadata collection.

  • Loki-Bot: Information Stealer, Keylogger, & More! by Rob Pantazopoulos - June 28, 2017 

    Loki-Bot is advertised as a Password and CryptoCoin Wallet Stealer on several hacker forums (carter, 2015) (Anonymous, 2016) (lokistov, 2015) but aside from cheap sales pitches on the black market, not much has been published regarding the details of its characteristics and capabilities. This poses a problem to information security analysts who require such details in order to accurately prevent and/or defend against incidents involving this malware. The primary goal of this paper is to provide a comprehensive resource on Loki-Bot for those looking to better understand its inner workings and to provide contextual knowledge in support of incident response efforts. Contents of this paper will focus solely on characteristics identified during code-level analysis within a debugger. Basic static and dynamic analysis of Loki-Bot will be left as an exercise for the reader.

  • Next Generation Endpoint Protection – CIS Control 8, Malware Defense Effectiveness, Performance Metrics and False Positive Rates Graduate Student Research
    by Dean Sapp - June 20, 2017 

    The Center for Internet Security (CIS) Critical Security Controls v6.1 is comprised of battle-tested and prioritized security controls that significantly reduce the risk to businesses from cyber breach. Endpoint security is the primary objective of Control 8, Malware Defenses, which will be analyzed in this study (Manage Cybersecurity Risk with the CIS Controls). This paper details a handful of real-world testing scenarios to determine which Next Generation Endpoint Security (NGES) products have the greatest effectiveness in blocking file-based malware from executing, including freshly minted zero-day variants that have been repacked so they have unique hashes. In addition to measuring efficacy in blocking malware, this paper includes a secondary scope to examine the system resource consumption introduced by these products to give the reader a better understanding of the business impact these products have on the overall end-user experience. A tertiary scope analyzes the false positive rate of NGES with respect to common administrative tools used regularly by IT practitioners on the Microsoft Windows 10 Enterprise and Windows 2012 R2 Server platforms.

  • Obfuscation and Polymorphism in Interpreted Code by Kristopher L. Russo - February 10, 2017 

    Malware research has operated primarily in a reactive state to date but will need to become more proactive to bring malware time-to-detection rates down to acceptable levels. Challenging researchers to begin creating their own code that defeats traditional malware detection will help bring about this change. This paper demonstrates a sample code framework that is easily and dynamically expanded on. It shows that it is possible for malware researchers to proactively mock up new threats and analyze them to test and improve malware mitigation systems. The code sample documented within demonstrates that modern malware mitigation systems are not robust enough to prevent even the most basic of threats. A significant amount of difficult-to-detect malware that is in circulation today is evidence of this deficiency. This paper is designed to demonstrate how malware researchers can approach this problem in a way that partners researchers with vendors and follows code development from ideation through design to implementation and ultimately on to identification and mitigation.

  • Arming SMBs Against Ransomware Attacks by Tim Ashford - August 31, 2016 

    Ransomware has become one of the most serious cyber threats to small and medium businesses today. A recent variant permanently deletes files within one hour of infection. The situation grows increasingly dire: the FBI even encourages victims to make payment, though there is still no guarantee that owners will recover their data (ICIT Fellows, 2016). Despite such threats, small and medium enterprises can follow recommended best practices to mitigate this risk. Businesses with tighter budgets and fewer security team members can adopt many of the protections available to the largest enterprises. The most important recommendation is the use of application whitelisting. In Windows environments, this can be accomplished through free tools within Active Directory. Other options will also be discussed, as well as a brief discussion of the future of ransomware.

  • Demystifying Malware Traffic by Sourabh Saxena - August 29, 2016 

    In today's world, adversaries use established techniques, innovative and intricate methods for cyber-crimes and to infiltrate firms or an individual's system. Usage of Malware is one of those approaches. Malware not only creates an inlet for attacks, but it also turns systems into "zombies" and "bots" forcing them to obey commands and perform activities as per the whims and fancies of the adversary. Thus, attacks like data theft, mail relay, access to confidential/restricted area, Distributed Denial-of-Service (DDoS) can easily be launched against not just the infected system but against other systems and environments as well by utilizing these zombies, bots, and botnets. Attackers not only obfuscate the code but can encrypt payloads as well as malware's traffic simultaneously, using approaches like mutation and polymorphism making their detection difficult not just for antiviruses, but even for firewalls, IDS and IPS, Incident Handlers, and Forensic teams. Organizations, having learned from past mistakes, have also shifted their approach from simple defense mechanisms such as antiviruses, IDS and IPS to aggressive strategies like DNS Sinkhole and Live Traffic Analysis. These strategies not only help in the identification and removal of malware but also in understanding the actual impact, blocking of malicious activities and identification of adversaries.

  • Using Splunk to Detect DNS Tunneling Graduate Student Research
    by Steve Jaworski - June 1, 2016 

    DNS tunneling is a method to bypass security controls and exfiltrate data from a targeted organization. Choose any endpoint on your organization's network, using nslookup, perform an A record lookup for If it resolves with the site's IP address, that endpoint is susceptible to DNS Tunneling. Logging DNS transactions from different sources such as network taps and the DNS servers themselves can generate large volumes of data to investigate. Using Splunk can help ingest the large volume of log data and mine the information to determine what malicious actors may be using DNS tunneling techniques on the target organization's network. This paper will guide the reader in building a lab network to test and understand different DNS tunneling tools, then use Splunk and Splunk Stream to collect the data and detect the DNS tunneling techniques. The reader will be able to apply what they learn to any enterprise network.

  • Basic Reverse Engineering with Immunity Debugger Graduate Student Research
    by Roberto Nardella - May 9, 2016 

    Reverse Engineering is an intriguing art, but also one of the most difficult topics in Security and Malware Analysis. Skilled reverse engineers have an in-depth knowledge of Assembly language and of processor architectures, and a great familiarity with the most important debuggers. However, there is a lot of information that can be gathered with even an essential knowledge of debuggers and Assembler. This paper shows some very basic, but very useful, reverse engineering steps carried out with a great debugger, Immunity Debugger.

  • Case Study: How CIS Controls Can Limit the Cascading Failures During an Attack Graduate Student Research
    by Bill Knaffl - May 3, 2016 

    Every day it seems that new information becomes public about the latest data breach.

  • Enterprise Survival Guide for Ransomware Attacks by Shafqat Mehmoon - May 3, 2016 

    Ransomware or cryptolocker is a type of malware that can be covertly installed on a computer without knowledge or intention of the user.

  • Neutrino Exploit Kit Analysis and Threat Indicators by Luis Rocha - April 13, 2016 

    Exploit Kits are powerful and modular digital weapons that deliver malware in an automated fashion to the endpoint. Exploit Kits take advantage of client side vulnerabilities. These threats are not new and have been around for the past 10 years at least. Nonetheless, they evolved and are now more sophisticated than ever. The malware authors behind them enforce sophisticated capabilities that evade detection, thwart analysis and deliver reliable exploits. These properties make detection and analysis difficult. This paper demonstrates a set of tools and techniques to perform analysis of the Neutrino Exploit Kit. The primary goal is to grow security expertise and awareness about these types of threats. Those empowered to defend users and corporations should not only study these threats, they must also be deeply involved in their analysis.

  • Exploits of Yesteryear Are Never Truly Gone Graduate Student Research
    by Marsha Miller - December 23, 2015 

    Once, mentioning the name of certain viruses and worms put fear into the hearts of millions. Blaster, Sasser, and even ILoveYou, a seemingly innocuous phrase used every day, became household names that led to loss of money and productivity.

  • On the x86 Representation of Object Oriented Programming Concepts for Reverse Engineers by Jason Batchelor - November 24, 2015 

    While object oriented programming is generally understood by developers using higher level languages, such as C++, the reverse engineer is required to understand how these concepts manifest themselves within a compiled binary.

  • An Introduction to Linux-based malware Graduate Student Research
    by Matthew Koch - July 23, 2015 

    Although rarely making news headlines, Linux malware is a growing problem. As a result, Linux systems are left in an insecure state with minimal defenses against malware. This becomes increasingly problematic with the growth of networkable embedded devices often referred to as the “Internet of Things” (IoT). This paper will discuss attack vectors for Linux malware, analyze several pieces of malware and describe defensive capabilities.

  • Analyzing a Backdoor/Bot for the MIPS Platform by Muhammad Junaid Bohio - April 13, 2015 

    Malware functionalities have been evolving and so are their target platforms and architectures.

  • XtremeRAT - When Unicode Breaks by Harri Sylvander - April 9, 2015 

    XtremeRAT is a commonly abused remote administration tool that is prevalent in the Middle East; prevalent to the degree that it is not uncommon to find at least one active RAT in a network on any given incident response engagement.

  • Sleeping Your Way out of the Sandbox Graduate Student Research
    by Hassan Mourad - March 3, 2015 

    The term Advanced Persistent Threat is widely cited as originating in 2006 from the US Air Force in reference to advanced cyber-attacks against specific targets (Fortinet, 2013, p2).

  • Case Study: 2012 DC3 Digital Forensic Challenge Basic Malware Analysis Exercise by Kenneth Zahn - September 9, 2013 

    The Department of Defense (DoD) Cyber Crime Center (DC3) provides digital forensic process standardization, analysis, and investigation support to the various agencies and military commands within the US DoD (DC3, 2013).

  • Using IOC (Indicators of Compromise) in Malware Forensics by Hun-Ya Lock - April 17, 2013 

    In the IT operations of an enterprise, malware forensics is often used to support the investigations of incidents.

  • Attributes of Malicious Files by Joel Yonts - July 6, 2012 

    One of the most challenging questions that an incident responder must answer is whether a particular file is malicious or benign.

  • Detailed Analysis Of Sykipot (Smartcard Proxy Variant) by Rong Hwa Chong - April 16, 2012 

    According to Symantec, Sykipot has been used in targeted attacks for the past few years since 2006 (Thakur, 2011).

  • The User Agent Field: Analyzing and Detecting the Abnormal or Malicious in your Organization by Darren Manners - February 7, 2012 

    In the early days of the Internet, users had to type in text commands to navigate. Tools were later developed, e.g. early browsers, to be the "user's agent" so that commands did not have to be typed in to navigate – the user could simply click to navigate.

  • A Detailed Analysis of an Advanced Persistent Threat Malware by Frankie Fu Kay Li - October 14, 2011 

    Spear-phishing emails were sent to a political figure at my place of residence. An email, including the attached sample, was provided for forensic analysis. This email contained an obviously well-crafted message to lure the recipient to open the malicious attachment. It was predicted as an Advanced Persistent Threat attack (APT-attack).

  • Mitigating Browser Based Exploits through Behavior Based Defenses and Hardware Virtualization by Joseph Faust - October 7, 2011 

    There does not seem to be a day or week that goes by that one does not encounter a headline story about an organization being compromised and infiltrated by attackers.

  • Dissecting Andro Malware by Joel Varghese - September 7, 2011 

    Reverse Engineering in malware analysis is a process which is used on malware in order to understand its operation, code structure and its functionality. This project aims to understand the operation of a malware and investigate the parameters, code and structure which is created or modified by the malicious software. In response to this objective a virtual lab was created to analyse the malicious software. A new variant of "DroidKungFu", named "DroidKungfu-2 A", which infected the Android platform, was analysed. After the code analysis we understood the malicious piece of code which was embedded along with the original code, the services and activities that get started, and the mobile information which is sent to the remote servers. Once the malware gets root access to the victim machine it can even damage the system.

  • Identifying Malicious Code Infections Out of Network by Ken Dunham - August 29, 2011 

    Forensics is a complex subject, where details matter greatly. Even more complicated are investigations where forensic methods are used to further understand, identify, capture, and mature an understanding of a malicious attack that may have taken place on a computer.

  • BYOB: Build Your Own Botnet by Francois Begin - August 17, 2011 

    A recent report on botnet threats (Dhamballa, 2010) provides a sobering read for any security professional. According to its authors, the number of computers that fell victim to botnets grew at the rate of 8%/week in 2010, which translates to more than a six-fold increase over the course of the year.

  • An Overview Of The Casper RFI Bot by Dan O'Connor - June 20, 2011 

    On July 8th 2010 Emerging Threats added signatures for a remote file inclusion scanner with a user agent containing either "MaMa CaSpEr" or "Casper Bot Search".

  • Mass SQL Injection for Malware Distribution by Larry Wichman - April 20, 2011 

    Cybercriminals have made alarming improvements to their infrastructure over the last few years. One reason for this expansion is thousands of websites vulnerable to SQL injection. Malicious code writers have exploited these vulnerabilities to distribute malware.

  • Malcode Context of API Abuse by Ken Dunham - April 4, 2011 

    Individuals performing a manual or deep research effort into understanding malicious code need to establish and understand the malcode context for success. For example, downloading by a program can be a normal function, such as locating updates for an application.

  • Tracking Malware With Public Proxy Lists by James Powers - January 27, 2011 

    The Web was born on Christmas Day, 1990 when the CERN Web server (CERN httpd 1.0) went online. By version 2.0, released in 1993, CERN httpd was also capable of performing as an application gateway. By 1994, content caching was added. With the publication of RFC 1945 two years later, proxy capabilities were forever embedded into the HTTP specification (Berners-Lee, Fielding, & Frystyk, 1996).

  • Malicious Android Applications: Risks and Exploitation by Joany Boutet - December 22, 2010 

    Android is an open-source mobile operating system, based upon a modified version of the Linux kernel, initially developed by Android Inc., a firm purchased by Google in 2005. A Gartner study released in November 2010 outlined that Android has become the second-most popular OS in the world (Gartner, 11/2010). The growth of Android has exceeded their previous study, released last year, in which they had predicted that Android will be the No.2 worldwide mobile operating system in 2012 (The H, 08/10/2009). According to another Gartner study (Gartner, 08/2010), there will be only a slight difference between Symbian and Android market share in 2014: 30.2% for Symbian against 29.6% for Android.

  • Analysis of a Simple HTTP Bot by Daryl Ashley - December 20, 2010 

    The purpose of this paper is to describe how static code analysis was used to gain insight into the functionality of a simple HTTP Bot. Certain tools can be used to analyze what a piece of malware has done to an infected system. For example, Regshot can be used to determine what registry changes have been made after a malware specimen has been executed on a test system (Zeltser, 2009b). The tcpdump command can be used to detect network activity that occurs after the malware has been used to infect a host (Northcutt, 2001).

  • Building a Malware Zoo by Joel Yonts - December 1, 2010 

    In today’s highly connected Internet age, we have seen an overwhelming flood of new malware. According to a report published by McAfee (Marcus, Greve, Masiello, & Scharoun, 2009), over 12 million new pieces of malware were discovered in the first three quarters of 2009. This rate of thousands of new samples per day has exceeded our ability to manually analyze and catalog these threats. Additionally, maintaining a comprehensive library of samples and supporting analysis artifacts has created an information organization nightmare.

  • Getting Owned By Malicious PDF - Analysis by Mahmud Ab Rahman - August 30, 2010 

    The last two years were not so good for Adobe Acrobat Reader users, especially for those using versions prior to version 9. Core Security had released the advisory about the util.printf stack buffer overflow vulnerability in Adobe Acrobat Reader with CVE tag CVE-2008-2992 (CoreSecurity, 2008). An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to the legitimate user. More information on this vulnerability can be obtained by reading a paper on the vulnerability and exploitation analysis written by a CoreSecurity researcher via this link

  • Packer Analysis Report-Debugging and unpacking the NsPack 3.4 and 3.7 packer. by Craig Wright - August 24, 2010 

    This document provides instructions on how to unpack NsPack 3.4 and 3.7 using the OllyDbg debugger. The OllyScripts used in this process are included in the appendixes. The custom plug-ins that are used to automate the procedure are provided with the source code. This paper also includes instructions on how to fully restore the import table so the file can be restored to its original state and executed. This is continued further with instructions on how to convert the machine code (assembly language) into a higher level language (in this paper we will use C) so that an analyst can better understand the workings and purpose of the packer.

  • Clash of the Titans: ZeuS v SpyEye by Harshit Nayyar - June 15, 2010 

    The stage, it seems, is set for an epic battle between two of the most dangerous fighters in the nefarious world of malware. In one corner: ZeuS, undoubtedly the reigning champion of Banking Trojans, so much so, that the distinction of “king” has often been used to describe it (Falliere & Chien, 2009). In the other corner: SpyEye, a relatively new, but at the same time worthy, challenger, posing to dethrone ZeuS. This paper documents a part of this budding and dynamic battle as it unfolds – so dynamic in fact, that within the time it took to write this paper, both crimeware kits had already moved on to their next releases, implementing some serious licensing and anti-reversing measures (Krebs, 2010).

  • Bypassing Malware Defenses by Morton Christiansen - June 3, 2010 

    Western societies increasingly rely upon information as the foundation for their social, political, financial and military success. Much of this information is transmitted through the Internet, or is handled in intranets using the Internet protocols. Often these internal networks even engage in some sort of (in)direct communication with the Internet itself. Examples of such mostly internal systems include Supervisory Control and Data Acquisition (SCADA) at times controlling nuclear reactors, civil defense sirens and air traffic control or the electricity/water/oil supply for entire nations. Other examples of sensitive internal systems include databases of large banks, of the police and of the military containing financial or intelligence information.

  • Utilizing "AutoRuns" To Catch Malware by Jim McMillan - June 3, 2010 

    “Malware is a set of instructions that run on your computer and make your system do something that an attacker wants it to do”. (Skoudis, 2004) It can perform a number of undesirable tasks on your computer. Malware is often referred to as malicious code because its programming intent is usually for something malicious. In his book, “Malware: Fighting Malicious Code”, Ed Skoudis writes, “The malicious code doesn’t have your best interests in mind.” (Skoudis, 2004).

  • IOSTrojan: Who really owns your router? Graduate Student Research
    by Manuel Humberto Santander Pelaez - March 15, 2010 

    Malware programs have evolved in recent years from small programs capable of destroying information and making devices become unusable to highly sophisticated programs able to take over the user’s computer and collect personal information, with several impacts to the users like identity theft or money theft.

  • Comprehensive Blended Malware Threat Dissection Analyze Fake Anti-Virus Software and PDF Payloads by Anthony Cheuk Tung Lai - March 1, 2010 

    At the Malware Domain List web site (Malware Domain List, 2009), simply input “PDF” in the search box, and a number of malicious sites marked with “PDF Exploit” are listed. This reflects how popular malicious PDF files are as a malware carrier currently. It is difficult for end users to realize that popular sites and PDF files sent by friends may actually be infected with shellcode and exploits. Besides PDF malware, fake anti-virus software is also popular as a payload downloaded to victim machines, luring end users to voluntarily click to scan their computers, installing a malicious executable payload.

  • Inside a Phish Graduate Student Research
    by John Brozycki - June 25, 2009 

    This paper will document both sides of a phishing campaign, the phisher and the phished, providing a unique view as best as I’m able to recreate it from the phisher’s own emails and information from the phished financial institution.

  • Reverse Engineering a Windows “Screensaver” e-Postcard by Seth Hardy - April 23, 2009 

    In this paper, we will cover the reverse engineering of a Windows Portable Executable (PE) file, claiming to be an e-postcard in the form of a screensaver, that is suspected to be malicious.

  • Mining for Malware - There's Gold in Them Thar Proxy Logs! by Joe Griffin - November 17, 2008 

    This paper is about identifying sources of malware and lowering the threat by taking action.

  • Malware Analysis: An Introduction by Dennis Distler - February 12, 2008 

    I am submitting this abstract to fulfill the technical paper requirements for the GSEC Gold Certification. The paper will be a detailed introduction of malware analysis for security professionals. This paper would be an excellent fit to the Security Essentials track by providing information to assist in the gap that exists in the field, as malware issues are common in computer security today.

  • Exploitation Kits Revealed - Mpack by Andrew Martin - January 4, 2008 

    This research paper is divided into two basic sections. Section 1 describes the MPack exploitation kit which has made a big splash in the security world recently. This involves an analysis of how MPack works including how it infects a user's PC, the look and feel of its payload and the evasion techniques it uses to hide its presence from Intrusion Detection Systems. Following this, the author sets out how to respond to a sample MPack attack by using the incident response process. This covers how to identify, counter, and eliminate the threat using a variety of approaches & techniques. The analysis is performed without access to the MPack source code to reflect real world circumstances. The second section steps back from the specific technical aspects of MPack to set out a basic primer for IT staff to handle an MPack attack. By extension, techniques discussed here may be used to investigate other similar attacks. The analysis is structured using the SANS PICERL methodology and covers: Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned.

  • Analysis of a Browser Exploitation Attempt by Phil Wallisch - January 4, 2008 

    This paper analyzes an attempt by an attacker to compromise a system by exploiting the web browser. It describes the attacker’s motivations and techniques. It also describes how a security administrator can analyze the incident using an array of tools. An example found in the wild is analyzed stage by stage. Finally methods used to prevent the attack from succeeding are discussed.

  • Virus Writers 360 by Julie Newberry - January 18, 2005 

    To comprehend the personal motivations of a virus writer, investigating the technical angle presents only a small part of the puzzle. There is a significant gap between what is known about viruses/worms and our understanding of the virus writer.

  • Worm Propagation and Countermeasures by Glenn Gebhart - June 9, 2004 

    Recent history has amply demonstrated the threat that worms pose to the Internet and those who rely on its correct functioning. Most of the damage done by worms can be traced to the burden they place on networks due to their characteristic exponential growth as they seek to propagate themselves.

  • Bots & Botnet: An Overview by Ramneek Puri - December 21, 2003 

    This paper provides an overview of malicious bots: remotely controlled trojans which infect Internet hosts and are controlled by an attacker via private IRC channels.

  • Malicious Code - What Should We Do? by Stacy Ballou - December 14, 2003 

    This paper will provide information and avenues for the developer of software products as well as the user of the software products to gain confidence that a software package is not likely to contain malicious code and have a minimal risk of potential vulnerabilities in a software package.

  • Internet Worms: Walking on Unstable Ground by Jon Maurer - October 10, 2003 

    By practicing defense in depth, we can hope to reduce the threat of future super worms.

  • Cross-Site Tracing - Protecting Businesses from a Simple Attack by Cheryl Stephens - August 8, 2003 

    In this paper, I will discuss how easily cross-site tracing could affect an organization and how an organization can protect itself from this type of attack.

  • Mass-Mailing Worms: Prevention, Detection and Response (A Case Study) by Richard Gadsden - August 8, 2003 

    In this paper I describe the approaches to mass-mailing worm prevention, detection, and incident response that I have developed and used on a large university network.

  • KLEZ.H: From Propagation to Prevention by Michael Bakes - June 19, 2003 

    This study reviews the properties of the Klez.H worm, key findings from a set of infection experiments, and some of the network security tools needed to detect Klez.H infection.

  • Slapper by Paul Elwell - March 12, 2003 

    It is the intent of this paper to look at not only what Slapper does, but why and how (with special emphasis on the buffer overflow employed).

  • Bridging the gap between Red-alert virus situation and quality file-signature release by Ken Millard - February 24, 2003 

    Recently, antivirus vendors have come under increasing criticism about the time they take to react to a red-alert virus situation.

  • Worms don't care if you're "not a bank" by Matt Yackley - February 23, 2003 

    This paper illustrates four major worms: Code Red, Code Red II, Nimda and SQLSnake, and discusses the scope of the problem, its effect on your systems and some steps to prevent you from becoming yet another statistic.

  • How Spyware fits into Defense in Depth by Michael McCardle - February 7, 2003 

    New spyware programs crop up every day, and attackers are ever evolving in the ways they try to exploit system vulnerabilities; this paper addresses why our network defenses and corporate policies also have to keep evolving to be effective.

  • Security Management View of Implementing Enterprise Antivirus Protection by Mike Stowe - December 23, 2002 

    This paper provides practical information to consider when planning the deployment, upgrade, design, or engineering of an enterprise antivirus solution.

  • Detecting and Recovering from a Virus Incident by John Stone - December 14, 2002 

    This document lays out what information to gather and the steps to take in the event malicious code enters your environment.

  • Into the Darkness: Dissection and Explanation of Proven Attack Source Code by Shane Clancy - November 25, 2002 

    The intent of this paper is to show the reader how an RPC attack works at the source code level.

  • Beating the Superbug: Recent Developments in Worms and Viruses by Michael Clarkson - November 7, 2002 

    This paper will examine the differences between worms and viruses, and then discuss recent developments in virus and worm technology. Some defensive techniques will be examined, and an attempt will be made to predict future possible techniques that may emerge in viruses or worms.

  • Securing the Symantec LiveUpdate Administrative Utility on Windows 2000 by Cedric Albis - August 9, 2002 

    This paper describes in detail the steps required to implement and harden a Symantec LiveUpdate server on a Microsoft Windows 2000 platform. In addition to being a cookbook for building a LiveUpdate FTP server, this paper describes methods and concepts that can be used to secure any vendor application on the Windows 2000 platform.

  • A System Administrator's Guide to Implementing Various Anti-Virus Mechanisms: What to do When a Virus is Suspected On a Computer Network by Robert Fried - June 6, 2002 

    This paper, presented in the form of sample guidelines/procedures, describes in detail the steps, techniques and methods of defense utilized/implemented in the detection, investigation and tracing of a suspected computer virus.

  • Virii Generators: Understanding the Threat by James Tarala - May 12, 2002 

    The most common generators are the virii script generators, polymorphic, and encryption generation engines; each of these precepts needs to be thought through more, however, to really understand the threat against the enterprise, caused by such virii generators.

  • Plain English: Risks of Java Applets and Microsoft ActiveX Controls by Jennifer Marek - March 24, 2002 

    This paper discusses the differences between two types of mobile code, Microsoft ActiveX controls and Java Applets, and the security risks of both. Finally, the paper gives alternative suggestions on what can be done to allow some users to use mobile code while not putting a secure intranet at risk.

  • About Heuristics by Stephen Sladaritz - March 24, 2002 

    This paper will discuss what heuristics is, why we should use it, warts and all, and some ideas for how to use it best. Finally we'll talk about how to be a good neighbor while using it, and wrap it up with a discussion on including heuristics in our antivirus policies.

  • Implementing A Norton AntiVirus Managed Infrastructure by Rodney Lynxwiler - March 21, 2002 

    This paper concentrates on some of the practical aspects of rolling out a managed antivirus solution to a large company, specifically for workstations and servers.

  • Understanding the Virus Threat and Developing Effective Anti-Virus Policy by Frank Zipfel - March 11, 2002 

    This paper focuses on providing the reader with an overview of the current virus landscape and aids in developing best practice anti-virus policies. After presenting the threat, we'll introduce you to today's most popular anti-virus tools.

  • It's Time to Rethink your Corporate Malware Strategy by Nick Grosso - February 24, 2002 

    The purpose of this paper is to make a case for evaluating behavior-based policy enforcement middleware products and technologies, and to incorporate them into a corporate security strategy.

  • Raising the Stakes: How NIMDA Represents an Increased Threat to the Integrity of Enterprise Networks by Joseph Kidd - February 1, 2002 

    In this paper, the author demonstrates that solid and vigilant network security architecture has become an essential element of systems management by reviewing just how dangerous and effective the NIMDA virus is, and how it represents a significant threat to the integrity of enterprise networks.

  • Protecting Against the Unexpected by Keith Seymour - January 28, 2002 

    This paper will look at applying the computer security tools we already have and some basic security principles to mitigate the threat of new viruses.

  • Psst... Hey Buddy, Wanna Create a Virus? by David Pearson - December 5, 2001 

    This paper describes how someone, anyone with the basic, necessary tools and intelligence could not only find, but also create and deliver havoc by the vehicle we know as a virus.

  • Nimda - A Step Into Complexity by Matthew Rothschild - November 27, 2001 

    This paper takes a close-up look at how Nimda spreads and how it can damage a computer.

  • Encrypted E-mail: Close One Door, Open Another by Veronica Cuello - November 21, 2001 

    The purpose of this paper is to propose a solution that allows protection of e-mail through content encryption without compromising server-based virus scanning.

  • Poly (morphic) Want a Server... or Runaway Worm by Michael Desrosiers - November 15, 2001 

    This paper examines the concept of worm propagation, and describes what the author sees the future worm to look like, out in the wild. Also addressed are what steps can be taken to limit its effectiveness.

  • Nimda Worm - Why is it Different? by Keith Poore - November 11, 2001 

    This paper examines the Nimda worm to identify what makes it different from other types of malicious code, the current fixes available for the worm, and some recommendations for protecting against further infections by similar types of malicious code.

  • Stopping Malicious Code at the Desktop by Anthony Tulio - November 6, 2001 

    This paper discusses how to stop malicious code at the desktop level by examining defensive malware detection software that falls into three categories: signature matching, behavior analysis, and CRC matching.

  • Preventing Propagation of the NIMDA Worm with a Holistic Approach by David Petty - October 31, 2001 

    The purpose of this paper is to discuss the main methods by which Nimda spreads, to share effective ways to prevent the spread of Nimda, and to suggest that a holistic approach is needed to prevent the propagation and spread of recently developed worms.

  • The Code Red Message in a Bottle by Jeffrey Tricoli - October 8, 2001 

    This paper will focus on several important lessons to be learned from the Code Red worm: the need for faster identification; the need for more coordinated analysis; the need for more clear and timely warnings; and, identifying the contributing factors.

  • The Nimda Worm: An Overview by Eugene Aronne - October 8, 2001 

    The goal of this paper is to review how Nimda propagates, focus on the initial vulnerabilities it exploits to enter an organization, and what preparations could have been done to prevent exploitation in the first place.

  • Code Red Worm Invasion by Sharon Bristow - October 2, 2001 

    This paper describes the Code Red worm, how to clean up an infected system, and the security policy implications of attacks from malware.

  • Overview of Nimda by John Phillips - October 1, 2001 

    A description of how Nimda attacked, why the system vulnerabilities existed and what could be done to prevent future infections.

  • Nimda Explained, and What You Can Do to Protect Your System(s) by Greg Dzurinda - September 26, 2001 

    A look at how the Nimda worm infected systems and what protections can be instituted to prevent further attacks.

  • The Legend of Nimda by Kevin Frey - September 25, 2001 

    This paper describes the w32.nimda.a@mm virus (NIMDA), who is at risk for infection by this virus, the extent of possible damage if infected, the indications that your system has been compromised, corrective actions to take if infected, and, lastly, alternatives to Microsoft IIS.

  • Network and System Planning - How to Reduce Risk on a Compromised System by Brent Maley - September 18, 2001 

    This paper highlights the Code Red Worm: how it attacked, how to reduce your system's vulnerability to such a threat, how to reduce exposure if successfully attacked, and how to defend against such future threats.

  • Code Red and Code Red II: Double Dragons by Kittipong Teeraruangchaisri - September 15, 2001 

    This paper describes the mechanisms of the Code Red and Code Red II worms and the software vulnerabilities that went unpatched allowing the worms to propagate.

  • The Mechanisms and Effects of the Code Red Worm by Renee Schauer - September 12, 2001 

    This paper addresses the vulnerability that was present in Microsoft Internet Information Services (IIS) web server software and the worm, Code Red, which exploited this vulnerability.

  • Windows Remote Buffer Overflow Vulnerability and the Code Red Worm by Jeremy Baca - September 10, 2001 

    An in-depth discussion of the Code Red worms and buffer overflow vulnerabilities.

  • Code Red: A New Threat by Tim Hughes - August 28, 2001 

    An in-depth discussion of the Code Red worms with implications for developing and maintaining computer security policy.

  • The Code Red Worm by John Dolak - August 28, 2001 

    An in-depth discussion of the Code Red worms with implications for developing and maintaining computer security policy.

  • NetBus 2.1, Is It Still a Trojan Horse or an Actual Valid Remote Control Administration Tool? by Seth Kulakow - August 21, 2001 

    Educate your users on what they are and are not allowed to do within your network, and keep them up to date on the latest attack attempts and what to look out for.

  • Code Red: The One to Not "Dew" by David Doyle - August 17, 2001 

    A look at the Code Red worm: how it attacked, how to determine your system's vulnerability to such a threat, and how to defend against such future threats.

  • A Practical Guide to Enterprise Antivirus and Malware Prevention by Jay Martin - August 17, 2001 

    A description of several common practices which, when implemented together, will greatly decrease, and perhaps almost stop, malware attacks.

  • Code Red and the Internet Today by Andres Chiriboga - August 17, 2001 

    What are Code Red and Code Red II, and how did they become so feared by Internet users?

  • I Thought We Had Virus Protection: The Mistakes that Made Us Vulnerable to the W32 SirCam Virus by Bob Green - August 16, 2001 

    An examination of the elements of a well written security policy that may keep an organization out of a mess (i.e., experiencing a computer system virus infection), or once infected, can help lead the way out.

  • July 2001: Indicative of the "Year of the Worm" by David Shaffer - August 16, 2001 

    This paper discusses: the rise in attacks from worms; two worms making security headlines throughout the month of July 2001, including the essence of their structure and how to neutralize the infections; and, preventative measures that can be taken by a company both at the perimeter and internal levels to help reduce the possible exposure to worms.

  • A Virus and a Worm: Lessons Learned from SirCam and Code Red in a University Environment by Marc Mazuhelli - August 15, 2001 

    This text describes the impacts felt and lessons learned in the university environment when SirCam and Code Red were released.

  • Overview of Code Red or What is this "NNNNNNNNNNNNNNNNNNNNNNN" thing? by Stephen Kelly - August 14, 2001 

    A discussion of the Code Red worm, how it works, and buffer overflow vulnerabilities in general.

  • Code Red Worm - Importance of Swiftly Eliminating Vulnerability by Scotty Strunk - August 13, 2001 

    Over a seven-week period in the summer of 2001, a series of events unfolded that not only threatened over a quarter of a million computers but the infrastructure of the Internet itself.

  • Living with MalWare by Gary Wiggins - August 10, 2001 

    A discussion of malware, along with a plan to fight viruses and minimize damage, and then a look to the future of virus fighting technologies.

  • QAZ by Charles Fagg - August 6, 2001 

    A review of QAZ and the lessons that can be learned from this virus/trojan.

  • What is Code Red Worm? by Adrian Tham - August 4, 2001 

    A discussion of the Code Red worm and its implications for an organization's computer network security plan.

  • Computer Virus Policy, Training, Software Protection and Incident Response for the Medium Sized Orga by Chris Gullett - July 30, 2001 

    This document outlines steps a medium-sized organization can take to create and implement a defense-in-depth strategy to protect resources against computer viruses.

  • Cheese Worm: Pros and Cons of a Friendly Worm by Bryan Barber - July 26, 2001 

    Malware is infecting computers all over the world and is considered a threat to data security; but can a worm be "friendly"?

  • Issues with Keeping AntiVirus Software Up to Date by John Graham - July 25, 2001 

    It is vital for individual organizations to devise a plan for installing and updating virus protection to suit their particular environment.

  • Virus Hoaxes - Are They Just a Nuisance? by Darren Grocott - July 18, 2001 

    Should information security professionals be concerned about virus hoaxes?

  • SubSeven 2.2: New Flavor of an Old Favorite by Aaron Greenlee - May 29, 2001 

    This paper presents a case study in which the author tested SubSeven 2.2 in a lab environment on both a typical Windows 2000 machine and a typical Windows 98SE machine.

  • Deconstructing SubSeven, the Trojan Horse of Choice by Jamie Crapanzano - January 8, 2001 

    This paper discusses the popularity of the SubSeven Trojan and the general vulnerability of many systems on the Internet, particularly those of home users, and provides an awareness of the dangers of being infected with this malicious program.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.