Cyber forensics robots clean up infected code
(page 2 of 3)
After those initial successes, Miller and Hollingsworth, now a professor of computer science at the University of Maryland and co-director of the Paradyn project, were sought after for their expertise in tracing code that had gone bad. It could be defective at the programming level, but it also could be infected with malicious commands. Combating malicious code, or malware as it's called, has become a full-time profession for many programmers. Miller consults with such groups working in security studies and cyber forensics.
"Cyber forensics, like any form of forensics, is saying, 'What happened and how did it happen?' and 'Who done it?'" Miller says. "If you get infected with a piece of malicious code and you catch it, your big question is 'What did it do to me?'
"You need to be able to go in and do a fairly detailed analysis. You may need to let it run again, but in a carefully controlled way and watching what it does, blocking it if it tries to do something dangerous and studying it under these controlled conditions."
Dyninst tools make it possible to burrow down into the binary code of a program and report back on what it's doing. Such tools are invaluable to cyber-sleuths trying to stay on top of malicious code builders.
"The virus writers don't want you to know what their code is doing," Miller says. "They try to build code that is tamper-proof, so the code tries to detect when it's being monitored and it shuts itself down. It really is kind of like a Spy vs. Spy game. They build a defense, and we try to take it apart."
One such area of active research is analyzing code that has been stripped of its auxiliary information. These data structures, called symbol tables, contain the kinds of information that help program analysts understand how programs are put together.
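A first triage question about a captured sample is whether its symbol table survived. The following is an added example, not code from the article or from the Dyninst project: it builds two constructed minimal ELF64 files in memory, walks their section header tables, and reports whether a `.symtab` section is present (the `strip` tool removes `.symtab` and `.strtab` but leaves any `.dynsym` the loader needs, so `.symtab` is the one to look for).

```python
import struct

ELF_HEADER = "<16sHHIQQQIHHHHHH"   # 64-byte ELF64 little-endian file header
SECTION_HEADER = "<IIQQQQIIQQ"     # 64-byte ELF64 section header
SHT_SYMTAB, SHT_STRTAB = 2, 3

def build_elf(section_names):
    """Constructed minimal ELF64 file with only a section table (no code, no
    program headers); section_names follows the mandatory null section."""
    shstrtab, name_off = bytearray(b"\0"), {}
    for n in section_names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    shoff = 64 + len(shstrtab)              # section headers follow .shstrtab data
    shnum, shstrndx = 1 + len(section_names), 1 + section_names.index(".shstrtab")
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # 64-bit, LE, version 1
    hdr = struct.pack(ELF_HEADER, ident, 2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, shnum, shstrndx)
    table = struct.pack(SECTION_HEADER, *([0] * 10))       # null section
    for n in section_names:
        sh_type = {".symtab": SHT_SYMTAB, ".shstrtab": SHT_STRTAB, ".strtab": SHT_STRTAB}.get(n, 1)
        off, size = (64, len(shstrtab)) if n == ".shstrtab" else (0, 0)
        table += struct.pack(SECTION_HEADER, name_off[n], sh_type, 0, 0, off, size, 0, 0, 1, 0)
    return bytes(hdr + shstrtab + table)

def section_table(data):
    """Return [(name, sh_type), ...] for every section header in an ELF64 LE file."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    fields = struct.unpack_from(ELF_HEADER, data, 0)
    shoff, shentsize, shnum, shstrndx = fields[6], fields[11], fields[12], fields[13]
    raw = [struct.unpack_from(SECTION_HEADER, data, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = raw[shstrndx][4], raw[shstrndx][5]   # sh_offset, sh_size of .shstrtab
    names = data[str_off:str_off + str_size]
    return [(names[sh[0]:names.index(b"\0", sh[0])].decode(), sh[1]) for sh in raw]

def is_stripped(data):
    """No SHT_SYMTAB section means the static symbol table was removed."""
    return not any(t == SHT_SYMTAB for _, t in section_table(data))

if __name__ == "__main__":
    for label, secs in (("stripped", [".shstrtab", ".text"]),
                        ("unstripped", [".shstrtab", ".text", ".symtab", ".strtab"])):
        blob = build_elf(secs)
        print(label, [n for n, _ in section_table(blob)], "stripped =", is_stripped(blob))
```

On a real sample the same `section_table` call works on `open(path, "rb").read()`; a missing `.symtab` is the signal that function names must be recovered by analysis rather than read from the file.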

