DocumentCode
2524204
Title
Burn Before Reading: A stealthy framework for combating live forensics examinations
Author
Guirguis, Mina ; Valdez, Justin ; El Lababedi, B. ; Valdez, Justin
Author_Institution
Comput. Sci. Dept., Texas State Univ., San Marcos, TX, USA
fYear
2009
fDate
Sept. 20 2009-Oct. 21 2009
Firstpage
1
Lastpage
10
Abstract
Malicious Software/programs (malware) have grown to be quite sophisticated in their design causing significant levels of damage and for prolonged periods of time. Their capabilities encompass a wide range of activities; from simple monitoring/spying programs to more complex, highly destructive tools. Moreover, they typically aim to hide their own existence through a large number of techniques. To that end, this paper demonstrates that the full malicious potentials of malware have not been realized yet. In particular, we present a novel framework - which we term Burn Before Reading (BBR) - that actively aims to detect potential live forensics investigations and adapts the behavior of the malware online. In a nutshell, the BBR framework registers for a set of triggers that typically occur in live forensics investigations. Once a trigger fires, BBR executes actions as dictated by the malware to destroy any evidence. To remain stealthy during the execution of those actions, BBR utilizes control-theoretic actuators that dynamically adjust the timing information for the executing modules, at a very fine time scale (in the order of micro seconds). We study the stability regions for those actuators under different parameters. We believe that this framework can be used by malware to destroy incriminating evidence, their own signatures and their own existence and thus its capabilities should be brought to the attention of the forensics and security communities. We also discuss potential defense mechanisms against BBR.
Keywords
invasive software; burn before reading; control-theoretic actuators; live forensics examinations; malicious program; malicious software; malware; potential defense mechanisms; Australia; Business; Counting circuits; Electronic mail; Forensics; Internet; Laboratories; Protocols; Psychology; Security;
fLanguage
English
Publisher
ieee
Conference_Titel
eCrime Researchers Summit, 2009. eCRIME '09.
Conference_Location
Tacoma, WA
Print_ISBN
978-1-4244-4625-4
Type
conf
DOI
10.1109/ECRIME.2009.5342613
Filename
5342613
Link To Document