Lately my team and I have been trying to solve some more difficult security problems with the detection of certain malware. It used to be that detection of malicious activity could be done effectively with minimal state.
Lately, every time we discover a new piece of malware and entertain possible detection mechanisms, we constantly end up dealing with the issue of the resource requirements of many of our proposed solutions for detecting the malware.
Anyone else having similar issues? Would love to hear your opinion.
A research paper / tutorial I wrote a few months back. It shows one of the many BotNets that was detected and tracked by my team. The goal of this paper was to show how a typical Dynamic BotNet communicates, the implications these BotNets can have for ISPs, why traditional detection and mitigation is not enough to stop them, and why behavioural detection, not just simple static signatures, is needed to detect and mitigate this type of malicious software.
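The two points above, that stateless signature matching is cheap but misses anything not already on a list, and that behavioural detection needs per-flow state whose cost has to be bounded somehow, can be seen side by side in a small script. This is an added example, not code from the original post or from the paper it describes. The flow records, the indicator list (`KNOWN_C2`), the beacon-detection thresholds (`min_flows`, `max_cv`) and the state cap (`max_pairs`) are all constructed for illustration.

```python
"""Stateless signature matching vs. stateful behavioural (beaconing) detection
over constructed flow records, with a bounded state table so the resource
trade-off is visible.  Added example; not code from the original page."""
from collections import OrderedDict, deque
from statistics import mean, pstdev

# Constructed sample flows (not captured data): (timestamp_s, src, dst, dport)
FLOWS = sorted([
    # 10.0.0.5 beacons to 203.0.113.10 roughly every 60 s; the destination is
    # a hypothetical C2 server that is on no indicator list.
    (0, "10.0.0.5", "203.0.113.10", 443), (60, "10.0.0.5", "203.0.113.10", 443),
    (121, "10.0.0.5", "203.0.113.10", 443), (180, "10.0.0.5", "203.0.113.10", 443),
    (240, "10.0.0.5", "203.0.113.10", 443), (299, "10.0.0.5", "203.0.113.10", 443),
    (360, "10.0.0.5", "203.0.113.10", 443), (420, "10.0.0.5", "203.0.113.10", 443),
    # 10.0.0.7 browses several sites at irregular intervals (benign background).
    (5, "10.0.0.7", "198.51.100.20", 80), (17, "10.0.0.7", "198.51.100.21", 80),
    (70, "10.0.0.7", "198.51.100.22", 80), (95, "10.0.0.7", "198.51.100.20", 80),
    (130, "10.0.0.7", "198.51.100.23", 80), (200, "10.0.0.7", "198.51.100.21", 80),
    (250, "10.0.0.7", "198.51.100.22", 80), (310, "10.0.0.7", "198.51.100.20", 80),
    (350, "10.0.0.7", "198.51.100.23", 80),
    # 10.0.0.9 contacts a destination that is on the static indicator list, once.
    (33, "10.0.0.9", "198.51.100.7", 6667),
])

KNOWN_C2 = {"198.51.100.7"}  # hypothetical static indicator list


def signature_detect(flows):
    """Stateless: every flow is judged on its own against a static list.
    Constant memory, but a new C2 server that is not listed is never seen."""
    return sorted({(src, dst) for _, src, dst, _ in flows if dst in KNOWN_C2})


class BeaconDetector:
    """Stateful: keeps recent timestamps per (src, dst) pair and alerts when
    the inter-connection gaps are nearly constant (low coefficient of variation).
    The table is capped at max_pairs entries with least-recently-seen eviction,
    which is exactly where detection quality and memory trade off."""

    def __init__(self, max_pairs, window=8, min_flows=5, max_cv=0.1):
        self.max_pairs = max_pairs
        self.window = window        # timestamps kept per pair
        self.min_flows = min_flows  # flows needed before judging periodicity
        self.max_cv = max_cv        # stdev/mean of gaps below this => periodic
        self.state = OrderedDict()  # (src, dst) -> deque of timestamps, LRU order
        self.peak_pairs = 0
        self.alerts = set()

    def observe(self, ts, src, dst):
        key = (src, dst)
        if key in self.state:
            self.state.move_to_end(key)
        else:
            if len(self.state) >= self.max_pairs:
                self.state.popitem(last=False)  # evict least recently seen pair
            self.state[key] = deque(maxlen=self.window)
        self.state[key].append(ts)
        self.peak_pairs = max(self.peak_pairs, len(self.state))
        if key not in self.alerts and self._is_periodic(self.state[key]):
            self.alerts.add(key)
            return key
        return None

    def _is_periodic(self, stamps):
        s = list(stamps)
        if len(s) < self.min_flows:
            return False
        gaps = [b - a for a, b in zip(s, s[1:])]
        m = mean(gaps)
        return m > 0 and pstdev(gaps) / m < self.max_cv


def run_behavioral(flows, max_pairs):
    """Feed flows in time order; return (alerted pairs, peak state-table size)."""
    det = BeaconDetector(max_pairs)
    for ts, src, dst, _ in flows:
        det.observe(ts, src, dst)
    return sorted(det.alerts), det.peak_pairs


if __name__ == "__main__":
    print("signature :", signature_detect(FLOWS))
    print("behavioural, roomy table:", run_behavioral(FLOWS, max_pairs=1000))
    print("behavioural, tiny table :", run_behavioral(FLOWS, max_pairs=2))
```

Run as-is, the signature pass finds only the listed destination contacted by 10.0.0.9 and never notices the beaconing host. The behavioural pass with a roomy table flags 10.0.0.5 after five connections, at the cost of one state entry per (src, dst) pair it has seen (six here; on an ISP link that number is what drives the resource question). Shrinking the table to two entries keeps memory flat, but the beaconing pair is evicted between beacons by the unrelated browsing flows, its history is lost, and the alert never fires.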
Remember the Million Dollar Homepage and the DoS attack on it? This paper is a result of the work done by my manager Don Bowman (VP, Consulting System Services) and me, based on our investigation after some of our customers contacted us requesting assistance with anomalous outbound traffic emanating from their network.