Victimware: The Missing Part of the Equation

13
Victimware Dmitry Vostokov Software Diagnostics Services Version 1.0

Transcript of Victimware: The Missing Part of the Equation

Page 1: Victimware: The Missing Part of the Equation

Victimware

Dmitry Vostokov Software Diagnostics Services

Version 1.0

Page 2: Victimware: The Missing Part of the Equation

Prerequisites

Interest in software diagnostics and malware

© 2012 Software Diagnostics Services

Page 3: Victimware: The Missing Part of the Equation

Goal

Make malware research and analysis community aware of pattern-driven software diagnostics

© 2012 Software Diagnostics Services

Page 4: Victimware: The Missing Part of the Equation

What is Victimware?

Definition: Software affected by execution behavior of other components.

© 2012 Software Diagnostics Services

Victimware

Malware

Page 5: Victimware: The Missing Part of the Equation

Why Victimware?

© 2012 Software Diagnostics Services

Victimology Software Victimology Victim thread in Mac OS X

Page 6: Victimware: The Missing Part of the Equation

Typology of Victimware

Modified Schafer’s functional typology:

Targeted Unrelated Self-Victimized Provocative (Impelementation- and design-

weak) Precipitative (inappropriate data communication) Political (empires of code)

© 2012 Software Diagnostics Services

Page 7: Victimware: The Missing Part of the Equation

Approach Use patterns of abnormal software behavior in victimware to discover malware

© 2012 Software Diagnostics Services

Page 8: Victimware: The Missing Part of the Equation

Behavioral Patterns … Heap Corruption Wild Code Hooked Functions Activity Resonance Deviant Module …

http://www.dumpanalysis.org/blog/index.php/crash-dump-analysis-patterns/

© 2012 Software Diagnostics Services

http://www.dumpanalysis.org/blog/index.php/crash-dump-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/crash-dump-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/crash-dump-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/crash-dump-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/crash-dump-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/crash-dump-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/crash-dump-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/crash-dump-analysis-patterns/
Page 9: Victimware: The Missing Part of the Equation

Structural Patterns … Memory Region Region Boundary Module Stack …

http://www.dumpanalysis.org/blog/index.php/structural-memory-analysis-patterns/

© 2012 Software Diagnostics Services

http://www.dumpanalysis.org/blog/index.php/structural-memory-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/structural-memory-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/structural-memory-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/structural-memory-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/structural-memory-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/structural-memory-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/structural-memory-analysis-patterns/
http://www.dumpanalysis.org/blog/index.php/structural-memory-analysis-patterns/
Page 10: Victimware: The Missing Part of the Equation

Crash Dump Analysis Example

© 2012 Software Diagnostics Services

Practice

Page 11: Victimware: The Missing Part of the Equation

Further Reading Victimology

Criminology: The Basics by S. Walklate The Praeger Handbook of Victimology by J. K. Wilson

Software Victimology

Software Diagnostics

Software Diagnostics Institute Memory Dump Analysis Anthology: Volumes 1, 2, 3, 4, 5, 6, 7, … Volume 6 to be released in July / Volume 7 is planned for the end of 2012

Software Trace and Memory Dump Analysis: Patterns, Tools, Processes and Best Practices

Introduction to Pattern-Driven Software Problem Solving Fundamentals of Complete Crash and Hang Memory Dump Analysis Introduction to Pattern-Driven Software Diagnostics

© 2012 Software Diagnostics Services

http://www.dumpanalysis.org/blog/index.php/category/victimware/
http://www.dumpanalysis.org/blog/index.php/category/victimware/
http://www.dumpanalysis.org/blog/index.php/category/victimware/
http://www.dumpanalysis.org
http://www.SoftwareNarratology.com
http://www.dumpanalysis.com/index.php?q=ultimate-memory-analysis-reference
http://www.dumpanalysis.com/STMDA-materials
http://www.dumpanalysis.com/STMDA-materials
http://www.dumpanalysis.com/STMDA-materials
http://www.dumpanalysis.com/PDSPSI-materials
http://www.dumpanalysis.com/PDSPSI-materials
http://www.dumpanalysis.com/PDSPSI-materials
http://www.dumpanalysis.com/FCMDA-materials-Rev2
http://www.dumpanalysis.com/FCMDA-materials-Rev2
http://www.dumpanalysis.com/FCMDA-materials-Rev2
http://www.dumpanalysis.com/Introduction-Software-Diagnostics-materials
http://www.dumpanalysis.com/Introduction-Software-Diagnostics-materials
http://www.dumpanalysis.com/Introduction-Software-Diagnostics-materials
Page 12: Victimware: The Missing Part of the Equation

Q&A

Please send your feedback using the contact form on DumpAnalysis.com

© 2012 Software Diagnostics Services

Page 13: Victimware: The Missing Part of the Equation

Thank you for attendance!

© 2012 Software Diagnostics Services

In a few minutes Debugging TV Frames Episode 0x11 starts to show Windows and Mac OS X examples for stack memory region boundaries:

www.debugging.tv

http://www.debugging.tv
http://www.debugging.tv

Chapter 13 Part 1 Inflation Equation of exchange.

Chapter 13 Part 1 Inflation Equation of exchange.

Simultaneous Equation Econometrics: The Missing Example · Simultaneous Equation Econometrics: The Missing Example ... an example with actual data has been provided by Schmidt ...

Simultaneous Equation Econometrics: The Missing Example · Simultaneous Equation Econometrics: The Missing Example ... an example with actual data has been provided by Schmidt ...

SAMSON: PART IV—Missing the Train

SAMSON: PART IV—Missing the Train

The Missing Part of Seed Dispersal Networks: Structure and ...

The Missing Part of Seed Dispersal Networks: Structure and ...

Slides for Part III-F Outline The New Classical view of the business cycle The Phillips curve as solution to the mystery of the missing equation Friedman’s.

Slides for Part III-F Outline The New Classical view of the business cycle The Phillips curve as solution to the mystery of the missing equation Friedman’s.

Structural Equation Modelling (SEM) Part 2 of 3

Structural Equation Modelling (SEM) Part 2 of 3

GRACE is God’s side of the equation FAITH is the human part of the equation REVIEW.

GRACE is God’s side of the equation FAITH is the human part of the equation REVIEW.

Efficient Methods for Dealing with Missing Data in ... · number of randomly chosen missing inputs is shown. The continuous line shows the performance using Equation 2 where we used

Efficient Methods for Dealing with Missing Data in ... · number of randomly chosen missing inputs is shown. The continuous line shows the performance using Equation 2 where we used

Structural Equation Modeling: Part I

Structural Equation Modeling: Part I

Missing Square Puzzle Printable kirstieedieimages.kiwicrate.com/diy_ad/KiwiCo-Missing-Square... · MISSING SQUARE PUZZLE PART 1 STEP 1 Cut the colored shapes along the dotted lines.

Missing Square Puzzle Printable kirstieedieimages.kiwicrate.com/diy_ad/KiwiCo-Missing-Square... · MISSING SQUARE PUZZLE PART 1 STEP 1 Cut the colored shapes along the dotted lines.

Handling Missing Data in Structural Equation …investigacion-psicopedagogica.org/.../41/english/Art_41_16125.pdf · Handling Missing Data in Structural Equation Models in R. A Replication

Handling Missing Data in Structural Equation …investigacion-psicopedagogica.org/.../41/english/Art_41_16125.pdf · Handling Missing Data in Structural Equation Models in R. A Replication

Tilismati dunya april 2012 middle part missing pages

Tilismati dunya april 2012 middle part missing pages

Missing 4,000 World Trade Center Jews Found - Part One

Missing 4,000 World Trade Center Jews Found - Part One

Is Your Brand Missing Out On Reddit? (Part 2)

Is Your Brand Missing Out On Reddit? (Part 2)

Become Part of the Earth's Equation

Become Part of the Earth's Equation

Video: The Missing Part of Your Marketing Strategy

Video: The Missing Part of Your Marketing Strategy

Pancake math Find the Missing Part

Pancake math Find the Missing Part

Mobile: The Missing Link - Part 3

Mobile: The Missing Link - Part 3

GRACE is God’s side of the equation FAITH is the human part of the equation

GRACE is God’s side of the equation FAITH is the human part of the equation

Wave-equation seismic tomography -- Part 1: Method

Wave-equation seismic tomography -- Part 1: Method