Monday, 16 June 2008

Detecting Hydan

I submitted my SANS GCIH Gold paper (SANS Paper No. 6) on the weekend. This should be available soon (in a couple of weeks on the SANS RR).

Hydan is not particularly difficult to detect statistically. The paper presents a preliminary method that could be refined into a production-level tool should detecting Hydan or a future variant become necessary. R was used to provide the statistical detection function; this could be compiled with an R code compiler rather than run in interpreted mode as was done in the paper.

Statistical tools such as R are well suited to analysing data from computer systems and networks, and these statistical tests could be expanded to uncover other forms of steganography. The methods in the paper demonstrate that it is not necessary to analyze the entire binary executable, as the author of Hydan supposed: the distribution of functionally equivalent but uncommon byte-code instructions becomes statistically significant well before all of these functions have been analyzed.
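As an added illustration of that argument (not code from the paper, which used R), the following Python sketch scores growing prefixes of an instruction stream with an exact binomial tail test and reports the first prefix at which the rate of uncommon equivalent encodings can no longer be explained by the baseline. The 2% baseline rate, the assumption that hidden message bits are roughly balanced, and the two simulated streams are constructed for the example.

```python
import math
import random

# Constructed model, not code from the paper: every instruction that has a
# functionally equivalent alternative encoding is recorded as 0 (the form a
# compiler normally emits) or 1 (the uncommon equivalent). Hydan hides message
# bits in that choice, so in a carrier the uncommon form is assumed to appear
# roughly half the time, far above the baseline of untouched code.
ASSUMED_BASELINE = 0.02   # assumed rate of uncommon forms in untouched binaries


def binomial_upper_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p), summed in log space to avoid overflow."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    total = 0.0
    for i in range(k, n + 1):
        log_term = (math.lgamma(n + 1) - math.lgamma(i + 1) - math.lgamma(n - i + 1)
                    + i * math.log(p) + (n - i) * math.log1p(-p))
        total += math.exp(log_term)
    return min(total, 1.0)


def first_significant_prefix(forms, p0=ASSUMED_BASELINE, alpha=1e-6, step=50):
    """Scan the stream in prefixes of `step` instructions and return
    (prefix_length, p_value) at the first prefix whose count of uncommon forms
    is too high for the baseline rate; (None, p_value) if that never happens."""
    uncommon = 0
    for n, form in enumerate(forms, start=1):
        uncommon += form
        if n % step == 0:
            p_value = binomial_upper_tail(uncommon, n, p0)
            if p_value < alpha:
                return n, p_value
    return None, binomial_upper_tail(uncommon, len(forms), p0)


def simulate_forms(count, uncommon_rate, seed):
    """Constructed sample stream: 1 with probability uncommon_rate, else 0."""
    rng = random.Random(seed)
    return [1 if rng.random() < uncommon_rate else 0 for _ in range(count)]


# Constructed inputs: an untouched binary and a Hydan-style carrier, each with
# 5000 instructions that have an equivalent alternative encoding.
CLEAN_STREAM = simulate_forms(5000, ASSUMED_BASELINE, seed=1)
CARRIER_STREAM = simulate_forms(5000, 0.5, seed=2)

if __name__ == "__main__":
    print("clean  :", first_significant_prefix(CLEAN_STREAM))
    print("carrier:", first_significant_prefix(CARRIER_STREAM))
```

The carrier is flagged at the first 50-instruction checkpoint, while the clean stream is never flagged, which is the point of the paragraph: a small prefix of the eligible instructions is enough.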

Future research efforts have started to detail the process of capturing the encrypted header length and using it both as a means to brute-force the data and simply to determine the message length; this will be expounded in a follow-up paper to the one sent to SANS for my GCIH Gold.
