Slide 1

Slide 1 text

myGOSSCON 2009, Malaysia
Malware Avoidance with Open Source Software
Muhammad Najmi bin Ahmad Zabidi
Department of Computer Science
Kulliyyah of Information & Communication Technology
International Islamic University Malaysia
6th November 2009
Created with LaTeX

Slide 2

Slide 2 text

Agenda I
1. What this presentation covers...
2. Intro
3. Malware origin
4. Malware infection method
5. Malware behavior
6. Malware Communication
   - Robot network botnet
   - Vicious circle of evils
   - Logging communications
   - Logs
   - Graphviz diagram
   - Logs
   - Logs in a table
   - Some math stuffs

Slide 3

Slide 3 text

Agenda II
   - Capabilities
   - Issues in malware containment
7. Tools
8. Selection of solutions
   - IDS
   - Antivirus and friends
   - Reporting sensors
9. Nepenthes Honeypot
   - Setup
   - Setup
   - Malware flow illustrated
10. Amun Honeypot
   - List of open connections

Slide 4

Slide 4 text

Agenda III
11. SurfIDS
12. New honeypot Dionaea
13. Toying with binaries
   - Analyst tools
   - Emulation
   - IDS
   - Nebula
14. Conclusion

Slide 5

Slide 5 text

What this presentation covers...
- User's perspective
  - Host level
- IT admin perspective
  - Network level, policy level

Slide 6

Slide 6 text

Focus...
- We'll go over the malware origin
- Later, the problems they cause
- Finally, the containment/threat prevention method
- I use the word avoidance since it is broad...

Slide 7

Slide 7 text

Intro to Malware
- Malware is short for Malicious Software
- Motives:
  - Identity theft (privacy breach)
  - Financial loss (which may be caused by the above)
  - Denial of service
  - Information espionage
  - Underground economics

Slide 8

Slide 8 text

What is malware
- It is a program that does malicious activity
- Also known as a binary, since it is compiled
- Some actions that it can do after infection are:
  - Delete files
  - Lock commands from the user, say Ctrl+Alt+Del
  - Prevent connection to antivirus (AV) websites - e.g. Conficker did this
  - Remotely activate the webcam - espionage purpose... or perhaps peeping
    - Remember ghostnet?
- Affects mainly Windows, but it exists on Linux too

Slide 9

Slide 9 text

How malware infects machines
It can infect a machine by...
- Drive-by downloads
- Email attachments
- File shares
- Decoys (warez movies, free wallpaper and stuff)

Slide 10

Slide 10 text

The behavior of malware
- Pretends to be a normal system process
- Current method - packing - is more sophisticated, since it can minimize its size while remaining an executable file
- If it is a botnet, it starts to create communication to external machines

Slide 11

Slide 11 text

Botnets
- A botnet, a robot network, communicates with its herder
- Known as C&C
- Communication can be viewed by looking at the open ports used

Slide 12

Slide 12 text

Deceived malware

    192.168.2.82 -> 192.168.1.245 ftp://1:1@192.168.2.82:8519/setup_42278.exe
    192.168.2.131 -> 192.168.1.251 ftp://1:1@192.168.2.131:13552/setup_51182.exe
    192.168.2.82 -> 192.168.1.234 ftp://1:1@192.168.2.82:8519/setup_60058.exe
    192.168.2.58 -> 192.168.1.248 ftp://1:1@192.168.2.58:5399/setup_15538.exe
    192.168.2.131 -> 192.168.1.243 ftp://1:1@192.168.2.131:13552/setup_14445.exe
    192.168.2.82 -> 192.168.1.231 ftp://1:1@192.168.2.82:8519/setup_13836.exe
    192.168.2.131 -> 192.168.1.242 ftp://1:1@192.168.2.131:13552/eraseme_22402.exe
    192.168.2.131 -> 192.168.1.242 ftp://1:1@192.168.2.131:13552/setup_75276.exe
    192.168.2.88 -> 192.168.1.248 ftp://1:1@192.168.2.88:26655/setup_17788.exe
    192.168.2.131 -> 192.168.1.231 ftp://1:1@192.168.2.131:13552/setup_24346.exe

Slide 13

Slide 13 text

Visualization program
- Visualization can help with data analysis
- Tools available - graphviz, for example
- Or you may just read the log file... but doesn't that hurt you in any way?

Slide 14

Slide 14 text

Look at these illustrated sensor logs

Slide 15

Slide 15 text

Zoom in!

Slide 16

Slide 16 text

Zoom in!

Slide 17

Slide 17 text

    Malware's Name       Originated IPs    Submission attempt
    Trojan.Kolabc.BFY    192.168.2.141     210
                         192.168.2.131     107
                         192.168.2.214     35
                         192.168.2.82      14
                         192.168.2.52      8
                         192.168.2.37      2
    Trojan.SdBot-8638    192.168.2.100     92
    Worm.Kolab-284       192.168.2.153     4
                         192.168.2.58      34
                         192.168.2.214     21
                         192.168.2.55      60
                         192.168.2.155     1
    Trojan.DsBot-15      192.168.2.51      271
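An added example (not from the original slides): a Python sketch that parses sensor log lines of the shape shown on slide 12, tallies download offers per source IP and per FTP port, and emits Graphviz DOT for the kind of diagram the talk mentions. The sample lines are constructed in the slide's format; the underscore in the file names and all function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the "src -> sensor ftp://user:pass@host:port/file" shape
# of slide 12; the last .exe name and the malformed line are made up for the demo.
SAMPLE_LOG = """\
192.168.2.82 -> 192.168.1.245 ftp://1:1@192.168.2.82:8519/setup_42278.exe
192.168.2.131 -> 192.168.1.251 ftp://1:1@192.168.2.131:13552/setup_51182.exe
192.168.2.82 -> 192.168.1.234 ftp://1:1@192.168.2.82:8519/setup_60058.exe
192.168.2.58 -> 192.168.1.248 ftp://1:1@192.168.2.58:5399/setup_15538.exe
this line is malformed and must be skipped
192.168.2.131 -> 192.168.1.242 ftp://1:1@192.168.2.131:13552/eraseme_22402.exe
192.168.2.82 -> 192.168.1.245 ftp://1:1@192.168.2.82:8519/setup_00001.exe
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    rf"^(?P<src>{IP})\s*->\s*(?P<dst>{IP})\s+"
    r"ftp://[^@\s]*@(?P<host>[^:/\s]+):(?P<port>\d{1,5})/(?P<file>\S+)$"
)

def parse(log_text):
    """Return one dict per well-formed line; malformed lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records

def summarize(records):
    """Count download offers per source IP and per (source IP, FTP port)."""
    per_src, per_port = Counter(), Counter()
    for r in records:
        per_src[r["src"]] += 1
        per_port[(r["src"], r["port"])] += 1
    return per_src, per_port

def to_dot(records):
    """Graphviz digraph: infected source -> sensor IP, edge label = hit count."""
    edges = Counter((r["src"], r["dst"]) for r in records)
    lines = ["digraph sensor_log {", "  rankdir=LR;"]
    for (src, dst), n in sorted(edges.items()):
        lines.append(f'  "{src}" -> "{dst}" [label="{n}"];')
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    per_src, per_port = summarize(recs)
    for src, n in per_src.most_common():
        print(f"{src:15} {n}")
    print(to_dot(recs))   # pipe into `dot -Tpng` to render
```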

Slide 18

Slide 18 text

Malware propagation rate

$$\frac{da}{dt} = Ka(1-a)$$

where

$$a = \frac{e^{K(t-T)}}{1 + e^{K(t-T)}}$$

The number of infected hosts at time t if K is known. (Nazario)

Explanation by (Goranin et al., 2008):
- K is the constant average compromise rate, which is dependent on worm processor speed, network bandwidth and location of the infected host
- a(t) is the proportion of vulnerable machines which have been compromised at the instant t,
- Na(t) is the number of infected hosts, each of which scans other vulnerable machines at a rate K per unit of time.
- Since a portion a(t) of the vulnerable machines is already infected, only K(1-a(t)) new infections will be generated by each infected host, per unit of time.
- The number n of machines that will be compromised in the interval of time dt (in which a is assumed to be constant)
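An added example (not from the original slides): the propagation model above evaluated in Python, with the closed form for a(t), its inverse (how long until a given share of hosts is compromised) and a numerical integration of da/dt = Ka(1-a) as a cross-check. The values of K, T and N and the hour as time unit are assumptions chosen for illustration.

```python
import math

def infected_fraction(t, K, T):
    """Closed form a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}), written to avoid overflow."""
    x = K * (t - T)
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)

def time_to_fraction(p, K, T):
    """Invert a(t): the time at which a proportion p (0 < p < 1) is compromised."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    return T + math.log(p / (1.0 - p)) / K

def euler_integrate(a0, K, t_end, dt=0.001):
    """Integrate da/dt = K*a*(1-a) step by step from a(0) = a0 up to t_end."""
    a = a0
    for _ in range(int(round(t_end / dt))):
        a += K * a * (1.0 - a) * dt
    return a

def infected_hosts(t, K, T, N):
    """N*a(t): number of infected hosts among N vulnerable machines."""
    return N * infected_fraction(t, K, T)

if __name__ == "__main__":
    K, T, N = 1.5, 6.0, 10_000          # assumed values, time in hours
    for t in range(0, 13, 2):
        print(f"t={t:2d}h  infected ~ {infected_hosts(t, K, T, N):8.1f}")
    print("90% compromised at t =", round(time_to_fraction(0.9, K, T), 2), "h")
    a0 = infected_fraction(0.0, K, T)
    print("Euler a(6h) =", round(euler_integrate(a0, K, 6.0), 4),
          "closed form =", infected_fraction(6.0, K, T))
```

With these assumed values, half of the vulnerable population is infected at t = T, and the window between 10% and 90% infection is only about 2.9 hours, which is the practical reason sensors need automated reporting.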

Slide 19

Slide 19 text

Malware and ports

    Malware's Name       Origin IP        FTP ports    No of time used
    Trojan.DsBot-15      192.168.2.51     15807        2
                                          19735        2
                                          23154        2
                                          30487        2
                                          10040        3
    Trojan.SdBot-8638    192.168.2.100    4471         44
                                          17747        44

Slide 20

Slide 20 text

What it does
- Mass scanning
  - Find vulnerable machines
- Since it's a parasite, it starts consuming its host's resources
  - Processing power
  - Storage

Slide 21

Slide 21 text

Issue
What makes it so troublesome...
- Malware has also become open source, some was even GPL'ed!
- Experienced, professional cyber criminals
- Tools to create malware are also available
- Botherders rent out their malware for profit
- Fast-flux problem
  - Becomes a problem to crack down on
- Malware analysis is challenging
  - Malware has become polymorphic, metamorphic
  - Uses code obfuscation, anti-disassembly, anti-forensics, anti-sandbox etc.
  - Some use encryption, even beta - md6!

Slide 22

Slide 22 text

Intrusion Detection/Prevention
- Snort
- Hogwash
- Snort inline
- SurfIDS

Slide 23

Slide 23 text

AV related tools
- ClamAV
  - Currently under Sourcefire
  - Sourcefire sponsors Snort IDS too
- WinPooch
  - Seems abandoned, hence abandonware
  - It works side by side with ClamAV or Bitdefender

Slide 24

Slide 24 text

How to obtain data for analysis
Methods
- Deploy sensors
  - IDS/IPS
  - Honeypot
  - Network Management System, e.g. OpenNMS
- Collect binaries
  - The Nepenthes sensor, for example, allows automated binary submission to sandboxes
- Turn on reporting
- Analyze infected host
- Clean up infected host

Slide 25

Slide 25 text

Honeypot
- A honeypot emulates an operating system (heavy) or services (light)
- It can be either a server (passive) or a client (active crawl)
- Light interaction
  - Emulates potentially vulnerable services, i.e. HTTP, FTP, SSH
  - Most of the time attracts automated malware
- Heavy interaction
  - A dedicated machine, which emulates a real machine and software
  - Difficult (relatively)
  - Known to attract real attackers (human)

Slide 26

Slide 26 text

Comparison
- Light interaction
  - Nepenthes
  - Glastopf
  - Labrea
  - tinyhoneypot
  - Amun
  - Dionaea
  - Kojoney
  - Capture-HPC
- Heavy interaction
  - Honeyd

Slide 27

Slide 27 text

Some other stuff...
- FFdetect - detects fast-flux domains
- CaptureBAT - analyzes outputs from CaptureHPC
- Malzilla

Slide 28

Slide 28 text

Nepenthes setup
- Since I was using Nepenthes, I'll share my experience
- Set virtual IPs... either local IPs or public IPs
- Only use unused IPs with permission, somebody may complain later
- Since Linux allows IP aliasing, you can simulate hundreds of IPs, as if there are a lot of machines
- Nepenthes emulates vulnerable Windows services

Slide 29

Slide 29 text

Nepenthes setup
- Relatively easy... as easy as "apt-get install nepenthes"
- Tune the config file a little, such as the services that you plan to emulate and your email address
- Will generate a lot of alerts if you're in polluted traffic
- IP aliasing can be done by

    for x in `seq 230 254`; do ip addr add 192.168.1.$x/24 dev eth0; done

Slide 30

Slide 30 text

Malware flow illustrated

Slide 31

Slide 31 text

Amun...

    najmi@notre-dame:~/Desktop/amun$ sudo ./amun_server.py
    [sudo] password for najmi:
    (Amun ASCII-art banner)
    starting Amun server...
    .::[Amun - Main] all servers listening on: 0.0.0.0 ::.
    .::[Amun - Main] loading vulnerability modul vuln-ms08067 ::.
    .::[Amun - Main] loading vulnerability modul vuln-wins ::.
    .::[Amun - Main] loading vulnerability modul vuln-axigen ::.
    .::[Amun - Main] loading vulnerability modul vuln-slmail ::.
    .............
    .::[Amun - Decoder] compiling bonn xor decoder ::.
    .::[Amun - Decoder] compiling plain1 shellcode ::.
    .::[Amun - Decoder] compiling plain2 shellcode ::.
    .::[Amun - amun_server] Port already in use: IP: 0.0.0.0 Port: 25 ::.
    .::[Amun - Main] ready for evil orders: ::.

Slide 32

Slide 32 text

Open connections
Snipped output of list of open files (lsof)

    root@notre-dame:~# lsof -Pni | grep amun
    ..........
    amun_serv 22500 root 15u IPv4 276034 TCP *:21 (LISTEN)
    amun_serv 22500 root 16u IPv4 276035 TCP *:23 (LISTEN)
    amun_serv 22500 root 17u IPv4 276036 TCP *:38736 (LISTEN)
    amun_serv 22500 root 30u IPv4 276049 TCP *:1025 (LISTEN)
    amun_serv 22500 root 31u IPv4 276050 TCP *:1111 (LISTEN)
    amun_serv 22500 root 32u IPv4 276051 TCP *:1581 (LISTEN)
    amun_serv 22500 root 56u IPv4 276075 TCP *:41523 (LISTEN)

Slide 33

Slide 33 text

What is SurfIDS
- As the name suggests, it is an IDS
- Development led by a group of researchers at Univ of Amsterdam
- Offers system install or USB as sensor

Slide 34

Slide 34 text

Dionaea
- Currently developed by Markus Koetter as a part of GSoC, Google Summer of Code
- Supposed to be better than Nepenthes
- Check http://dionaea.carnivore.it/

Slide 35

Slide 35 text

Before...

    $ nmap localhost
    Starting Nmap 4.76 ( http://nmap.org ) at 2009-10-31 12:42 MYT
    Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
    Interesting ports on localhost (127.0.0.1):
    Not shown: 994 closed ports
    PORT      STATE SERVICE
    22/tcp    open  ssh
    25/tcp    open  smtp
    631/tcp   open  ipp
    9091/tcp  open  unknown
    15000/tcp open  unknown
    45100/tcp open  unknown

Slide 36

Slide 36 text

Execute...

    nmap localhost
    /opt/dionaea/bin/dionaea -l all,-debug -L '*'
    Dionaea Version 0.1.0
    Compiled on Linux/x86 at Oct 31 2009 00:23:48 with gcc 4.3.3
    Started on notre-dame running Linux/i686 release 2.6.28-15-generic

Slide 37

Slide 37 text

After...

    $ nmap localhost
    Starting Nmap 4.76 ( http://nmap.org ) at 2009-10-31 12:46 MYT
    Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
    Interesting ports on localhost (127.0.0.1):
    Not shown: 988 closed ports
    PORT      STATE SERVICE
    21/tcp    open  ftp
    22/tcp    open  ssh
    25/tcp    open  smtp
    42/tcp    open  nameserver
    80/tcp    open  http
    135/tcp   open  msrpc
    443/tcp   open  https
    445/tcp   open  microsoft-ds
    631/tcp   open  ipp
    9091/tcp  open  unknown
    15000/tcp open  unknown
    45100/tcp open  unknown

Slide 38

Slide 38 text

Check services...

    dionaea 4590 root  8u IPv4 176514 TCP 127.0.0.1:80 (LISTEN)
    dionaea 4590 root  9u IPv4 176515 TCP 127.0.0.1:443 (LISTEN)
    dionaea 4590 root 10u IPv4 176518 UDP 127.0.0.1:69
    dionaea 4590 root 11u IPv4 176519 TCP 127.0.0.1:21 (LISTEN)
    dionaea 4590 root 12u IPv4 176520 TCP 127.0.0.1:42 (LISTEN)
    dionaea 4590 root 13u IPv4 176521 TCP 127.0.0.1:445 (LISTEN)
    dionaea 4590 root 14u IPv4 176522 TCP 127.0.0.1:135 (LISTEN)
    dionaea 4590 root 15u IPv6 176523 TCP [::1]:80 (LISTEN)
    dionaea 4590 root 16u IPv6 176524 TCP [::1]:443 (LISTEN)
    dionaea 4590 root 17u IPv6 176529 UDP [::1]:69
    dionaea 4590 root 18u IPv6 176530 TCP [::1]:21 (LISTEN)
    dionaea 4590 root 19u IPv6 176531 TCP [::1]:42 (LISTEN)
    dionaea 4590 root 20u IPv6 176532 TCP [::1]:445 (LISTEN)
    dionaea 4590 root 21u IPv6 176533 TCP [::1]:135 (LISTEN)
    dionaea 4590 root 22u IPv4 176534 TCP 192.168.2.2:80 (LISTEN)
    dionaea 4590 root 23u IPv4 176535 TCP 192.168.2.2:443 (LISTEN)
    dionaea 4590 root 24u IPv4 176542 UDP 192.168.2.2:69
    dionaea 4590 root 25u IPv4 176543 TCP 192.168.2.2:21 (LISTEN)
    dionaea 4590 root 26u IPv4 176544 TCP 192.168.2.2:42 (LISTEN)
    dionaea 4590 root 27u IPv4 176545 TCP 192.168.2.2:445 (LISTEN)
    dionaea 4590 root 28u IPv4 176546 TCP 192.168.2.2:135 (LISTEN)
    dionaea 4590 root 29u IPv6 176549 TCP [fe80::213:ceff:feba:cedf]:80 (LISTEN)
    dionaea 4590 root 30u IPv6 176554 TCP [fe80::213:ceff:feba:cedf]:443 (LISTEN)
    dionaea 4590 root 31u IPv6 176567 UDP [fe80::213:ceff:feba:cedf]:69
    dionaea 4590 root 32u IPv6 176572 TCP [fe80::213:ceff:feba:cedf]:21 (LISTEN)
    dionaea 4590 root 33u IPv6 176577 TCP [fe80::213:ceff:feba:cedf]:42 (LISTEN)
    dionaea 4590 root 34u IPv6 176582 TCP [fe80::213:ceff:feba:cedf]:445 (LISTEN)
    dionaea 4590 root 35u IPv6 176587 TCP [fe80::213:ceff:feba:cedf]:135 (LISTEN)
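An added example (not from the original slides): the before/after check done by hand above, automated in Python. It parses `lsof -Pni` output, reports which TCP ports are listening now that were absent from the "before" nmap scan, and flags sockets bound to every interface. The sample lines are constructed in the slides' format (the sshd lines are made up), and the function names are assumptions.

```python
# Constructed sample: lsof -Pni lines in the shape shown on the slides, plus two
# lines in the newer lsof layout that carries an extra SIZE/OFF column ("0t0").
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE NODE NAME
dionaea 4590 root 8u IPv4 176514 TCP 127.0.0.1:80 (LISTEN)
dionaea 4590 root 10u IPv4 176518 UDP 127.0.0.1:69
dionaea 4590 root 15u IPv6 176523 TCP [::1]:80 (LISTEN)
dionaea 4590 root 27u IPv4 176545 TCP 192.168.2.2:445 (LISTEN)
amun_serv 22500 root 15u IPv4 276034 TCP *:21 (LISTEN)
sshd 900 root 3u IPv4 5000 0t0 TCP *:22 (LISTEN)
sshd 901 root 4u IPv4 5001 0t0 TCP 192.168.2.2:22->192.168.2.9:50312 (ESTABLISHED)
"""

# TCP ports that were open before the honeypot started (the "before" nmap scan).
BASELINE_TCP = {22, 25, 631, 9091, 15000, 45100}

def parse_lsof(text):
    """Return bound sockets (TCP listeners and UDP binds) as a list of dicts."""
    socks = []
    for line in text.splitlines():
        tok = line.split()
        idx = next((i for i, t in enumerate(tok) if t in ("TCP", "UDP")), None)
        if idx is None or idx + 1 >= len(tok) or not tok[1].isdigit():
            continue                      # header or unrelated line
        name = tok[idx + 1]
        if "->" in name:
            continue                      # established connection, not a listener
        if tok[idx] == "TCP" and "(LISTEN)" not in tok[idx + 2:]:
            continue
        addr, _, port = name.rpartition(":")
        if port.isdigit():
            socks.append({"command": tok[0], "proto": tok[idx].lower(),
                          "addr": addr.strip("[]"), "port": int(port)})
    return socks

def new_tcp_ports(socks, baseline):
    """TCP ports listening now that were not in the baseline scan."""
    return sorted({s["port"] for s in socks if s["proto"] == "tcp"} - set(baseline))

def wildcard_listeners(socks):
    """(command, port) pairs bound to every interface ('*' in lsof output)."""
    return sorted({(s["command"], s["port"]) for s in socks if s["addr"] == "*"})

def ports_by_command(socks):
    """Map each process name to the sorted (proto, port) pairs it has bound."""
    out = {}
    for s in socks:
        out.setdefault(s["command"], set()).add((s["proto"], s["port"]))
    return {cmd: sorted(v) for cmd, v in out.items()}

if __name__ == "__main__":
    socks = parse_lsof(SAMPLE_LSOF)
    print("new TCP ports:", new_tcp_ports(socks, BASELINE_TCP))
    print("wildcard binds:", wildcard_listeners(socks))
    print(ports_by_command(socks))
```

Any port in the "new" list that the honeypot is not supposed to emulate, or any wildcard bind on a host that should expose the sensor on selected addresses only, is worth investigating before the sensor goes live.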

Slide 39

Slide 39 text

Ok, now that we've got the binaries, what is next?

Slide 40

Slide 40 text

Analysis of binaries I
Static Analysis
- *nix strings, strace, ltrace, lsof
- Objdump
- readelf
- Ollydbg
  - Though it is free, it is yet to be open sourced

Slide 41

Slide 41 text

Analysis of binaries II
Dynamic Analysis
- Anubis
  - Open framework, but source code isn't available
  - Running on Qemu
- Wepawet
  - Service is free, handling Flash/JavaScript files
- Bitblaze
  - Developed by Univ of Berkeley

Slide 42

Slide 42 text

What to emulate?
- Qemu and Virtualbox can be used as a sandbox as well
- Since the malware is loaded on a virtual machine, it is safer than running it on the host machine
- But as a precaution, unplug it from any networking device
- Apart from them, Wine can be used as a fishbowl as well
- Unless it's Wine-aware malware, you should be able to look at the malware's behavior on the guest OS

Slide 43

Slide 43 text

IDS on sensing worms
- IDS is Intrusion Detection System
- Triggers alerts
- A project such as snort inline includes firewall reaction, hence it's known as an IPS - P for prevention
- IDS can be used to signal the existence of a malicious attack
- Remember Conficker?

Slide 44

Slide 44 text

IDS signature generator
Why automated signature generation?
- Writing alert signatures for an IDS isn't fun
- Automation is good, especially when there's an unknown/unclassified attack
- Hence automated signatures are really helpful
- They aren't false-positive free though...
Example
- Nebula, for example, creates signatures from honeytrap, argos

Slide 45

Slide 45 text

Signature alert for Conficker A and B
The following alerts were created automatically by Nebula

    alert tcp any any -> $HOME_NET 445 (msg:"conficker.a shellcode"; content:"|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&
    $HOME_NET 445 (msg:"conficker.b shellcode"; content:"|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&

Slide 46

Slide 46 text

Summary of everything...

Slide 47

Slide 47 text

fin()
najmi{at}kict.iiu.edu.my