Security Research
Analysis of allinone.c rootkit exploiting UPX unpacking vulnerability
University of Toronto - CSC469: Operating Systems Forensics (January 2012 - August 2012)
Acknowledgments: Elias Adum, Katie Kleemola
- Abstract: Examination of an unknown binary file used to infect a computer and steal intellectual property, recovered and displayed in the initial table. Analysis showed that when the initial binary file was executed, it exploited a flaw in UPX unpacking to write a temporary file to the temp directory, open a file handle to it, and then delete the temporary file to hide its presence. However, the open file handle still allowed the UPX unpacking process to read the contents of the deleted file, which were then executed. The unpacked binary that is executed contains a rootkit, later determined to be the allinone virus, that allows the attacker to execute a remote shell.
- Keywords: allinone virus, remote shell access, UPX unpacking exploit, intellectual property theft, obfuscation through compression
allinone.pdf
Analysis of a Siemens Microcontroller infected by Stuxnet
University of Toronto - CSC469: Operating Systems Forensics (January 2012 - August 2012)
Acknowledgments: Elias Adum, Katie Kleemola
- Abstract: Extended the work performed by Mark Russinovich and Michael Hale Ligh on the memory footprint of a Siemens industrial controller infected with the Stuxnet virus, using Volatility 2.0. Following from the 18 artifacts found by Michael Hale Ligh, an additional 3 artifacts were found in the memory footprint: in particular, evidence of the SQL commands used to bootstrap the main Stuxnet DLL and evidence of its RPC server functionality. Additionally, a second infected memory footprint was investigated with Volatility 2.0 to locate the exploitation of similar vulnerabilities. Evidence was found of code injection, HTTP download requests to a known malicious website, and traces of a socket established to a known malicious RPC server.
- Keywords: Stuxnet, Volatility 2.0, memory analysis, SQL injection, Remote Procedure Call servers, rootkit, process injection
- External sources:
Stuxnet's Footprint in Memory with Volatility 2.0, Michael Hale Ligh
Analyzing a Stuxnet Infection with the Sysinternals Tools, Mark Russinovich
stuxnet.pdf
Recovery of files in EXT2 and EXT3 using TSK and FTK with survey of MAC-D update conditions
University of Toronto - CSC469: Operating Systems Forensics (September 2012 - December 2012)
- Abstract: Analysis using TSK (Autopsy) and FTK of a recovered EXT2 file system and a separate EXT3 file system, both suspected of containing deleted or hidden incriminating evidence. Additionally, a broad survey of the operations that alter or update MAC-D (modified, accessed, copy, deleted) times in NFS and EXT3 was performed to provide corroborating evidence.
- Keywords: TSK (Autopsy), FTK, EXT2 and EXT3 file recovery, EXT3 and NFS MAC-D time update analysis
macd.pdf