AU2006272461B2

AU2006272461B2 - Automated threat analysis

Info

Publication number: AU2006272461B2
Application number: AU2006272461A
Authority: AU
Inventors: Sergei Shevchenko
Original assignee: PC Tools Technology Pty Ltd
Current assignee: PC Tools Technology Pty Ltd
Priority date: 2006-02-08
Filing date: 2006-11-20
Publication date: 2008-10-30
Anticipated expiration: 2026-11-20
Also published as: AU2006272461A1

Description

AUTOMATED 'I'TREAT ANALYSIS Technical Field [001] The present invention generally relates to the field of computing and malicious software or software threats, such as for example a computer virus, and more particularly to a method, system, computer readable medium of instructions and/or computer program product for providing automated threat analysis.

Background Art [002] As used herein a "threat" includes malicious software, also known as "malware" or "pestware", which includes software that is included or inserted in a part of a processing system for a harmfull purpose. Types of malware can include, but are not limited to, malicious libraries, viruses, worms, iTroans, adware, malicious active content and denial of service attacks. In the case of invasion of privacy for the purposes of fraud or theft of identity, malicious software that passively observes the use of a computer is known as "spyware".

[003] A hook (also known as a hook procedure or hook function), as used herein, generally refers to a callback function provided by a software application that receives certain data before the normal or intended recipient of the data. A hook function can thus examine or modify certain data before passing on the data. Therefore, a hook function allows a software application to examine data before the data is passed to the intended recipient.

[004] An API ("Application Programming Interface") hook (also known as an API interception), as used herein as a type of hook, refers to a callback function provided by an application that replaces functionality provided by an operating system's API. An API generally refers to an interface that is defined in terms of a set of functions and procedures, and enables a program to gain access to facilities within an application. An API hook can be inserted between an API call and an API procedure to examine or modify function parameters before passing parameters on to an actual or intended function. An API hook may also choose not to pass on certain types of requests to an actual or intended function.

[005] A process, as used herein, is at least one of a running software program or other computing operation, or a part of a running software program or other computing operation, that performs a task.

[006] A hook chain as used herein, is a list of pointers to special, application-defined callback functions called hook procedures. When a message occurs that is associated with a particular type of hook, the operating system passes the message to each hook procedure referenced in the hook chain, one after the other. The action of a hook procedure can depend on the type of hook involved. For example, the hook procedures for some types of hooks can only monitor messages, others can modify messages or stop their progress through the chain, restricting them from reaching the next hook procedure or a destination window.

[007] A kernel, as used herein, refers to the core part of an operating system, responsible for resource allocation, low-level hardware interfaces, security, etc.

[008] An interrupt, as used herein, is at least one of a signal to a processing system that stops the execution of a running program so that another action can be performed, or a circuit that conveys a signal stopping the execution of a running program.

[009] A library is a file containing executable code and data which can be loaded by a process at load time or run time, rather than during linking. There are several forms of a library including, but not limited to, Dynamic Linked Libraries (DLL) and Active X technologies.

[0C10] In a networked information or data communications system, a user has access to one or more terminals which are capable of requesting and/or receiving information or data from local or remote information sources. In such a communications system, a terminal may be a type of processing system, computer or computerised device, personal computer (P mobile, cellular or satellite telephone, mobile data terminal, portable computer, Personal Digital Assistant (PDA), pager, thin client, or any other similar type of digital electronic device 'The capability of such a terminal to request and/or receive information or data can be provided by software, hardware and/or firmware. A terminal may include or be associated with other devices, for example a local data storage device such as a hard disk drive or solid state drive.

[011] An information source can include a server, or any type of terminal, that may be associated with one or more storage devices that are able to store information or data, for example in one or more databases residing on a storage device. The exchange of information (ic. the request and/or receipt of information or data) between a terminal and an information source, or other terminal(s), is facilitated by a communication means. The communication means can be realised by physical cables, for example a metallic cable such as a telephone line, semi-conducting cables, electromagnetic signals, for example radio-frequency signals or infra-red signals, optical fibre cables, satellite links or any other such medium or combination thereof connected to a network infrastructure.

[012] A system registry is a database used by modern operating systems, for example Windows 1 platforms. The system registry includes information needed to configure the operating system. The operating system refers to the registry for information ranging from user profiles, to which applications are installed on the machine, to what hardware is installed and which ports are registered.

Manual threat analysis [013] Known techniques that seek to protect users against unwanted tihreats or malicious software rely on anti-virus software that firstly attempt to identify a threat. Once the threat is identified the threat is then blocked from affecting the user environment, for example the threat is disinfected, deleted or quarantined. This process normally requires the following steps: 1. A threat, being an unknown file, is scanned by an AV product; 2. Based on the results of the scan the unknown file is either allowed or blocked in some manner; 3. A false negative is a common and problematic issue. A false negative occurs each time a threat is wrongly identified by an AV product as being a clean file or as not being identified as malicious. New threats are typically designed with the purpose of avoiding detection by an AV product, that is to achieve a false negative result, in order to compromise a user environment (eg. a user processing system); 4. Whenever a new threat penetrates past an AV product into a user environment, typically only a relatively short period of time elapses until the threat is known to AV product vendors via various threat submission mechanisms. Some AV detection products may identify a threat based on behavioural patterns. Once a threat is intercepted or identified, the threat is initially considered "suspicious" and is still required to be submitted to an AV product vendor for the following purposes: "0 The suspicious or potential threat needs to be identified: If the potential threat is confirmed as a threat by analysts then new threat detection mechanisms must be created based on signatures or threat detection algorithms; AV software products must be updated with the new threat detection mechanisms; and The new threat should be described to define and enable threat removal procedures, threat characteristics, replication mechanisms, etc.

[014] This is the typical process that is presently followed to identify threats and update AV products, Even when AV products rely on identifying potential threats by suspicious behaviour, such suspicious behaviour-based AV products are generally considered to be prone to false positives. Thus, the known manual approach remains the most effective solution, whereby a potential threat is submitted to and analysed by a human analyst, prior to updating AV software products and producing documentation describing removal procedures, threat characteristics, replication mechanisms, etc [015] This known process is illustrated in Fig. 1. In process 10 a threat 12 emerges from the Internet 14. If threat 12 is not identified by AV product 16 a user 18 may become aware of threat 12 and inform AV vendor 20 of suspicious activity of threat 12. AV vendor 20 analyses threat 12 and may be required to update AV product 16 so that the next time AV product 16 encounters threat 12 the threat is identified and banned or blocked at step 22.

[016] In practice a new threat is normally discovered relatively quickly, for example by being intercepted by proactive detection system or a suspicious file being submitted by a cautious user. The main "bottle-neck" of the presently known process is the AV product vendor response time. During the period of time an AV product vendor is identifying a threat, a user environment remains vulnerable to that threat because virus dictionaries have not as yet been updated.

[017] The threat identification phase is the most important and critical stage. The major reason why it normally takes at least hours for an AV product vendor to respond is because the threat identification phase involves extensive manual analysis performed by specialist malicious software analysts. Once a tireat is identified, for example as a spybot, a new virus dictionary update can be created and delivered to AV software product installations and a user environment is then secured against the threat.

[018] However, once a new threat is identified it is still required to be described.

Users/customers may now have a new set of concerns, for example: where did the threat come from (eg. country of origin)? Is the threat based on other threats in its functionality (eg. are there any similarities with other threats)? What sort of exploits/vulnerabilities does the threat employ? What are the side effects or what was the actual damage caused? How to revert a system into a pre-infection stage (eg. removal instructions)? What sort of confidential information may have been stolen? What sort of reputation damage may have been caused? How vulnerable is a system for future threats similar to the identified threat? and many other concerns.

[019] Preferably, any threat mitigation task is associated with not only threat identification, but also the important task of threat description. Some AV product vendors follow a practice of providing generic detections, for example when a single virus name represents thousands of virus variations. In practice, this means that a user/customer receives a virus dictionary update to detect a new threat with no clarification regarding the threat functionality, removal instructions, and many other threat mitigation issues, [02.01 Thus, two manual activities involve "threat identification" and "threat description" and require an extensive manual analysis, and therefore provide the largest contribution to delays in overall response time in updating AV products. Both threat identification and threat description can be considered as a single concept, that of "threat analysis".

[021] Threat analysts around the world employ various techniques in threat analysis.

However, presently threat analysis is essentially a manual process and typically involves the following manual actions: 1. A threat is unpacked/decoded/unencrypted to obtain a form that is as close to the original threat form as possible: by applying stand-alone tools; by emulating threat code until some portions of data are unpacked/decoded/unencrypted; or by "black-boxing" a threat in an isolated environment so that the process module of the threat can be dumped for further study; 2. The original form is then reviewed to visually detect any suspicious or common strings. This may also give an experienced analyst an indication of what known threats may be sirnilar, what the threat "looks like", does the th-reat remind the analyst of any existing threat families or not. An experienced analyst may have already identified a threat at this stage, for example the analyst may conclude "this threat is a new IRC hot" or similar.

3. If a threat is still not identified and/or a threat needs to be studied in more detail, an analyst carries out two types of analysis being "w,hite-boxing" and "black-boxing". White-boxing analysis involves threat disassembly in order to study the assembler code of the threat and identify the threat's functionality on the lowest possible level. Black-boxing involves implanting a threat into an isolated environment where the threat is executed with no risk of infecting other systems.

4. Black-boxing analysis provides an analyst with information on what a threat is actually doing in a system, while white-boxing reveals what a threat may potentially do. Black-boxing is normally carried out either in the real physical environment or inside a hardware-emulated virtual environment. As a threat is expected to run unnoticed to convince a user that nothing unusual is happening in the user environment, an analyst employs software products to reveal any stealth-mode functionality and/or any system changes, such as a malicious payload or other less destructive side-effects. Such software products include file/registry monitors, root kit revealers, file system/registry snap shot providers or network traffic sniffers.

[021] There exists a need for a method, system, computer readable medium of instructions, and/or a computer program product to provide automated threat analysis which addresses or at least ameliorates one or more problems inherent in the prior art, [022] The reference in this specification to any prior publication (or information derived from it), or to any matter which is known, is not, and should not be taken as an acknowledgment or admission or any form of suggestion that that prior publication (or information derived from it) or known matter forms part of the common general knowledge in the field of endeavour to which this specification relates.

Disclosure Of Invention [023] According to a first broad form, there is provided an automated threat analysis system comprising a core, the core associated with an input interface and an output interface and the core comprising: one or more core components; and, an operating system having at least one library hooked to at least one of the one or more core components; wherein, when a threat is passed into the core and the threat is executed in the core, report data is generated and the report data is passed out of the core via the output interface.

[024] According to a second broad form, there is provided a computer program product for providing automated threat analysis, the computer program product comprising a core, the core associated with an input interface and an output interface and the core comprising: one or more core components; and, an operating system having at least one library hooked to at least one of the one or more core components; wherein, the computer program product is configured such that when a threat is passed into the core and the threat is executed in the core, report data is generated and the report data is passed out of the core via the output interface.

[025] According to a third broad form, there is provided a method of providing automated threat analysis by utilising a core, the core associated with an input interface and an output interface, the core comprising one or more core components and an operating system having at least one library hooked to at least one of the one or more core components, the method comprising the steps of. in a processing system: passing a threat into the core; executing the threat in the core; generating report data using the one or more core components; and, passing the report data out of the core via the otpuput iterface.

[026] According to a particular emIbodiment, an Automated Threat Analysis System (ATAS) is provided and is designed to accelerate threat identification and threat description phases for new threats, real or potential, thereby providing a significant reductiorn in time for the entire threat analysis response cycle. This assists an AV product vendor to respond accurately and in a timely manner to new threats. ATAS, in one form, can provide answers to questions that users/customers or AV product vendors may have regarding threat functionality, such as a description of threat characteristics, removal instructions and/or replication mechanisms, [027] In another form, as ATAS is automated, the system may automatically build descriptions for various threats. These descriptions can be used to update a comprehensive forensics database with search capabilities, such as the ability to search possible side effects for all known threats. If a new threat reveals a certain set of side effects then a search for those features in the database may assist in identifying a threat family to which the new threat belongs, and therefore reveal any additional features/characteristics, the new threat may have. This can help security agencies to obtain more information about specific threats and not only those threats that are published by AV product vendors.

[028] According to another embodiment, this allows ATAS to be used to automatically build a threat removal tool by knowing the scope of side effects caused by a threat. In another non-limiting form, the report data is passed out of the core via the output interface according to a predefined format.

[029] According to other forms, the present invention provides a computer readable medium of instructions or a computer program product for giving effect to any of the methods or systems mentioned herein. In one particular, but non-limiting, form, the computer readable medium of instructions are embodied as a software program.

Brief Description Of Figures [030] An example embodiment of the present invention should become apparent from the following description, which is given by way of example only, of a preferred but nonlimiting embodiment, described in connection wih ithe accompanying figures.

[03 1] Figure I illustrates a l~nown manual method of analysing threats: [032] Figure 2 illustrates a functional block diagram of an example processing system that can be utilised to embody or give effect to a particular embodiment; [033] Figure 3 illustrates a functional block diagram of an example automated threat analysis system; [034] Figure 4 illustrates a flow diagram of an example method for automated threat analysis; and, [035] Figure 5 illustrates a functional block diagram of a further example automated threat analysis system.

Modes for Carrying Out The Invention [036] The following modes, given by way of example only, are described in order to provide a more precise understanding of the subject matter of a preferred embodiment or embodiments.

[037] In the figures, incorporated to illustrate features of an example embodiment, like reference numerals are used to identify like parts throughout the figures.

Processing system [038] A particular embodiment of the present invention can be realised using a processing system, an example of which is shown in Fig. 2. In particular, processing system 100 generally includes at least one processor 102, or processing unit or plurality of processors, memory 104, at least one input device 106 and at least one output device 108, coupled together via a bus or group of buses 110. In certain embodiments, input device 106 and 10 output device 108 could be the same device. An interface 112 can also be provided for coupling processing system 100 to one or more peripheral devices, for example interface 112 could be a PCI card or PC card, At least one storage device 114 which houses at least one database 116 can also be provided. The memory 104 can be any form of memory device, for example, voatile or non-volatile memory, solid state storage devices, magnetic devices, etc. The processor 102 could include more than one distinct processing device, for example to handle different functions within the processing system 100.

[039] Input device 106 receives input data 118 and an an include, for example, a keyboard, a pointer device such as a pen-like device or a mouse, audio receiving device for voice controlled activation such as a microphone, data receiver or antenna such as a modem or wireless data adaptor, data acquisition card, etc. Input data i 8 could come from different sources, for example keyboard instructions in conjunction with data received via a network. Output device 108 produces or generates output data 120 and can include, for example, a display device or monitor in which case output data 120 is visual, a printer in which case output data 120 is printed, a port for example a USB port, a peripheral component adaptor, a data transmitter or antenna such as a modem or wireless network adaptor, etc. Output data 120 could be distinct and derived from different output devices, for example a visual display on a monitor in conjunction with data transmitted to a network, A user could view data output, or an interpretation of the data output, on, for example, a monitor or using a printer. The storage device 114 can be any form of data or information storage means, for example, volatile or non-volatile memory, solid state storage devices, magnetic devices, etc, [040] In use, processing system 100 is adapted to allow data or information to be stored in and/or retrieved from, via wired or wireless communication means, the at least one database 116, and also for processes or software modules to be executed. The interface 112 may allow wired and/or wireless communication between processing unit 102 and peripheral components that may serve a specialised purpose. The processor 102 receives instructions as input data 118 via input device 106 and can display processed results or other output to a user by utilising output device 108. More than one input device 106 and/or output device 108 can be provided. It should be appreciated that the processing system 100 may be any form of terminal, server, specialised hardware, or the like.

Ii- [041] Processing system 100 may be an isolated system when analysing a threat.

However, if appropriate, processing system 100 may be a part of a networked communications system. Processing system 100 could connect to network, for example the Internet or a WAN, Inp d anor oput data 118 and/or output data 120 could be communicated to other devices via the network. The transfer of information and/or data over the network can be achieved using wired communications means or wireless communications means. A server can facilitate the transfer of data between the network and one or more databases. A server and one or more databases provide an example of an infonration source.

Automated Threat Analysis System [042] Referring to Fig. 3, there is illustrated an automated threat analysis system 300 comprising a core 305 in an isolated environment, core 305 is associated with an input interface 310 and an output interface 315. Core 305 includes one or more core components 320 and an operating system 325 where at least one library 330 of operating system 325 is hooked to at least one core component 335 of the one or more core components 320.

[0 4 3 When a threat 340 is passed into core 305 via input interface 310 and threat 340 is executed in core 305 using operating system 325 this results in report data 345 being generated by the one or more core components 320. Report data 345 is then passed out of core 305 via output interface 315, which in one non-limiting example may be according to a predefined format. For example, a predefined format of report data 345 can be used to further isolate eat 340 so treat 34 so teat 340 cannot escape or send output data from core 305 thereby maintaining core 305 as an isolated environment.

[044] A predefined formnat of report data 345 is not essential as if a threat attempts to escape core 305 by infecting report data 345 that core 305 delivers back into the clean environment, then the format of the data will eventually be violated because threat 340 is not aware of that format. Data with a corrupted format would simply be discarded and analysis of such a threat can be considered as failed.

12- [045] Systern 300 can also be provided with a snapshot manager to record the state of at least part of core 305 before and after execution of threat 340. At least some of any differences in the state of core 305, for example in the state of operating system 325, before execution of threat 340 and after execution of threat 340 can form part of report data 345. The snapshot manager can also include or be associated with a database of exclusions of known differences in state before and after execution to filter out normal changes caused by normal operation of operating system 325.

[046] Furthermore, system 300 can include at least one or more service components 350 and each particular service component 355 can be used to monitor at least one port associated with operating system 325. A service component 355 can also emulate response data at a port using a particular protocol. One or more core components 320 can be used to record at least part of any data transferred via a port using a protocol. Such recorded data can then form part of report data 345.

[047] System 300 can be associated with a searchable database to store report data 345 from various threats. Operating system 325 may be a modified Windowss) operating system. Preferably, operating system 325 functions and parameters used by threat 340 are logged by the one or more core components 320. It is also possible that at least some return data from operating system 325 functions is modified by the one or more core componen t s 320 [048] A core manager can also be provided which at least in part supplies th-eat 340 to core 305 and receives report data 345 from core 305. System 300 may also include a wrapper acting as an interface between the core manager and the searchable database. The core manager can also be used to control return data on ports to core 305 that may be used by threat 340. The return data to ports can be provided in accordance with a protocol associated with a specific port. For example, the protocol may be HTTP, SMTP, DNS, Time, SNTP, IRC or RPC DCOM.

[049] Referring to Fig. 4 there is illustrated a method 400 of providing automated threat analysis by utilising core 305 in an isolated environment. The method can be performed in a processing system, for example processing system 100, and includes the steps of passing the threat to the core at step 410, executing the threat in the core using the operating system at step 420, automatically analysing the threat functionality using core components and/or service components at step 430, generating report data at step 440, and passing the report data out of the core at step 450, The report data may then be provided to a user at Sstep 460 and/or stored in a database at step 470.

Further Example [050] The following example provides a more detailed description of a particular embodiment. The example is intended to be merely illustrative and not limiting to the scope of the present invention.

[051] Referring to Fig. 5 there is illustrated a functional block diagram of a further example Automated Threat Analysis System (ATAS). Functionally, ATAS 500 includes the following components: 1. Core 505 a fully isolated physical or virtual environment that involves the following sub-components: Tweaked operating system (OS) and hooks 510 e Service providers and monitors 515 Snapshot Manager 520 2. Core Manager 525 3. Wrapper 4. Database [051] Core Manager 525 provides the Core 505 comporent with a threat sample 530 via the Input Interface 535. Core Manager 525 then instructs Core 505 to execute te t threat in a filly isolated hardware or hardware-emulated virtual) environment. Software that runs inside Core monitors t th threat and inspects the threat's behaviour. Tihe collected information can then be placed into the reports 540 which are delivered back to the Core Manager 525 via Output Interface 545. The interfaces are built in such a way that a threat cannot "escape" fromr the isolated environment. This task is achieved by employing strictly defined internal formats for the reports that are delivered via a file sharing mechanism.

There are no network communications used to accomplish this task (in case of the virtual enviromnent, the NAT service is fully disabled).

i4- [052] A Wrapper coordinates work between the Core Manager and the Database components to establish a forensics database update with the newly obtained information.

Modified Operatin System (OS) and Hooks [053] The operating system inside Core 505 is modified in such a way that many of the system libraries 550 are hooked to forward their functionaity into the Core's own components. This serves two major purposes: To log the functions invoked by a threat, including the function parameters; To modify the returns of the invoked functions [054] An example implementation of an API hook is as follows: a system DLL's export entry is patched with the export forward. Forwarded export is then handled by the Core's own DLL: it is either served entirely by the DLL, or the call is then forwarded back into the native DLL, In any case, the call handler is capable of modifying parameters and/or logging the function call itself. If a native Windows system DLL performs hash-based checks (such as file contents or export table CRC checks), then the native DLL logics should also be patched so that it allows itself to be loaded in spite of its file being physically modified. Windows file integrity checks should also be disabled in this case to prevent the patched system DLLs from being restored from the Windows DLL cache.

[055] For example, by hooking the Windows system API UCer3 2.SetWindowsHookExK, it is possible to reveal the following parameters: hook procedure and the handle to the DLL that contains the hook procedure. By knowing the handle to the hook module, it is possible to reveal the filename of the module that was requested as a hook handler. This way, it becomes possible to reveal any attempts to install keystroke monitors that are used by keyloggers. Once logged, the intercepted API call is then forwarded back to the native system DLL to be served in a proper manner.

[056] An example of how the invoked function return may be modified is as follows: the hooks installed on the system APIs RasEnumComections) and Ras(etConnectStatush) of rasapi32.d allow Core to fake the presence of a valid RAS connection in the system, should a threat rely on this fact in its logics. Core DLL can return the AP] call to the caller. That is, the intercepted API call is never forwarded back to the native DLL.

Service providers monitors [057] Core Manager's service providers 5i5 can include: SHTTP Server o SMITP Server o DNS Server Time Server e SNTP Server IRC Server RPC DCOM Provider [058] These servers listen on corresponding ports and seirve incoming requests in strict accordance with the relevant protocol specification For example, RPC DCOM Provider listens on ports 135/445 with the native Windows server switched off (such as LSASS The Local Security Authority Subsystem Service). As soon as a threat attempts to establish a new connection on ports 135/445, the installed RPC DCOM Provider accepts the connection and provides the connected client with legitimate response SMB packets according to protocol. Accepted SMB packets are then logged and wrapped into the reports that are then delivered back to Core Manager. The "dumped" traffic is then analysed by Core Manager to reveal any attempts by the connected clients to rely on existing RPC DCOM exploits. If there were exploit signatures detected in the intercepted traffic, then the threat that generated such traffic can be identified as a RPC DCOM worm (such as Spybot, Randex, IRC bot, etc.) [059] Appendix A provides an example report resulting from a Spybot and contains information about an MS04-12 exploit detected in the outbound traffic on port 135/tcp.

[060] The Time/SNTP Servers can be used to serve any possible threat attempts to rely on a time factor in functionality (such as the Sober worm).

-16-- [061] Appendix B provides an example report resulting from the Sober worrn and relies on the date January 5, 2006 the last day when the Sober worm still replicated; the next day its mass-mailing routine was stopped.

062] The I-TTP Server monitors any possible IITTP Get/Post requests that a threat may generate.

[063] The DNS Server supplies a client that makes a DNS query with a fake MX record for the recipient's domain name, which is a host name of a mail exchange server accepting incoming mail for that domain. This is required to reveal any mass mailers that rely on DNS servers in their mass mailing functionality (such as Netsky, Sober).

[064] The SMTP Server co-mmunicates with the clients acting like a legitimate SMTP Server: a threat is convinced that it communicates with the real SMTP server. The intercepted SMTP traffic is then delivered back to Core Manager for further analysis and parsmg.

[065] The IRC Server accepts incoming requests to join IRC channels and generates responses that are common for the legitimate IRC servers. Moreover, IRC server attempts to release hacker commands to the connected client. The commands it sends are common for IRC bots, such as Randex and Spybot. If the connected bot does not rely on passwordprotected authentication, then the IRC server may cause the connected bot to initiate DoS attacks inside the isolated environrent to make sure that the connected bot is capable of initiating such attacks.

Snapshot Manager I[066] Snapshot Manager 520 makes snapshots before and after a threat is run. Snapshot Manager 520 then compares two snapshots and reveals any differences that may have taken place in the system. The snapshots may be taken for the following Windows objects: I File system SRegistry Service Control Manager Memory (all processes and modules) 17 e Ports 0 Screen A Kernel components, such as Interrupt Descriptor Table, System Service Descriptor Table, installed kernel device drivers, Model-Specific Registers, Major I/O Request Packet Function Tables in the device driver objects, etc.

[067] If the Snapshot Manager reveals any changes in the file system after running a threat, it is assumed that the file changes were induced by that threat. Any modifications in the state of the kernel components, such as modified contents of the System Service Descriptor Table, or modified addresses of the Major I/O Request Packet unctions, are designed to reveal a possible rootkit component of the threat. The Snapshot Manager contains a large database of exclusions to filter out those changes that are normally caused by the operating system itself.

[068] The file system and registry changes, changes in the services, and open ports are all wrapped into the reports that are delivered to the Core Manager. Memory is handled in the following way: the Snapshot Manager reveals any newly created processes and/or any newly loaded modules. For every newly created processn/module, a mapped executable/DLL filename is revealed to check if the retrieved filename is among the newly created files.

[069] This approach reveals only newly created processes/modules that correspond to the newly created files. Then, the Snapshot Manager dumps the new processes/modules and delivers the dumps back into the Core Manager for further analysis. This allows the Core Manager to accomplish heuristics analysis over the memory dumps to detect any additional characteristics, as memory dumps represent memory images of the malicious code in the unpacked/decoded/unencrypted form, the form that the malicious code obtains at some point in order to run. The threat must be capable of decrypting itself in order to run. Once decrypted, the threat is dumped and the dump is studied and searched for signatures.

[070] The Snapshot Manager is also capable of detecting any newly created windows in the system. The Snapshot Manager then snapshots the screen contents, cuts out the 18 background and delivers the image back in the reporting systemr 1[71] If a threat starts generating SMTP traffic, then the Snapshot Manager loads a Graphics User Interface (GUI) that fakes the look of an email client application. Then, it into the GUI all the characteristics of the intercepted SMTP traffic, such as email sender, recipient, subject, message body and attachment name. Once the GUI is populated, a new snapshot image is created and delivered back to the Core Manager. The final report can then create a screen capture designed to simulate how a new mass-mailer would look in an email client application.

[072] In another form, ATAS can be used to provide for the detection of rootkit files/ADS and registry entries. This can be achieved if the second snapshot of an affected systems was taken from a clean primary partition by reading the affected (secondary) partition's files/registry. Automatic partition mounting is achievable both for a physical machine (by using relays) and a virtual machine (by modifying files that represent virtual drives and machine configuration).

[073] Appendices A and B demonstrate many of the aforementioned features. The reports are produced by an example implementation of the Automated Threat Analysis System.

[074] The embodiments discussed may be implemented separately or in any combination as a software package or components. Such software can then be used to notify, restrict, and/or prevent malicious activity being performed. Various embodiments can be implemented for use with the Microsoft Windows operating system or any other operating system.

[075] Optional embodiments of the present invention may also be said to broadly consist in the parts, elements and features referred to or indicated herein, individually or collectively, in any or all combinations of two or more of the parts, elements or features, and wherein specific integers are mentioned herein which have known equivalents in the art to which the invention relates, such known equivalents are deemed to be incorporated herein as if individually set forth, -19- 00 [076] Although a preferred embodiment has been described in detail, it should be understood that various changes, substitutions, and alterations can be made by one of ordinary skill in the art without departing from the scope of the present invention.

[077] Throughout this specification and the claims which follow, unless the context requires otherwise, the word "comprise", and variations such as "comprises" or "comprising", will be understood to imply the inclusion of a stated integer or step or group IDof integers or steps but not the exclusion of any other integer or step or group of integers or steps.

[078] The reference in this specification to any prior publication (or information derived from it), or to any matter which is known, is not, and should not be taken as, an acknowledgement or admission or any form of suggestion that that prior publication (or information derived from it) or known matter forms part of the common general knowledge in the field of endeavour to which this specification relates.

20 Appendix A: Generated report for Spybot Submission Summary: Submission Date: 31/1/2006 File Size: 130,048 bytes File MDS: 0x2EC1 FA5FCA52B9C36BDDEA35 11178882 Procesing Time: 1 min 55 sec Submission Options: Default Behavioural Registers itself in the registry to start each time Characteristics: that user starts Windows 3 Backdoor trojan functionality that gives an attacker unauthorized access to a compromised computer An IRC Bot capable to join IRC networks and participate in DoS attacks a An RPC DCOM Worm capable to replicate across networks by utilising existing exploits S A Network-aware worm capable to replicate across network shares Technical Details: To mark its presence in the system, the sample created the following Mutex object: aleksOOi The following file was created in the system: File MD5: Ox2EC1FA5FCA52B9C36BDDEA3511178882 File Size: 130,048 bytes Detection: Backdoor.Win32.Rbot.adf [Kaspersky], W32.Spybot.ZlF [Symantec], W32/Sdbot.worm gen.bg [McAfee] Filename: I o %System %\svcdata.exe Note: ooysiemX is a varnaie itat refers to mte System TOiaer. by aefauit, mis is C:\Windows\System (Windows 95198/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP) There was a new process created in the system: Process Name Proccess Filename svcdata.exe %System% \svcdata.exe Attention! There was outbound traffic produced on port 135/tcp with the following characteristics: -21 MS04--012: DCOM RPC Overflow exploit replication across TCP 135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC Bots) Automated Threat Analysis System has performed Heuristics Analysis of the created process and detected the following: Details Detected in Process Bugtraq ID 9213: DameWare Mini Remote svcdata.exe Control Server Pre-Authentication Buffer (%System%\svcdata.exe) Overflow Vulnerability MS03-026: DCOM RPC Interface Buffer svcdata.exe Overrun Vulnerability replication across (%System%\svcdata exe) TCP 135/139/445/593 (common for Spybot, Randex, other IRC Bots) MS03-007: Microsoft UIS WebDAV Remote svcdata.exe Compromise Vulnerability Unchecked (%System%\svcdata.exe) Buffer in Windows Component Could Cause Server Compromise MS04-011: LSASS Overflow exploit svcdata exe replication across TCP 445 (common for (%System%\svcdata.exe) Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots) Capability to join IRC channels and svcdata.exe communicate with the remote computers (%System%\svcdata.exe) with the purpose of notification or remote administration) Capability to perform DoS attacks against svcdata.exe other computers I(%System%\svcdata.exe) Automated Threat Analysis System has established that the sample is capable to steal CD keys of the following games: Battlefield 1942 SChrolme FIFA 2002 e FIFA 2003 s Half-Life e Hidden Danqerous 2 Nascar Racing 2002 e Nascar Racing 2003 e Need For Speed Hot Pursuit 2 t NHL 2002 e NHL 2003 SSoldier of Fortune II Double Helix The Gladiators Automated Threat Analysis System has established that the sample is capable to spread across the following network shares:

ADMIN$

C$

D$

SIPC$

Remote activation is achieved by creating a scheduled task with the NetBEUI function, NetScheduleJobAdd(). Network propagation across the weekly restricted shares uses the following login credentials dictionary: o 007 123 1234 12345 123456 1234567 12345678 123456789 2002 2004 accept access accounting accounts action SAdmin admin$ Administrador Administrat SAdministrateur administrator Sadmins aliases america apri 1 cackup E bill1 b bitI-ch oblank b r bran c ca ptI--u re *changqeme chi *Cisco c omiip aq *computer *connect *conitinue c cont,.rol1 c, ounr.try- *crash *database databasepass di ca ta ba s eas s wo rnd 210 Gdbpass odboassword o ce cemb e r *default Dell d isplay oma in doma inpa ss *4 doma inpas sworc.

downl o ad *emai oexcl-anqe rance fre ch fr idav george g od 4 0 g us *home h ho meus er1 24 internet i.ntaneft ipos Rate katie kermit linux ioginpass logout marcy mary *mike monday netbios netdeviI network nokia november

OEM

oemiT.Vistall omCuser office oracle outlook

OWNER

pase pass 234 F passwd Password asswordl DaS-.BD (3; e t own G;qwnertv random R FOOT *running saturday serial

SERVER

exc s si.emenrs S t f f s studen t s sunPday So SY STE M o eache r 0te"Om~.-a us da 0UNI x ouloa d s uer, 0 *video win,'U1 *N Wifl-.dows 0 wi noa s s 01 winxo The newly created Registry Values are: 0 svcdata.exe t svcdaraexes, tn the recistry keyv :-IKEY LOICAL AIN\SFAP\Icsft ino \Cre\e o ta svcd a ta ex runs eve ry t,7im.e Wid WStat ~n the registry key HKE LOCAL_ MACHWNE \-SOFT WARE \M Jc r os of t W inIdows\ Cu r-I:rntv'e rs£ion\ RunServices so) that- ,7,,vcdata e:a.e runs e-ver'; tim WinIdow).s starts 9P svcdata.~~e =svctta.ee the registry ke HE CURRENT U S E R S o 1_t w a re \Nicro so t L nd owjs\Cu rr eInter s o thatI- s-vcdata., exe ruins er ti ne W, indow,,qs start S The following ports were open in the system: Port number Protocol jOpened r File 69 UJDP -%System 1)/\svcd ata, 113 [TOP I%System%\svcdata.exe 1057 I3System %\svcd ata. exe 1? TO se \vdt~xe 1896 TO P %Sy'stem \svcdata e e 1897 TOP 1 S§ystem %\svcdata.exe 1898 ITOP %Systemn%\svcdata.exe 1890 TOP %Systemi%\svcdataexe 1891 TOP %Svstem%'\svcdata.exe 18928_ TOP %/Systern%\svcdataexe 100 TOP %System %\svcdataexe 45343 TP%System%\svcdata.exe The following Host Name was requested from s c uni ~r c. d e a host database.: were registered attempts to establish connection with the remote WP addresses, The connection details are: Remote IP address Port Number 1270,247.251 139 127.0.1 42358 39 12T.0.138,223 127.0.241,85 139 127.0.33.8 139 127,0.136.126 139 127.0.44.180 127,0.0,36 1234 127.0.165.253 127.0.235-240 135 -12-7,0. 0. 37 1234 127.0.40.2 135 127.0,0.38 1234 .127.0.0.39 1234 127.0.7.89 135 127.0.0.40 1234 127.0.0.43 1234 127.0..44 1234 127.0.219.5 135 127..4513 12-7,.0,0. 46 4234 127.0.014 134 1 2 .6 1 127.0.0A48 1234__ 127,0.3116 135 Attention! There was a new connection established with a generated outbound !RC traffic is provided below:: remote IRC Server, The NIC'K AU2P0?- 11 USER f zcs I 0 0 USAi12061i U S ER140S T U ISA: %611 MODE USA'20611 -x JODIN -ne44 as-s NOTICE U--A .VERSION mIRC y .14 Khaled Ma rdam--Sev.

PRI-VT4SO #Pasri1-new# [MAIN] Status: Reaidv, Sot U'otime: Od 0n 1"rn.T PRIVYMSOI P#asn--new##± MAIN" Sot ID: aleksO001.

PRIVNSG fl#asn1-new#fl SCA"N] ExploitE fStLatistnJcs: 'WebDav: 0, NletBios: 0, N'IPass: DoornilS: 0, DoomS: 0, MSSQL: 0, Beaglel: 0, BeagleS2: 0, MvDoomp: 0, le-ass 450 pi:0 28 URPN p 0, N e tDe EI 1:0 Da (aeW are :0 y1 uan1 ,q 2: 0 S)um7b 0, Wks~vo English: 0, WksSvc Other: 0, 'Veri tas Backucip Exec: 0, A S N.1 ~HTT .I SF1R'7V450G ~4a snnet MI N] U p~ L me: 0d O h 3m.

PPINSCPflsnnt 44 F00 :Failed to termjnate process [An t i,,i rus/Fii 1] SF171180 #iasn-nc -w#Pf H IHT TP D I Server liste-nina on IS:.

127.0.01:2001l, D ire c tor y:\ tasn-new4P D'S] Flooding: (12707<2 ':123l4) for onds.

SF171150 i4asn-new~4 S SCAN Fa l1e d to s ta rtI- scan, portL i s i rnra 11 d.

SF171150 tdtasn-r.ewtt# [SCAN] Random; PortL Scan satdon 127 x :1I-3 9 w th a del ay of s sE-co n ds fo0r 0 rminmu tes u si-ng th-reads.

SF171150I,:z 4asn--n-ew4P :SCAN] I lRalndom Port Scan start1-ed on 127 x.:x135-- w ith1 a delIay of: S- seconds for C) miniutes us-,nQ threads.

SF171150 -Pas-new# [S CAN]I Port scan start-ed:.

127 0.0. 2l 234~ with delay: 5 0(1'm s) SF171150-IS *t#asrn ewttP SendingI 40 packets to: 127.10.0.2. Sacnket size: 50, Delay: 50 (mis SF17150t#tasn-new44# :[PIN. Se-3nding 40 pings to 12-7,0.0.2.

oacket siz-e: 50, timeout G0 (ins) PFI7N.'MSO Pfasn--newfl4 [PING] Fin.ished senidingq pingas to 127.0.,0.2, PRIV11q-SO fltasnl-rnewttf [U2DP] Finished sedn packets to 1 7 0) 0 Appendix B: Generated report for Sokber Submission Summary:, Submission Date: 1411/2005 File Size: 1598bytes File MOS: Ox 45067D805EEFE98EB89222C345EAOBFE Proces in 9 Time: sec Submission Options: Slow Analysis Use Date 611/2006 Submission GUID: t6241 B636-51 CB-4EC2--859AX-62E46A58CF86 Technical Details: Possible Couintry of Origin The new window was created, as shown below: Error in Graphic Data

OK

The following files were created in the system: Hie #1: Hie MD5: 0x53D2E479E0FCFDB34882F1 5B8D)69B52E file Size" 135,968 bytes Detection: Email-Worm Win3.Sober.t [Kasperskyi, \AW32,Sober.W\f@ rnmn [Symantec], VV32/Sober. s.dr Whename: McAfee]_____ Filenarne [sample's original directoryjisarnpleexe File File ID5.: I x046470C7F32B81 ASDAB4B3326ABAD3F-C4 FieSize:. 1128, 032jbtes Detection: Email-Worm.Win32Sober~t [Kaspersky], W32,Sober.W@n-m [Symantec], W32/Sober.s@MM [McAfee] Fiename: indir%\ConniectionStatus\Microsoft\se-vices. exe File File MD5: 0x2EE7I0864077AEAB4F5272BE4A61 21 File Size: 572 bytes Filename: %WVindir%\ConnectionStatus\Microsoft\concon.www' File #4: File MD5: OxD9l BC7EAOFE6FABBA[i)ADD3C i EA77696D2 File Size: 55,390 bytes Detection: Email-WormW'n2 Sober.y [Kaspersky], W32.Sober.X@,Tm [Symantec], W32/Soberod4MM1M I Mc fee] Filename. Vindir%\WV'inSe crityliservicesexe File File MD5: 0x22586BCA92AFE4DD6DE09B47B5EB6942 File Size: 55,390 bytes Dte ct ion: Email-Worrm.Win32.Sober.y [Kaspersky], VV32.Sober.X@mm (Symantec], VV/32/Soberc" -OWMMM68I !McAfee] Filename: %W linidir%,o\WinSecurity\smss.exe File #6: File MD5: 0x243639727EBLCCFF6203EC618EOC 7C3656 File Size: 1 5,390 bytes Detection: Email(rm.in32.Sober. y [Kaspersky], V%'32.Sober.X@mm [Syrmantec], 32/Sober MWM61 IMcAfee] Filename:{ %titncd8ir%\WinSecuritkvcsrss.exe File #7 Fie MD5: 0xAC89003431 B9D71OEAF8A3EB1 C78AFAA File Size: 75,996 bytes Detection: I Email--Wormnin322Sober.y (kaspersky], VV132.Sober. X py [oUm2 zLm J§_ante_ Filename: a %W~indir%\W,%IinSecurity\socketio i 0 %Vidir%\in)Security\socket2 ,io %W,%Iind ir%\VinSecu rity\socket3.ifo File #8- File _MD5- Ox09C5A82682D 64767B' File Size: 323 btes Filename: %,owindir%W VinSecuirity\mssockl di I File #9: File M D51 0x1O*C36540D2698C656943455D626A64AE File Size: 316 bytes Filenarre: I /UV%'indIr%\WinSeciuritylmssock2 di File -31 [File MDS: Ox9l11292 BB9O323BCBBCSSCCS:ADI1 982DFF File SOibteze. %Wjindir%\W,,inSecurbty\mssock3.dli File #11:.

File MD5: ____T<x7498F5CFe94e3OA66BE29e7CEB4D53 File Size: [52 b ytes-- Filename-0 ,%Windir%/ \W,,4inSecurity\winmemlory Filnam T %WNindir%\VWinSecuirity\winmeml d i r% \Win Secu rity\wi nmem 3. cry The following directories were created: o%W indi r%\w inSecuri ty Notes'.

o[sample's original directorytsampleexe stands for a filenamne that is used by ThreatForensics to implants the original sample into the systemr o%VWindir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt oThe specified filename is not constant across the entire report not always created or is random) There were new processes created in the system:.

Proc ess Name Proccess Filename servicesexe cur~t(Liity,,ser-vices.exe smssexe 1%WaVndir%\WinSecuritv,\smss .exe csrss.exe j%Wind ir%\WiJnSecuritv\csrss.exe Sa121e.exe _____[sample's original directo ryfsample exe services .exe %Wind ir%\ConnectionStatuis\tvlcrosoftseri- ces. exe The newly created Registry Values are:o WinChe c k i nd ir%9;\_on n ec aionS tatus Mi c ro so f tsrvc e s exYe in tue -registrv key HKVEY LOCAL 4CHITME\ St -WAP E\M icrosof W J Wind o ws\ so that services. exe r-uns every,, t1im.e 'Windows sat W Windows W" n diir% e r r v ie e_ nfl the rrea strv k ey LKE)! LOCAL MACLI ?Q\)OFWRE\ Microsoft \Windows CurrenVers ion un so that services .exe runs every time Windows starts WinCheckldir onnetonS atus\icrosoft\services.exe' in the reqistrv key WHIEY CURRENT USER\ Soil twa re \Microso ft \Wi.ndows CurrentVers on\Run so that: services-exe runs every time Windows star1-s c Windo~s U; 5AJrcr% \vnSecuiervie in the registry key HKE' CURRENT USER\ S of t war e \Microsof t \lnd ows Cursre ntVe rs i on '\Rfiun so that services-exe runs every time Windows starts The foliowing ports were open in the system: Port numnber Protocol 1 Opened by File 1362 TCP Vindir-%\inSecurity\serv"ces .exe 1394 TOP %WiindirVA NlinSecurit\csrss.exe 1395 TOP I%Windir%\V'inSecurity\smss.exe The following Host Names were requested from a host database: o cuckoo nevada edu smtp .sbcql obalI. yahoo com smt> .compuserve de ma il .postman .ne t sintauttiearthlnk. net e relay claranet h au. s t p k un d es e rv e r d e smtp.isp.netscape.com smtp amer i t ech yaho co s smtp. acs corn 0 smtu LI uni ae fl nt rop i nria f time-extrnissor eidu Q [MX record for the recipient's domain namelI 0 nt.ptnheremaLler.ne it- 3 0 co rnell e dL Sgandai .t heunixman con: tire.xrn-ss on.con" -ed^-ral-tele hose~iL.gandi net utcnist colorado edu t o mob r i-d*r e aI a d i n c o m time .en.it Ixl. icqna412 wor 1d. corn mxha l web.de maiihsti-plusner.

m a I ho i u n e B n tn-i ece, cmu. edu r e reay2 .uc ia. gov mx nyc. untd, corn maT1 F Secur- e con I etrn.neatracz ntoc mcc ac. ulhn ix arcor de o seinaii2 .everynenet Note: there was a DNS query made requesting the MX record for the recipient's domain name, which is a host name of mail exchange server accepting incoming mail for that domain.

Attention! There was outbound SMTP traffic registered in the system with the following en-al message characteristics: Email Sender (spoofed): a vstrmian C-tnawt e .com R~~OStm~Ster@Ebjaxt cor)n P sCri a 2c, t- e r E b v.4 c o m 3 Inrooverisigncon VWebrastertaw t e cor steve t ohnsonasomewnre con Se rv, ic e Lthiaw te corn BI. Bunddbka, bund. de l nfo(-etioc) c net Gewirnnr@RrTL, de isBKAQ bIa, bond. de B K QaE"K2 e *A dr_.nl@ trustcenter de wo..,brias t erll-veri.s cf-. corn *In ternotoc-abk a. LU'd. de Host'rnasto.r@corro, eocorn.

Servi'ce Cddlsigt-us1c- orn 0postmran(,nownoro .corn 0Adm Ln @thI- a w Ce cr Postmiasor@%Yalicert. corn n) It ern eBKA. do 0Departrnn@fbi 0H o st ma s t er t havtoe corn 0Sorvid cdno t -lock.,i ot R'rL- TV@ORTLWo rlId ,doe I1Adrn,_JjnfcaaL qorv *In f o(diqs igtrus .corn R Th?-R T L o rld doe postnastr@sOrnewhee o. corn trastor, saunal ahiti L oPostmand:fosto olm Inf odaonplac. .corn, ooff ico" nowhe ro orn 2 5 e Soervicocivonrisqn. con *Host-rnastorQfsto. orq *Postrnan@'Ptt -postr' o Soervi-;coe railI 112p Is: Down"'oadsd'_hKA. do s t mas te ofes Le o ra o hs trnmaseor 4oe- t rus tbe *RTL TVCQDP TL doe Info@Ebav. corn o .nt~sonohor .corn liono-rzes(?anotlock, net o Wbrnastoror)orro corn. uy P o s t rna s toe t haw te c orn BKlA. Bund@BKA, do Adrninoacorroo.corn~uv Note: sender email address is spoofed it uses domnain padt of som,-e locally stored email addresses Email Recipient: 0 ma ilingbox~yahoo c f l~istenincfrhotrnail de 0seve--,'yn ilY Jm.de steve~ivnchtyahoo.de 0 premium- 3e£vCe mhotmai± -de 0ips%cirx.a 0 inf o@yahoo. coin vpreniun-serverduahoo he 0 steve lvnchoqmxaL 0ellenorzesay~ahoo corn 0smntpdvahoo c oxpost~hotrail.se Ssteve lvnch@vahoo. corn Thiskccount@y'ahoo.cle x raii-list@gqrxat festedvahoc c cps@hotmai. de railserver96lS@yahoc. corn-.

vMailIn Box.@hotmail. he 0x rail-listcgmx.de 0 ps@hotmailide 6 e ste~vahoc -corn 0zfreemaiwerhvahoo he msilver-certs~hotrnail.de 0personal -fSreenai"_~cix he 0Z-User~gmx at :KXFreeMal l@vahoo. corn 0Z-UserB7O@crnx -at stevejohnsonecjmx at 0ernal lyahoo -corn 0Tb isAcoountPt hawt e.corn 0steve lync-Sgqrx -cl 6Thistkccount@hotmail e 0steve lvnch~hotrnail -corn zfreernailer>thawte corn 0steve "ynchgxn Email Subject: *Mai izusteilung wurhe unterbyochen.- Sehr ceehrter Ebay-Kunde 6' EIMTPMa,_l gesoheiLtert S i ive ar ne w_ mail11 ad dr es Smai zusteil1uno wud u rro.e e TL: Her Lwi rd Mil iona er cA Mil d eIiv ery fail1e d IrPa&swocrt ~Your Password Ermi tlngsvrfarenwurde einelcit-e t Hil-ton NJ co' e Richie A~ Accounrt Informf Iat i 0 AccountIn:ormatio *Sic 'besitzen Raub, Oaonzen- *You visit ill-c-qel wjebsites ETA; H er wir1d Mi-'Lizn.aer snito maiI taiLled e hr Pa-sswo.,rt.

o 504-mai f ai led *ReqiLs*,-rati-on Conf irmation Your-Password P Par is Hilt on Ncco le R ic hie Sehr qeehrter Elbay)-Kunde SYour IP was loppqed Attachment Name: o Email-text. zip *Ebav--s 1r7YS Re-C- z ip m ra ilt et ip AkteIBCD.zip GewTionn Te xt z P o malil1. zip Ak t e 59-9 z i *Akte9" .4.zip orec -pass, zip A ktC e212 9,Z i p *down. oQ~m. Z &Ebjav, UserlC 4S9 ReqC z ip 'vaIi c ert -TIex t o .z p C) A kt-eGOOSr io question i s t ,zip 6 z0 Akte4.8?4.zip Cs netiook-Textinfo zip 0 RTL-TV.zip 0Gewinn zip 6 PTL zip t mail body. zip ft verIiin--Textlffo 'Ap ft maii-Textinto. zip e Akte97O4 .zip 0feste--Textlnfo.zio v Ebay. zip 0 AktelS94 .zip ft reg pass-data.zip 0trustcenter-Textlnfo. zip *Akte9S49.zip nowhere-Text info. zip question listBBS.zip rkteG72,zi *Ebay-UserlS2lC ReqC.zip,- *list. zip *digsiqtrust-Textlnfo~zip c~e-trust-Textlnfo.zip SAkte68Kzip WWM Text zip, fAktel36S.zip *somewere-Textlnfo. zip C, M zip Message Body: This is an auitomnatically generated Delivery Status Notificatimn.SMTP Error afraid I wasn't able to del iver yo~ur message.This is a permanent error; I given up. Sorry it didn' t work out. The full mail-text and header is attached! Eel unc' wuroc emn neu t es Brenutzerkonto mit dem Namen.

'Handorana tenHaraidl9GJ" beantragt.Urn das Konto einzurichten, benoetigen wax cine Bestaetigung, class die bei der Anmeldung a ngegebene e-Mail-Adresse stit. Bitte sencten Sic zur Bestactigung den a u sqe fuliten Anhang an uns zurueck.-Wir riohten Ihr Benutzerkonto gleich nach Einlanqen der Bestaetiqunci ein und versteendigen Sic dann per c-Mail, sobald Sic lhr Konto benutzen koennen.Vielcrn 38 Dank ,I-hr Ebay--Tea m hey i-ts me, my old address dont work at time. a auont kn-ow whyflin- the last days a-ve got some mails. P think thaz your m,.a ils bu t imf not sure 1lZ read an,.d che ck.......aaaaaaa se'hr qeeh' rte Dame sehr qeehrter Herr, das H-erunterladenvon F-imen, Software und MP~s 1st illegal und somit strafEbar.WiUr moecaten IhIne-- hiermit vorat: itt-'. dass -lh-r Flechner tinter der IF l34.1-09,110.222 erfasst wurue.

Der Inhalt limes Pechner wurde1 als Bewei.'smitt el sichergestelt und es wird cmi- Ermittlunis ye rf anren gegen Sic ein~gwe-tet,.Di4e Strafanize'sge urA di Moegi- lunnet u Ste"llungnahm"e wirId Ihinen in den na echsten Taci schriftlich zugeste ilt .Aktenze-icnen NR -12 569 (siehe IAn-hang) Hochach tungs-voll11i A.

Juergen Stock--- Bundeskriminalamt EllA--- Referat LS 2 651 17 3 W ie sbaden.,- reTI:+ 4 9 0)611 -55 12 331 o d er- I InlC 1 -Gl1u e ckw unis cn B e Iu s er er.- E MaI Au slosun b a tt-en Sie un. id weitere neun ranidaten- GlueckSic sitzeni demn-aechst bei Guelther Jauch in-. Studio!Weitere Details ihrer Daten entnehmen Sic bitt n dem Anhani. RTL interac"' xrp Gmb"H G'eschaef ts fueh-un'm Dr. Constantin LIancie Am C1oloneum 5 0329 Ko.e-ln±±c+ Fon:- ±4 9(C' 1)22 1-73!'9 0 0 od er±+ -4 9 130 5 44 66 99 Thrp Nutrircindaten wuraen erfolgreich geaendert. Details entnehmen S- L bit"-e dem Anhanci.* tp //www thawte E-Mail: -a s d h a w c Sehr geeh-rte Dame, sehr- gee'h rter Herr, das -Herunt1erladen von Film, en, Software und MAP3s st illegail und soDmit strafbar.W.,ir moechten 11lhnen hiermit vorab mitt~zenl, oass -Ihr Rechnier uniter der I1? 2 34 153 .126. 15 e rf ass t wurde.

Der Tuhalt Ihres xechner wurde als Beweismittel si'chercestellt una es wird-- cm Ermittlungsvr1:rahren qegen S Sic eincle itet Die St rafanrzeige und die Mvo-gl1ichkei zur Stel 11. nhm v,,71 rd IhnMen indn niaechs te Tag9e, schri ft'lc', zuestellt, Aktenzeichen NR #12129 sie'he IA n hang) H- c h ach tu n qsvoll 1i A Juercen Stock- Budekrmialm Ref erat LS 2-- 65173 Wviesbaden Tel. -49 611 55 12331 odert.--- Tel.: +49 (0'611 -55 0 Vnis s an aul itomat ically generated DeliLvery_ Status Not if rc I'm afraidJ wasn-'t able to deliver yvour mes sageThi s is a ~pe r-manenrt error I' e g iven uip. Sorrvt didn'It work out Th e full mailtext and header is attached! TeSimple Life:VJiew -Paris Hilton Nicole R.IchiLe vi-deo cl~ps pictures more ;)Dowla is freutlJn 2006 Please use our Download m-ranager.

eluns wurde can, neucs Benusser koo zy mit d em iar-en 'Ppu"beanitr.ac::t. m has Konte eirnsurichten, benloetccaen wa icne Be' actiqun, Kasibidc .nmeldmurcangegebene c--Mail -Adresse S1- mint ,Bi1__t e sernd en Sic stzur Bes tLact,- igung den ausqefuellIten Aihariq an uris surueck.WNir richten Ihr Beuscknt ,lciLch nach Finane4 ncr Bestactaguri can unn-i verstacrigen Lie dann per e-Mlaaa, sobald Lie Ihr Korito b,-enu--ten, koennen.Vieden Dank, Ih-r Ebav- Team 1i-re Nut zu-ngsdaten wurden ertoigreich geacnncert. Details critnbmenSic bitt,-e hem An-,ari,** h t.tp;:/,/www .va. Ei ri 1 ~f**ENi:Pass i.-in'al icer:t. COm Sch-.r gech.rte Dame, sehr gechrter Herr. das Herunr.terladenr.

vo.. Flumen, So:ftware udM PI-s ist ill1egal urid somat. strafbar .Wir mocbtei Thri.en hiermit v,?orab inittcaacn, dass I h PRec her un t er h er 12P 105 .1,115.,12 2. 17'13 e r fa sqt wUr de.

Dr Trib1,a I. thrI iees R ecbns -ir wu rd e al1s B ew eas mttCel sicnerqesa-el" it etsi itiJ ei nErjs verflD.Y:cc en S ic cincleiq 1t et DEF Strafanseae und die Moegliolhkeit -7 mr Stellricranine wird Ihneri in den riaecosten Tageri sritSrhzug ,este]? h.krcris eichc-ln 1\,EP :4824 (siche Anh ang) t kocha cntun-- rg svn 11 i A Juerqen Stock-- unskinli Re-ferat LST 173 WYiesbaher--- Tel~ +4:1,671 5 5 -12 3 31 oder Tde 49 60)515-05 De ar S ir //Ma dami, we barv Inoo ed o; 1r 12P- addr e ss o)n more tha n illiegal Webs ites. Impon, Please answer our quest ions !The "List of questimnS are a-tached. Yours faihfulySteenAlaaso,-ri++±+ Cnrl IntelligLence Agency Offace of. Public Affairs+±++ Washington, D.C. 20505+±,+± phone: ('703) 482-06234.+++ am to 5: 00_p S Ea st e rn tme Thre Nutzunnedac en wur11deni erfoigreich geacridert. 'Details entnehmen Sic -1-te hem, Anharig. lit *ttp:' 1www. feste orc;*** A Mail: PassAdmin~fcste.org Bea Lns wurhe can neises Beriutscrkont1-o mit hem Nalnmen "Ha~ wvwianaten-,rHarald" beantragt .Dm. das Konto eanzu-rachten, henoe'E gren waeine Bestactl-igung, dass di.e bei ner d ing anrgegebene c -Mail Adrcee staimmt.Eitte senderi Sac stir- B3estactigung den aujsgefue lLdfl An:rihan an, uIris surueck.W,,ir racntlen Ihrr Benutscrkoi -to 9leich nach ELinlannen der Bestactigulc din urn ,,e-staE--ndi-qen Sic danri per e-Mail, sobald Sic Thr Konto bent -,en kocennen,'Vicler Dankj<, Ihr Ebay-Team Schr gcchrte Dam-re; sehr qcehwher Perrhas }Heruntcrladen von Lilinen, Sottware uind MP3S s t a 1 Ieqal' uri-d sorma lt strafbar Wir mocoten Thrier hiermi vor).-ab mitCteilen, dass Thr 1Rechnier- unter der 12 1419.1241.75,109 erfaset'-wur de. Der Inhail- t hree Rechner wuirde ale Beweisit'-tel sicherqestLellr.

und es wird ein Ermittlungsvertanren qegen Sie eingleitet.Die Stiafanzeiqe und die Moeqlichkeit zur Stelluncnahne wird Innen in den naechsten Tacen schriftlich zuestelt.Aktenzeicnen NR. :ttS0lS (siene Anhang) i ochachtung volli.

Juergen Stock--- Bundeskriminalat Referat LS 65173 Wiesbaden~ Tel.: +49(0)611 55 12331 oder-- Tel.: ±49 (0)611 -55 Account and Password Tnformation are attached! T~re Nutunasa n wuren erfolreich eaendert. Details entnehmen Sic bitte dem Anhang http://www.trustcenterde*** E-Mail: PassAdmin trustcenter de Protected message is attached!***** Go to: http: /www. correo. corm. uy Email postmancorreo. corn

Claims

1. An automated threat analysis system comprising a core in an isolated environment, the core associated with an input interface to receive a threat and an output interface to IDallow report data to exit the core, and the core comprising: one or more core components to generate the report data; and, I an operating system having at least one library hooked to at least one of the one NO or more core components; and, S 10 at least one service component to monitor a port associated with the operating system, and to return a fake response from an emulated service according to a protocol if requested by the threat, at least part of the fake response recorded by the one or more core components; wherein, when a the threat is passed into the core via the input interface and the threat is executed in the core and using the operating system, the report data is generated by the one or more core components and the report data is passed out of the core via the output interface.

2. The system as claimed in claim 1, including a snapshot manager to record the state of at least part of the core before and after execution of the threat.

3. The system as claimed in claim 2, wherein at least some of any differences in the state before execution of the threat and the state after execution of the threat form part of the report data.

4. The system as claimed in either claim 2 or claim 3, wherein the snapshot manager records the state of one or more of the operating system components of: File system; Registry; Service Control Manager; Memory; Ports; Screen; and Kernel components.

5. The system as claimed in any one of claims 2 to 4, wherein the snapshot manager includes a database of exclusions used to filter out normal changes caused by the operating system. I -42- 00 CI

6. The system as claimed in any one of claims 1 to 5, wherein the at least one service dcomponent emulates a service by exchanging data with the threat in accordance with the protocol of the service.

7. The system as claimed in claim 6, wherein the at least part of the fake response O recorded by the one or more core components forms part of the report data. C,

8. The system as claimed in claim 6, wherein the at least one service component INO emulates a service selected from the group of a: HTTP server; SMTP server; DNS server; C- 10 Time server; SNTP server; IRC server; and RPC DCOM provider.

9. The system as claimed in any one of claims 1 to 8, wherein the system includes a core manager that supplies the threat to the core and receives the report data from the core.

10. The system as claimed in any one of claims 1 to 9, wherein the system is associated with a searchable database to store the report data from various threats.

11. The system as claimed in claim 10, wherein the system includes a wrapper being an interface between the core manager and the database.

12. The system as claimed in any one of claims 1 to 11, wherein the isolated environment is hardware or hardware-emulated.

13. The system as claimed in any one of claims 1 to 12, wherein the report data is passed out of the core via the output interface according to a predefined format.

14. A computer program product for providing automated threat analysis, the computer program product comprising a core in an isolated environment, the core associated with an input interface to receive a threat and an output interface to allow report data to exit the core, and the core comprising: one or more core components to generate the report data; an operating system having at least one library hooked to at least one of the one or more core components; and, 43 00 O O at least one service component to monitor a port associated with the operating system, and to return a fake response from an emulated service according to a protocol if requested by the threat, at least part of the fake response recorded by the one or more core components; wherein, the computer program product is configured such that when the threat is Ipassed into the core via the input interface and the threat is executed in the core and using the operating system, the report data is generated by the one or more core components and ,I the report data is passed out of the core via the output interface. O S 10

15. The computer program product as claimed in claim 14, wherein the report data forms part of a threat removal tool.

16. The computer program product as claimed in either claim 14 or 15, wherein the operating system is a modified Windows® operating system.

17. The computer program product as claimed in any one of claims 14 to 16, wherein the core is in an isolated hardware or hardware-emulated environment.

18. The computer program product as claimed in any one of claims 14 to 17, wherein operating system functions and parameters used by the threat are logged by the one or more core components.

19. The computer program product as claimed in claim 18, wherein at least some return data from the operating system functions are modified by the one or more core components.

The computer program product as claimed in any one of claims 14 to 19, wherein a core manager controls return data on ports to the core.

21. The computer program product as claimed in claim 20, wherein the return data is provided in accordance with a protocol associated with a port. -44- 00 i

22. The computer program product as claimed in claim 21, wherein the protocol is at least one of the group: HTTP; SMTP; DNS; Time; SNTP; IRC; and RPC DCOM.

23. The computer program product as claimed in any one of claims 14 to 22, wherein the core includes a snapshot manager to record the state of at least part of the core before Sand after execution of the threat. Ci

24. The computer program product as claimed in claim 23, wherein the snapshot INO 1 manager includes, in the report data, at least some of the changes relating to one or more C' 10 of: the file system; the registry; the memory; new windows; and the use of ports.

The computer program product as claimed in any one of claims 14 to 24, wherein the report data is passed out of the core via the output interface according to a predefined format

26. A method of providing automated threat analysis by utilising a core in an isolated environment, the core associated with an input interface to receive a threat and an output interface to allow report data to exit the core, the core comprising one or more core components to generate the report data, an operating system having at least one library hooked to at least one of the one or more core components, and at least one service component to monitor a port associated with the operating system, and to return a fake response from an emulated service according to a protocol if requested by the threat, the method comprising the steps of, in a processing system: passing the threat into the core via the input interface; executing the threat in the core using the operating system; generating the report data using the one or more core components; and, passing the report data out of the core via the output interface.

27. An automated threat analysis system, substantially as hereinbefore described with reference to the accompanying figures.

28. A method of providing automated threat analysis, substantially as hereinbefore described with reference to the accompanying figures.