Royal Holloway 2012: An incident response process for armoured malware


2012 Royal Holloway thesis series

Makers of today's malware go to great lengths to disguise their code and cover its tracks, often making it virtually impossible for even the most determined investigator to trace the true course of events.

For his MSc thesis at Royal Holloway University of London (RHUL), Steve Hendrikse, under the supervision of course director John Austen, set out to explore how formal incident response processes need to change in the light of this increasingly complex or 'armoured' malware.

In an article (.pdf) published here on, Hendrikse outlines the elements of a good incident response process, and then explains the various techniques malware developers use to disguise their code and prevent it from being analysed.

Read the article

Download the article on malware armouring (.pdf) by Steve Hendrikse.

Read the full thesis (.pdf).

Hendrikse concludes that the time and effort involved in conducting this analysis may not be worthwhile, especially since there is growing pressure on companies to have their systems up and running as soon as possible.

This article is essential reading for anyone involved in either designing an incident response process or in forensic investigations of malware infections.

This feature is one of six that is publishing this year in collaboration with RHUL.


This was first published in June 2012
