Makers of today’s malware go to great lengths to disguise their code and cover its tracks, often making it virtually impossible for even the most determined investigator to trace the true course of events.
For his MSc thesis at Royal Holloway University of London (RHUL), Steve Hendrikse, under the supervision of course director John Austen, set out to explore how formal incident response processes need to change in the light of this increasingly complex or 'armoured' malware.
In an article (.pdf) published here on SearchSecurity.co.UK, Hendrikse outlines the elements of a good incident response process, and then explains the various techniques malware developers use to disguise their code and prevent it from being analysed.
Read the article
Download the article on malware armouring (.pdf) by Steve Hendrikse.
Read the full thesis (.pdf).
Hendrikse concludes that the time and effort required to fully analyse such armoured malware may not be worthwhile, especially since there is growing pressure on companies to have their systems up and running again as soon as possible.
This article is essential reading for anyone involved in either designing an incident response process or in forensic investigations of malware infections.
This feature is one of six that SearchSecurity.co.UK is publishing this year in collaboration with RHUL.
This was first published in June 2012