Slide
‹#›
Writing and Rootkits.
By:
Date: 09/03/2003
Papers
Topic
Main: Phil
Backup: John
One from me: http://www.geek.com/news/geeknews/2005Nov/gee20051122033430.htm
Class times and finals schedule.
Section headings
Longer paper, use section headings.
Look at the assignment, several sections required.
For related work section
Start new paragraph for each complete experiment that you describe.
When describing work
Use names, not “a journalist”, “a person” or “a magazine”.
Instead: “Sam Smith showed...”, “Chavez at security.com did...”
“Most” modifies plural nouns or mass nouns:
The most chickens
The most money
“Largest” modifies singular nouns:
Largest chicken
Largest amount.
Largest portion.
A few repeat reminders
Avoid the passive!!
Sometimes it can't be helped, but a half dozen times in a paper this short should raise alarm bells.
Subject verb agreement
Make sure antecedents of all pronouns are clear
';' separates two closely related sentences
Be careful of simile and metaphor
A outscored B
No feelings
Rarely does it matter what you feel, but what you believe.
Have a section for each of the sections listed in the assignment. (First person is OK.)
Intro
Talk about spam: where it comes from, its problems, etc.
Related work
Describe at least two other experiments (with two citations)
Experiment
Describe the experiment setup (not the results).
Use past tense next time (you have already done this).
Results
Talk about the spam you received, and where and when.
Discuss results
Analyze what it means
What does it mean that email address 3 got more spam?
Conclusion
Summarize: why is spam bad, the results, and the implications of the experiment.
Any future work that seems immediately indicated.
I've made copies, so improve your work.
Definition:
Trojan horse backdoor tools that modify existing operating system software so that an attacker can hide on a machine and keep access to it. (Skoudis)
Note the difference from everything we've looked at thus far:
Other malicious software inserts itself in addition to the existing software.
Rootkits replace parts of it.
Disguised to look like normal parts of the system
Replace the dir command from DOS, for example.
Generally the new versions do not write to log files
Most administrative actions are logged
Network connections are logged too.
Two types:
User mode (replaces programs that users use)
Kernel mode (modifies the heart of the operating system)
Rootkits don't give admin access; they hide the fact that the attacker already has it.
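As an added example (not from the slides, and not any real rootkit's code), the following Python models what a user-mode rootkit does to a listing command such as dir or ls, and the cross-view check that exposes it: the trojaned lister produces the same output as the real one except that entries carrying an attacker-chosen tag disappear, and the detector compares the user-facing listing with a raw listing of the same directory. The tag, the file names and the scratch directory are all constructed for the demo. Caveat: both listings here call os.listdir, so the detector only works because the trojan sits above that call; against a kernel-mode rootkit that lies in the system call itself, the trusted view has to come from outside the running kernel, for instance by examining the disk from clean boot media.

```python
"""Added example (not from the slides): a user-mode rootkit-style
directory lister that hides the attacker's files, beside the
cross-view check that exposes it. Tag, names and paths are made up."""
import os
import tempfile

# Assumed attacker convention: any entry whose name contains this tag is hidden.
HIDE_TAG = "_r00t_"


def honest_list(path):
    """What the real 'ls'/'dir' reports: every entry the kernel returns.
    In a real check this view must come from a code path the rootkit
    cannot touch (a static binary, or the disk read offline); here it is
    plain os.listdir for the demo."""
    return sorted(os.listdir(path))


def trojaned_list(path):
    """The replaced 'ls'/'dir': identical output format, but the
    attacker's files simply never appear."""
    return [name for name in honest_list(path) if HIDE_TAG not in name]


def cross_view_diff(path):
    """Cross-view detection: anything present in the raw listing but
    missing from the user-facing one is being hidden from the user."""
    return sorted(set(honest_list(path)) - set(trojaned_list(path)))


def build_sample_dir():
    """Constructed sample data: a scratch directory holding three benign
    files and one attacker file carrying the hide tag."""
    d = tempfile.mkdtemp(prefix="rootkit_demo_")
    for name in ("passwd", "hosts", "motd", "sniffer" + HIDE_TAG + "log"):
        with open(os.path.join(d, name), "w") as f:
            f.write("sample\n")
    return d


if __name__ == "__main__":
    d = build_sample_dir()
    print("trojaned listing:", trojaned_list(d))
    print("hidden entries  :", cross_view_diff(d))
```

The same diff-two-views idea is what offline rootkit scanners do at larger scale (process list versus kernel task list, netstat versus raw socket table); the hard part in practice is obtaining a view the rootkit has not already filtered.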
Example
FakeGINA
User mode rootkit
Hooks GINA, the component used to log on to Windows
Intercepts username, domain and password on Windows NT/2000 machines
http://ntsecurity.nu/toolbox/fakegina/
Replaces any modified version of a system program
Does so transparently
What are the implications?
Why is FakeGINA not affected?
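As an added example (not from the slides, not Windows' own code, and not FakeGINA's), here is a baseline-hash checker in the spirit of the slide above: it keeps a pristine copy of each protected program and silently puts it back when the on-disk copy no longer matches. The second half of the scenario shows why a rootkit that installs as a separate file and gets loaded through a configuration pointer is untouched by such a check, which is the shape of the FakeGINA question: FakeGINA ships as its own DLL that Winlogon is configured to load, and forwards to the real msgina.dll rather than overwriting it. The system directory, the file contents and the config dictionary that stands in for the registry value are all constructed for the demo.

```python
"""Added example (not from the slides): a baseline-hash check that detects
and restores modified copies of protected programs, and the gap it leaves
when a rootkit is installed as a new file that a configuration pointer
loads instead of the original. Paths, contents and names are made up."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class ProtectedFiles:
    """Keeps a pristine copy and hash of each protected file (the cache),
    then transparently restores any file whose hash no longer matches."""

    def __init__(self, cache_dir):
        self.cache_dir = cache_dir
        self.baseline = {}  # path -> expected sha256

    def protect(self, path):
        shutil.copy2(path, os.path.join(self.cache_dir, os.path.basename(path)))
        self.baseline[path] = sha256_file(path)

    def scan_and_restore(self):
        """Returns the protected paths found modified; each is overwritten
        with the cached original."""
        restored = []
        for path, good in self.baseline.items():
            if sha256_file(path) != good:
                shutil.copy2(os.path.join(self.cache_dir, os.path.basename(path)), path)
                restored.append(path)
        return restored


def build_sample_system():
    """Constructed scenario: a fake system directory with one logon library,
    plus a config dict standing in for the registry value that names which
    library the logon process loads (assumption for the demo)."""
    root = tempfile.mkdtemp(prefix="wfp_demo_")
    sysdir = os.path.join(root, "system32")
    cache = os.path.join(root, "cache")
    os.makedirs(sysdir)
    os.makedirs(cache)
    with open(os.path.join(sysdir, "msgina.dll"), "wb") as f:
        f.write(b"GENUINE LOGON LIBRARY\n")
    config = {"GinaDLL": "msgina.dll"}
    return sysdir, cache, config


def scenario():
    sysdir, cache, config = build_sample_system()
    real = os.path.join(sysdir, "msgina.dll")
    wfp = ProtectedFiles(cache)
    wfp.protect(real)

    # Attack 1: patch the protected file in place. Detected and undone.
    with open(real, "ab") as f:
        f.write(b"+ CREDENTIAL LOGGER\n")
    overwrite_caught = wfp.scan_and_restore()

    # Attack 2: drop a new file and repoint the config at it. The original
    # is untouched, so the baseline check has nothing to object to.
    with open(os.path.join(sysdir, "fakegina.dll"), "wb") as f:
        f.write(b"LOG CREDENTIALS, THEN FORWARD TO msgina.dll\n")
    config["GinaDLL"] = "fakegina.dll"
    repoint_caught = wfp.scan_and_restore()

    return {
        "overwrite_caught": overwrite_caught,
        "repoint_caught": repoint_caught,
        "loaded": config["GinaDLL"],
        "original_intact": sha256_file(real) == wfp.baseline[real],
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, "=", v)
```

The practical lesson for a defender is that file-integrity checking has to cover the configuration that selects which files get loaded (registry values, service definitions, library search paths), not just the files that were shipped with the system.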
Have a good Thanksgiving.