Mitigating Computer Fraud In The Online Environment

Introduction

Mitigation of malicious code is increasingly complicated by the multi-staged and multi-variant attacks that take place daily on the Internet. It is now common for computers to remain infected for long periods with malicious browser helper objects, rootkits, and similar stealth code (Friedrichs, 2010). Identifying and removing such code from a computer can be especially difficult. In some cases, the only reasonable course is to completely wipe the system and reinstall it from an image known to be free of malicious code. Manual mitigation of malicious code is a structured process of threat identification, research, mitigation, and monitoring, carried out so that every component of an attack is removed.

Threat Identification

Threat identification is one of the most challenging components of malicious code mitigation. If the threat is not identified, it cannot be mitigated. Worse, if only part of the threat is identified, additional threats continue to operate undetected and a false sense of security emerges.

In most cases, administrators look more closely at a computer when something suspect occurs on that computer or on the network. It is common for users to call the help desk complaining of unexplained crashes, unusually slow performance, or similar problems that may point toward adware, spyware, or malicious code on the computer. Network administrators often locate suspect machines by analyzing network traffic, when questionable or unauthorized traffic, such as egress IRC traffic from a computer, triggers an alert (Gavish & Tucci, 2008).

Once a computer has been identified for further investigation, policies and procedures must be followed to maintain a chain of custody in case data from the computer need to be used as evidence. Once the analyst begins work on the computer, a few basic operating principles apply to threat identification:

Assume that the operating system (OS) cannot be trusted. If it has been compromised, a rootkit may exist on the computer that conceals files, processes, and more (http://www.kendunham.org/rootkit.wmv). Data may be stored in an alternate data stream (ADS). The operating system may still provide clues that facilitate the investigation, so investigate it, but do not blindly trust the results it reports. If you do not find what you are looking for, keep looking. The analyst may need to mount the drive in question from a separate, trusted system to gain full control over the file system.

Be comprehensive when it matters most. If legal counsel is to be involved and evidence collected, be comprehensive in the identification, collection, and processing of data. In addition, if malicious code is found on a computer, a thorough examination of all data must be completed to rule out additional malicious code, such as rootkits. For example, a downloader Trojan horse may be discovered, but if you do not look for a rootkit you will not know it is there. Remember to look into log files, multiple directories, hidden locations such as ADS, and backups (Gengler, 2001).
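As an added illustration of the ADS check described above (example script, not part of the original paper), the following PowerShell enumerates every non-default NTFS stream under a directory and writes the findings to a CSV for review. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the scan root and report path are assumed defaults that can be overridden.

```powershell
# Added example: list non-default NTFS alternate data streams for review.
# Assumes Windows PowerShell 3.0+ (Get-Item -Stream) and an NTFS volume.
param(
    [string]$Path   = 'C:\Users',                   # assumed scan root
    [string]$Report = "$env:TEMP\ads-report.csv"    # assumed report location
)

# The default data stream and the browser "mark of the web" stream are
# expected on many files; anything else is reported for manual review.
$KnownStreams = @(':$DATA', 'Zone.Identifier')

$findings = @(
    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream, including the default :$DATA
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $KnownStreams -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
)

# Largest streams first: a sizeable hidden stream deserves a closer look.
$findings | Sort-Object Length -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path $Report -NoTypeInformation

Write-Host ("{0} non-default stream(s) found under {1}; report written to {2}" -f `
    $findings.Count, $Path, $Report)

# Caveat from the principle above: these results come from the running OS.
# A kernel-mode rootkit can hide streams from this API, so an empty result is
# not proof of absence; repeat the scan on the drive mounted from a trusted system.
```

Run it from an elevated prompt so that protected user profiles are included in the scan.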

Don't blindly trust tools. If anti-virus proactively protected the computer, malicious code infections wouldn't ...