Slide 1 By: Date: 09/03/2003 Info Security Writing and Rootkits.


1 Slide 1 By: Date: 09/03/2003 Info Security Writing and Rootkits.

2 Slide 2 Admin. Papers. Topic Main: Phil, Backup: John. One from me: http://www.geek.com/news/geeknews/2005Nov/gee20051122033430.htm Class times and finals schedule.

3 Slide 3 Papers. Section headings: for a longer paper, use section headings. Look at the assignment; several sections are required. For the related work section, start a new paragraph for each complete experiment that you describe. When describing work, use names, not “a journalist”, “a person” or “a magazine”. Instead: “Sam Smith showed...”, “Chavez at security.com did an...”

4 Slide 4 Mass vs Count again. “Most” modifies plural nouns or mass nouns: the most chickens, the most money. “Largest” modifies singular nouns: largest chicken, largest amount, largest portion.

5 Slide 5 Reminders. A few repeat reminders. Avoid the passive!! Sometimes it can't be helped, but a half dozen times in a paper this short should raise alarm bells. Subject-verb agreement. Make sure antecedents of all pronouns are clear. ';' separates two closely related sentences. Be careful of simile and metaphor. A outscored B. No feelings: rarely does it matter what you feel, but what you believe.

6 Slide 6 Next Draft. Have a section for each of the sections listed in the assignment (first person ok). Intro: talk about spam, where it comes from, its problems, etc. Related work: describe at least two other experiments (with two citations). Experiment: describe the experiment setup (not the results); use past tense next time (you did this already). Results: talk about the spam you received and where and when.

7 Slide 7 Next Draft II. Discuss results: analyze what it means. What does it mean that email address 3 got more spam? Conclusion: summarize (why is spam bad, results and implications for experiment). Any future work that seems immediately indicated. I've made copies, so improve your work.

8 Slide 8 Rootkits. Definition: Trojan horse backdoor tools that modify existing operating system software so that an attacker can hide on a machine and keep access to it (Skoudis). Note the difference from everything that we've looked at thus far: other software inserts itself in addition to existing software; rootkits replace parts.

9 Slide 9 Rootkits. Disguised to look like normal parts of the system: replace the dir command from DOS, for example. Generally the new versions do not write to log files (most administrative actions are logged; network connections are logged too). Two types: user mode (replaces programs that users use) and kernel mode (modifies the heart of the operating system). Rootkits don't give admin access; they hide the fact that the attacker has it.

10 Slide 10 MS Windows rootkit example: FakeGINA. User-mode rootkit. Used to log on to Windows. Intercepts username, domain and password from WinNT/2000 machines. http://ntsecurity.nu/toolbox/fakegina/

11 Slide 11 Windows File Protection. Replaces any modified versions of a system program. Does so transparently. What are the implications? Why is FakeGINA not affected?
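
Added example (not from the slides): on Windows NT/2000/XP, Winlogon loads msgina.dll unless a GinaDLL value under the Winlogon registry key names a different DLL, so a replaced GINA shows up in the registry and not as a changed system file. The sketch below checks an already-decoded text export of that key. The function names and both sample exports are constructed for illustration.

```python
import re

# Real Windows key/value names; everything else here is illustrative.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_GINA = "msgina.dll"   # used by Winlogon when no GinaDLL value exists

# "name"="string data" lines of a regedit export; \\ and \" are escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_strings(text):
    """Map lowercased key path -> {lowercased value name: string data}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                current[_unescape(m.group(1)).lower()] = _unescape(m.group(2))
    return keys

def check_gina(export_text):
    """Return (status, dll): 'default', 'review', or 'unknown' (key absent)."""
    values = parse_reg_strings(export_text).get(WINLOGON_KEY.lower())
    if values is None:
        return ("unknown", None)
    gina = values.get("ginadll")
    if gina is None:
        return ("default", DEFAULT_GINA)
    # Anything but the bare stock name (another DLL, or a path that merely
    # ends in msgina.dll) needs a human to confirm it is an approved GINA.
    if gina.lower() == DEFAULT_GINA:
        return ("default", gina)
    return ("review", gina)

# Constructed sample exports (not captured from a real host).
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''
SUSPECT_EXPORT = CLEAN_EXPORT + '"GinaDLL"="fakegina.dll"\n'

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_EXPORT), ("suspect", SUSPECT_EXPORT)):
        print(label, check_gina(text))
```

A "review" result is not proof of compromise, since some legitimate products installed their own GINA; it marks a host whose logon DLL should be checked against what was deliberately deployed.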

12 Slide 12 More next Monday. Have a good Thanksgiving.

