Building an Automated Behavioral Malware Analysis Environment using Free and Open-Source Software

1. Building an Automated Malware Behavioral Analysis Environment Using Free and Open-Source Tools
    Jim Clausing, PMTS, AT&T CSO
    18 Jun 2009

2. Thanx up front

3. The Author

4. Jim Clausing, GCIA, GCFA, GREM, GCIH, GCFW, GSIP, GSOC, SSP-MPA, CISSP
    GCIA (Gold) #64 – 2000
    GCFA (Gold) #25 – 2002
    GREM (Gold) #48 – 2005
    And other certs along the way…
    SANS Mentor, StaySharp/STAR instructor, CommunitySANS instructor, Internet Storm Center handler since 2002
    Instrument-rated private pilot – 2003/2004

5. The Paper

6. SANSFIRE 2008

7. The patches and scripts
    http://handlers.sans.org/jclausing/grem_gold/
    http://www.giac.org/certified_professionals/practicals/grem/48.php

8. The Environment – A Little History

9. In the beginning

10. Malware DB

11. Motivation – The Environment

12. Forest? Trees?

13. Unpacking may lead to surprises – like no results

14. We've got malware, now what?

15. Truman (well, and Joe Stewart) FTW

16. The Analysis Environment

17. Processing a Sample

18. Analysis Flow
19. Submission
    [jac@fltruman001 ~]$ for i in 090???-*.piz; do sudo submit.sh $i && mv $i old-malware/; sleep 10; done
    Archive: 090529-rnd_jpg.piz
      inflating: rnd.jpg
    *****Processing rnd.jpg - ONEBOOT******
    interface: eth1 (4.0.0.0/255.0.0.0)
    filter: (ip) and ( not port 45612 and not port 45611 and not tcp port 6987 and not udp port 32785 )
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
    tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1514 bytes
    Starting Faux FTP Server Emulation on port 21
    Starting Faux MySQL Server Emulation on port 3306
    Starting Faux SMTP Server Emulation on port 25
    Starting Faux SMB Server Emulation on port 445
    Starting Faux IRC Server Emulation on port 6667
    Starting Faux DNS Server Emulation on port 53
20. Monitoring
    [jac@fltruman001 ~]$ alias status
    alias status='cat /tmp/current.txt && echo "" && cat /tmp/sandnet*.log | tr -c "[:print:][:blank:] " "." ; tcpdump -nnr /tmp/sandnet.pcap -w - "not broadcast and (not src net 4.5.6 or not dst net 4.5.6)" | ipaudit -CST -r - -l 4.5.6.7 ; ngrep -I /tmp/sandnet.pcap "GET|POST|HEAD|OPTIONS|JOIN" "tcp port 80 and not host 4.5.6.1" | tr -c "[:print:][:blank:] " "."'
21. Monitoring, cont'd
    [jac@fltruman001 ~]$ status
    Server.exe
    request: name=ftp.sickbassline.com, class=IN, type=A, peer=4.5.6.7
    responseIP: 4.3.2.86
    responseIP: 4.3.2.63
    response: rcode=NOERROR, … …, auth=, add=, aa=1
    request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
    responseIP: 4.5.6.1
    response: rcode=NOERROR, ans=…, auth=, add=, aa=1
    Connection from 4.5.6.7
    USER 0wn@sickbassline.com
    PASS smokeweed
    TYPE A
    PORT 4,5,6,7,4,7
    STOR User.mps
    reading from file /tmp/sandnet.pcap, link-type EN10MB (Ethernet)
    4.5.6.7 4.3.2.86 6 1030 21 674 578 9 9 2009-06-04-11:24:02.2148 2009-06-04-11:24:03.3459 1 1
    4.5.6.7 224.0.0.22 2 0 0 0 108 0 2 2009-06-04-11:24:09.5569 2009-06-04-11:24:10.4709 1 1
    input: /tmp/sandnet.pcap
    filter: (ip) and ( tcp port 80 and not host 4.5.6.1 )
    match: GET|POST|HEAD|OPTIONS|JOIN
    ##########exit
22. Original Truman Analysis Tools

23. The 4 Areas of Analysis

24. The Report – Tool Output
25. Identify the OS
    Summary report for xxx.xxx-XPSP2-files created at ………
    OS info>>>
    kern - Determine OS from a Windows RAM Dump (v.0.1_20060914)
    Ex: kern <path_to_dump_file>
    File Description : NT Kernel & System
    File Version : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Internal Name : ntoskrnl.exe
    Original File Name :
    Product Name : Microsoft® Windows® Operating System
    Product Version : 5.1.2600.2180
26. Analyzing Network Traffic – fauxdns
    DNS>>>
    request: name=sslrapidshare.or.tp, class=IN, type=A, peer=4.5.6.7
    responseIP: 4.3.2.51
    responseIP: 4.3.2.154
    response: rcode=NOERROR, ans=… …, auth=, add=, aa=1
    request: name=gfmd1.or.tp, class=IN, type=A, peer=4.5.6.7
    responseIP: 4.3.2.104
    responseIP: 4.3.2.240
    response: rcode=NOERROR, ans=… …, auth=, add=, aa=1
    request: name=time.windows.com, class=IN, type=A, peer=4.5.6.7
    responseIP: 4.5.6.1
    response: rcode=NOERROR, ans=…, auth=, add=, aa=1

27. Analyzing Network Traffic – fauxftp
    Connection from 4.5.6.7
    USER 0wn@sickbassline.com
    PASS smokeweed
    TYPE A
    PORT 4,5,6,7,4,7
    STOR User.mps

28. Analyzing Network Traffic – fauxirc
    IRC>>>
    2009-05-27-16:49:17: Connection from 4.5.6.7
    2009-05-27-16:49:17: PASS lammers
    2009-05-27-16:49:17: NICK [00|USA|296161]
    2009-05-27-16:49:18: USER XP-8165 * 0 :ATT
    2009-05-27-16:49:18: MODE [00|USA|296161] +iB-x
    2009-05-27-16:49:18: JOIN #WiFi-a Crypt
    2009-05-27-17:00:13: QUIT System shutting down.
    2009-05-27-17:00:15: QUIT Leaving
29. Analyzing Network Traffic – ipaudit
    IP traffic>>>
    src dst proto sp dp bytes pkts start end 1/2
    4.5.6.7 4.3.2.51 6 1046 80 748 346 5 5 2009-05-27-16:49:17.1300 2009-05-27-16:49:17.1473 1 2
    4.5.6.7 4.3.2.104 6 1047 4242 816 697 10 10 2009-05-27-16:49:17.1613 2009-05-27-17:00:15.5921 1 2
    4.5.6.7 239.255.255.250 17 1050 1900 0 525 0 3 2009-05-27-16:49:17.3746 2009-05-27-16:49:23.3815 1 1
    4.5.6.7 224.0.0.22 2 0 0 0 108 0 2 2009-05-27-17:00:14.2087 2009-05-27-17:00:14.9690 1 1
30. Analyzing Network Traffic – tshark
    ===================================================================
    Protocol Hierarchy Statistics
    Filter: frame

    frame                          frames:602 bytes:733467
      eth                          frames:602 bytes:733467
        ip                         frames:573 bytes:731979
          tcp                      frames:387 bytes:146779
            http                   frames:30 bytes:22708
              short                frames:5 bytes:17790
              data-text-lines      frames:3 bytes:644
            data                   frames:8 bytes:849
          udp                      frames:57 bytes:10014
            nbdgm                  frames:11 bytes:2511
              smb                  frames:11 bytes:2511
                mailslot           frames:11 bytes:2511
                  browser          frames:11 bytes:2511
            nbns                   frames:27 bytes:2538
            dns                    frames:6 bytes:532
            http                   frames:3 bytes:525
            ntp                    frames:2 bytes:180
            bootp                  frames:8 bytes:3728
          short                    frames:127 bytes:575066
          igmp                     frames:2 bytes:120
        arp                        frames:29 bytes:1488
    ===================================================================
31. Analyzing Network Traffic – tcptrace
    HTTP>>>
    mod_http: Capturing HTTP traffic (port 80)
    1 arg remaining, starting with '../small.pcap'
    Ostermann's tcptrace -- version 6.6.7 -- Thu Nov 4, 2004
    10 packets seen, 10 TCP packets traced
    elapsed wallclock time: 0:00:00.002643, 3783 pkts/sec analyzed
    trace file elapsed time: 0:00:00.017257
    Http module output:
    4.5.6.7:1046 ==> 4.3.2.51:80 (a2b)
      Server Syn Time: Wed May 27 16:49:17.130145 2009 (1243457357.130)
      Client Syn Time: Wed May 27 16:49:17.130085 2009 (1243457357.130)
      Server Fin Time: Wed May 27 16:49:17.146947 2009 (1243457357.147)
      Client Fin Time: Wed May 27 16:49:17.147323 2009 (1243457357.147)
    GET /here2 HTTP/1.0
      Response Code: 404 (Not Found)
      Request Length: 66
      Reply Length: 468
      Content Length: 289
      Content Type : text/html;
      Time request sent: Wed May 27 16:49:17.130584 2009 (…)
      Time reply started: Wed May 27 16:49:17.146886 2009 (…)
      Time reply ACKed: Wed May 27 16:49:17.147077 2009 (…)
      Elapsed time: 16 ms (request to first byte sent)
      Elapsed time: 16 ms (request to content ACKed)
32. Analyzing Disk Image – AIDE
    ---------------------------------------------------
    Added files:
    ---------------------------------------------------
    added: /mnt/new/WINDOWS/avmont.exe
    added: /mnt/new/Documents and Settings/All Users/Application Data/TEMP
    ---------------------------------------------------
    Removed files:
    ---------------------------------------------------
    removed: /mnt/new/WINDOWS/system32/CatRoot2/tmp.edb
    ---------------------------------------------------
    Changed files:
    ---------------------------------------------------
    changed: /mnt/new/WINDOWS/system32/drivers/etc/hosts
    changed: /mnt/new/WINDOWS/WindowsUpdate.log
    changed: /mnt/new/WINDOWS/setupapi.log

33. Analyzing Disk Image – ADS
    Alternate Data Streams>>>
    /mnt/new/Documents and Settings/All Users/Application Data/TEMP -> 75443743
    getfattr --absolute-names -n ntfs.streams.list -PR /mnt/new

34. Analyzing Disk Image – RegRipper
    Registry Run Key changes>>>
    Registry Service Key changes>>>
    +AvMont|Monitor de Antivirus|"C:\WINDOWS\avmont.exe"|0x0|Auto Start|
    -RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Auto Start|
    +RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Disabled|
    -wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Auto Start|
    +wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Disabled|
    Firewall changes>>>
    -EnableFirewall -> 1
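As an added example (not from the slides and not part of the Truman or RegRipper tooling), the Python below triages the diff-style "Registry Service Key changes" section of the report: it pairs the baseline '-' records with the post-infection '+' records by service name and flags new auto-start services and watched security services that were pushed to Disabled. The record layout, the watch-list and the severities are assumptions.

```python
"""Triage a Truman-style 'Registry Service Key changes' section.

Added example; not from the slides nor the Truman/RegRipper tooling. Assumes
the report's diff-like format:  [+-]Name|DisplayName|ImagePath|Type|Start|
where '-' lines come from the clean baseline and '+' from the infected image.
"""

# Constructed sample: the service changes reported on the slide.
SAMPLE_SECTION = r"""
+AvMont|Monitor de Antivirus|"C:\WINDOWS\avmont.exe"|0x0|Auto Start|
-RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Auto Start|
+RemoteRegistry|Remote Registry|%SystemRoot%\system32\svchost.exe -k LocalService|Share_Process|Disabled|
-wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Auto Start|
+wscsvc|Security Center|%SystemRoot%\System32\svchost.exe -k netsvcs|Share_Process|Disabled|
""".strip().splitlines()

# Assumed watch-list: services malware commonly switches off (Security Center,
# Windows Firewall/ICS, Automatic Updates, Remote Registry).
WATCHED_SERVICES = {"wscsvc", "SharedAccess", "wuauserv", "RemoteRegistry"}
FIELDS = ("name", "display", "image", "type", "start")


def parse_service_line(line):
    """Return (sign, record) for a '+'/'-' service line, else None."""
    if not line or line[0] not in "+-":
        return None
    fields = line[1:].split("|")
    if len(fields) < len(FIELDS):      # e.g. '-EnableFirewall -> 1' is not a service line
        return None
    return line[0], dict(zip(FIELDS, fields))


def triage_service_changes(lines):
    """Pair baseline ('-') and infected ('+') records by name; return (severity, name, reason)."""
    before, after = {}, {}
    for line in lines:
        parsed = parse_service_line(line.strip())
        if parsed:
            sign, rec = parsed
            (before if sign == "-" else after)[rec["name"]] = rec
    findings = []
    for name, rec in after.items():
        old = before.get(name)
        if old is None:                # only in the infected image: new persistence
            sev = "HIGH" if rec["start"] == "Auto Start" else "MEDIUM"
            findings.append((sev, name, f"new service, {rec['start']}, image {rec['image']}"))
        elif old["start"] != rec["start"]:
            sev = "HIGH" if name in WATCHED_SERVICES and rec["start"] == "Disabled" else "LOW"
            findings.append((sev, name, f"start type {old['start']} -> {rec['start']}"))
        elif old["image"] != rec["image"]:   # same service name, different binary path
            findings.append(("HIGH", name, f"image path changed to {rec['image']}"))
    for name in before.keys() - after.keys():
        findings.append(("MEDIUM", name, "service removed"))
    return sorted(findings)
```

Run on the sample section it yields three HIGH findings: the new auto-start AvMont service and the Security Center and Remote Registry services moved from Auto Start to Disabled.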
35. Analyzing Disk Image – hosts file*
    Host file changes>>>
    +
    +127.0.0.1 www.symantec.com
    +127.0.0.1 securityresponse.symantec.com
    +127.0.0.1 symantec.com
    +127.0.0.1 www.sophos.com
    +127.0.0.1 sophos.com
    +127.0.0.1 www.mcafee.com
    +127.0.0.1 mcafee.com
    +127.0.0.1 liveupdate.symantecliveupdate.com
    +127.0.0.1 www.viruslist.com
    +127.0.0.1 viruslist.com
    +127.0.0.1 viruslist.com
    +127.0.0.1 f-secure.com
    +127.0.0.1 www.f-secure.com
    +127.0.0.1 kaspersky.com
    +127.0.0.1 kaspersky-labs.com
    +127.0.0.1 www.avp.com
    +127.0.0.1 www.kaspersky.com
    +127.0.0.1 avp.com
36. Memory Image Analysis – Volatility

37. Analyzing Memory Image – connections
    Open Ports>>>
    Local Address             Remote Address        Pid
    4.5.6.7:1047              4.3.2.104:4242        1484
    896 135 6 Wed May 27 20:39:59 2009
    1032 1027 17 Wed May 27 20:40:13 2009
    1096 1900 17 Wed May 27 20:40:14 2009
    1484 1047 6 Wed May 27 20:49:18 2009
    < 908 -> 135 TCP
    > 896 -> 135 TCP
    9,11c9,11
    < 992 -> 1032 TCP
    > 1484 avmont -> 1047 TCP C:\WINDOWS\avmont.exe
    14,15c14,16
    < 992 -> 138 UDP
    < 908 -> 445 UDP
    > 1484 avmont -> 137 UDP C:\WINDOWS\avmont.exe
    > 0 System -> 138 UDP
    > 896 -> 445 UDP
38. Memory/Static Binary Analysis – ssdeep
    ssdeep info>>>
    1536:RVt4qqO5FjciL3KBupEAbAX/e9SP+IaiOW:eu5tciL3KApRbAz+Ia1W,"abod.exe"
    768:ruBNNTLa973GMVkIZqqnO5FDvcTsvJesUJDSP+f4/cF1oGoiOWK:YVt4qqO5FjcSe9SP+JaiOW,"/data/forensics/abod.exe-XPSP2-files/0c596000-abod.exe"
    --------------------------------------------------------------------------------
    ssdeep info>>>
    1536:0BlSTT+JwGgVXGsOkCMGVLwaQyafnSI0OYRr:0BYNlVXGsOtPwFtfm,"1b1e067fdb0f2a44a50d9e290022b9ed.exe"
    1b1e067fdb0f2a44a50d9e290022b9ed.exe matches e933dbd16c9509418a2212c9d62c7976.exe (80)
    3072:0zhQO2dw847UiImHkwebMPK4wRE4pRThKt/94:09QbViEwEM94TThKt14,"/data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe"
    /data/forensics/1b1e067fdb0f2a44a50d9e290022b9ed.exe-XPSP2-files/0ca74000-sandnet.exe matches /data/forensics/e933dbd16c9509418a2212c9d62c7976.exe-XPSP2-files/007bc000-sandnet.exe (96)
39. Static Binary Analysis – binhash
    BinHash info>>>
    File: [/forensics/exes/abod.exe] b826d0f222242c1e48f4e1ebe778a534
    PE Phdr: af86103672ba3bba2d21f2691465520f
    PE Opt Hdr: f8ea55a399eeec409874af01ca0cf01d
    Import [1] Offset: (f570) Size: (180): 93f613363a9cb87c3a20e3f2e1fc47b7
    Import [12] Offset: (f000) Size: (608): eafa58275a218a26f92631bf75b10b8f
    [0] (.text)
    (VirtualAddress: 00001000) (PtrToData: 00001000) (SizeOfData: 0000e000)
    Shdr: aaa4cacbb1cc38713961cc2e5931b982
    Shdr Data: f571948f8203e66d09c87b00ae748c8d
    [1] (.rdata)
    (VirtualAddress: 0000f000) (PtrToData: 0000f000) (SizeOfData: 00002000)
    Shdr: 46aa637bbc2c0335c427f6ca42021df9
    Shdr Data: 3b10f3f4c6012e87d46686464575926c
    [2] (.data)
    (VirtualAddress: 00011000) (PtrToData: 00011000) (SizeOfData: 00003000)
    Shdr: cff63d398711731f58eee390a6ce8513
    Shdr Data: 71cc6a0ff1c18b313d21f1f03229738e

40. Static Binary Analysis – packerid.py
    Packer info>>>
    [['Armadillo v1.71'], ['Microsoft Visual C++ v5.0/v6.0 (MFC)'], ['Microsoft Visual C++']]

41. Static Binary Analysis – Volatility malfind.py*
    #
    # lsass.exe (Pid: 676)
    #
    + VAD node @821bfb00 Start 00c60000 End 00c6ffff Tag VadS Flags 18
    + VAD node @8236b208 Start 00c80000 End 00c96fff Tag VadS Flags 18
      - Status: disassembling with pydasm...
      0xc80000 call 0x567d
      0xc80005 retn 0x8
      0xc80008 push ecx
      0xc80009 push esi
      0xc8000a call 0x1582
    Found 2 suspicious Vad entries
42. Limitations

43. Future Work

44. More Future Work

45. Questions?
    E-mail: jac@att.com or jclausing@isc.sans.org

46. SANS Mentor Class – SEC 508 (Forensics)
    For those of you from central OH (or folks you work with), I'll be facilitating another mentor class in the fall.
    Thursday evenings from 6:30-8:30PM in Reynoldsburg, OH running 10 Sep-12 Nov.
    http://www.sans.org/mentor/details.php?nid=19458
