Dailydave mailing list archives
Re: VPC
From: Jared DeMott <demottja () msu edu>
Date: Fri, 22 Feb 2008 12:18:53 -0500
Thorsten Holz wrote:
> On Thu, Feb 21, 2008 at 1:54 PM, Dave Aitel <dave () immunityinc com> wrote:
> > There's another one called CWSandbox that has a free web form you can send exe's to.
>
> You can either send a sample to <https://cwsandbox.org/?page=submit> or <http://research.sunbelt-software.com/submit.aspx>
>
> More info about the tool is available in an article (<http://pi1.informatik.uni-mannheim.de/filepool/publications/j2holz.pdf>) and an example report is <https://cwsandbox.org/?page=details&id=156851&password=iokop>
>
> > (They hook a bunch of things but I think you can escape the hooking by calling system calls directly?)
One thing I like about sandboxes is that they take a higher-level view of malware than a debugger-type tool or IDA. (So they tend to scale better than hiring more of us RE guys.) So even if the malware has some crazy way of sending network data that isn't hooked by most tools ... shouldn't a good sandbox basically just have something like Wireshark watching? That way you're (relatively) sure you'll catch all net traffic? As for malware being able to detect and poop out if in a virtual environment, perhaps the CW guy can speak to that? I think that's a real problem for most virtual environments like a sandbox. So if it's super critical we find out exactly what the malware is doing, and scaling is not a problem, perhaps a physical (but air-gapped) net is the only way to roll?
Jared
> But then you are not platform independent.
>
> CWSandbox was originally designed to automatically analyze the malware we capture with the help of honeypots (worms, bots, ...), but has evolved a lot since then.
>
> Cheers,
> Thorsten
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
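Dave's remark that the hooking can be escaped by calling system calls directly, and Jared's point that a sandbox should also watch below the hooks, as an added example that is not part of the original thread and not CWSandbox's code (CWSandbox hooks Windows API functions; this is a Linux stand-in). The program interposes connect() the way a user-mode sandbox hook would, then issues the same request once through the normal API and once as a raw syscall. The UNIX-domain path used as the "C2" target is a made-up placeholder that nothing listens on.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <unistd.h>

/* How many connect() attempts the simulated sandbox hook has observed. */
static int hook_hits = 0;

/* Simulated user-mode API hook. Defining connect() in the executable makes
 * every ordinary connect() call in this program bind here instead of to
 * libc, which is the same interposition a sandbox performs on a monitored
 * process. The hook records the attempt, then forwards to the kernel
 * exactly as libc would. (Added illustration, not CWSandbox's mechanism.) */
int connect(int fd, const struct sockaddr *addr, socklen_t len)
{
    hook_hits++;
    fprintf(stderr, "[hook] connect(fd=%d) observed\n", fd);
    return (int)syscall(SYS_connect, fd, addr, len);
}

/* Hypothetical target: a UNIX-domain path nothing listens on, so the attempt
 * fails with ENOENT either way. Only whether the hook saw it matters. */
static void c2_target(struct sockaddr_un *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    strncpy(sa->sun_path, "/tmp/example-c2-not-listening", sizeof sa->sun_path - 1);
}

/* Path 1: the "malware" calls connect() through the normal API.
 * Returns how many hook hits this single attempt generated (expected 1). */
int connect_via_api(void)
{
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    int before = hook_hits;

    c2_target(&sa);
    connect(fd, (struct sockaddr *)&sa, sizeof sa);
    if (fd >= 0)
        close(fd);
    return hook_hits - before;
}

/* Path 2: the identical request issued as a raw system call, skipping libc
 * and therefore the hook. Returns hook hits generated (expected 0), even
 * though the kernel processed the same connect request. */
int connect_via_syscall(void)
{
    struct sockaddr_un sa;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    int before = hook_hits;

    c2_target(&sa);
    syscall(SYS_connect, fd, &sa, sizeof sa);   /* never touches connect() above */
    if (fd >= 0)
        close(fd);
    return hook_hits - before;
}

int main(void)
{
    printf("API call:    hook saw %d attempt(s)\n", connect_via_api());
    printf("raw syscall: hook saw %d attempt(s)\n", connect_via_syscall());
    return 0;
}
```

Two things the run makes concrete. SYS_connect is a kernel ABI number that differs by operating system and architecture (and, on Windows, by build), so the raw-syscall path buys hook evasion at the cost of portability, which is the trade-off Thorsten's "not platform independent" refers to. And the kernel still handles the second request, so an observer sitting below the hook (packet capture on the host or a kernel-level trace, rather than in-process API hooks) sees both attempts, which is the reason Jared wants something like Wireshark watching regardless of what the hooks catch.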
Current thread:
- Re: VPC Tyler (Feb 23)