Dailydave mailing list archives
Re: VPC
From: "John H. Sawyer" <jsawyer () ufl edu>
Date: Sat, 23 Feb 2008 09:07:42 -0500
On Feb 22, 2008, at 12:18 PM, Jared DeMott wrote:
shouldn't a good sandbox basically just have something like wireshark watching? That way you're (relatively) sure you'll catch all net traffic? As for malware being able to detect and poop-out if in a virtual environment, perhaps the CW guy can speak to that? I think that's a real problem for most virtual environments like a sandbox. So if it's super critical we find out exactly what the malware is doing, and scaling is not a problem, perhaps a physical (but air gapped) net is the only way to roll?
That's the idea behind the TRUMAN sandnet. Joe Stewart released it in 2006 (I think) and did a presentation about it at ShmooCon (and a few other places). The setup can be as simple as two machines with a crossover cable. One of the systems is the controller that sniffs all network traffic and emulates services like DNS, SMTP, IRC, SMB, MySQL (scripts are included for those). You could add your own fake services and deploy nepenthes to collect malware as it is used to exploit services. The sacrificial host automatically downloads the malware from the controller and executes it. After running for X minutes, processes run on the host to collect data (registry changes, memory dump, etc.). Once time is up, the machine reboots and, via PXE booting, the sacrificial host is imaged back to the controller and a fresh image is placed back on it. Rinse and repeat. There is no Internet connection and everything can be fully self-contained.

TRUMAN
http://www.secureworks.com/research/tools/truman.html

Shmoocon video
http://www.shmoocon.org/2006/videos/Stewart-Malware.mp4

-jhs
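The controller-side "fake DNS" that the message describes is the piece most worth seeing concretely: on an air-gapped sandnet the malware's first action is usually a name lookup, and the controller has to answer every one of them with its own address so that the follow-on C2, SMTP or IRC traffic lands on the controller's emulated services instead of timing out. The block below is an added illustration written for this page, not one of the TRUMAN scripts or anything Joe Stewart released. It assumes a controller address of 10.0.0.1 on the crossover link (SINK_IP, an assumption), answers every A/IN query with that address, returns an empty NOERROR reply for other record types so the malware's resolver does not stall, logs what was asked, and drops malformed or non-query packets rather than guessing. The make_query helper only exists to build constructed sample traffic for testing offline.

```python
# Minimal DNS sinkhole for the controller of an air-gapped sandnet.
# Added example, not part of TRUMAN. SINK_IP is an assumed controller address.
import socket
import struct

SINK_IP = "10.0.0.1"   # assumed address of the controller on the crossover link


def encode_qname(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_query(txid, name, qtype=1):
    """Build a standard recursive query; used only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_qname(data, offset):
    """Read an uncompressed QNAME at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed label in question section")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(data):
    """Return (txid, qname, qtype, qclass, raw question bytes) for one query."""
    if len(data) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = parse_qname(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    return txid, qname, qtype, qclass, data[12:off + 4]


def sinkhole(query, sink_ip=SINK_IP, ttl=60):
    """Return (response bytes, qname, qtype), or None if the packet should be dropped.

    A/IN queries get a single answer pointing at sink_ip; any other type gets
    a NOERROR reply with no answers so the resolver moves on instead of retrying.
    """
    try:
        txid, qname, qtype, qclass, question = parse_query(query)
    except (ValueError, IndexError, UnicodeDecodeError, struct.error):
        return None  # malformed, truncated, or not a query: drop silently
    answers, ancount = b"", 0
    if qtype == 1 and qclass == 1:
        answers = (b"\xc0\x0c"                         # pointer to the question name
                   + struct.pack("!HHIH", 1, 1, ttl, 4)  # type A, class IN, TTL, RDLENGTH
                   + socket.inet_aton(sink_ip))
        ancount = 1
    # flags 0x8180: QR=1, RD=1, RA=1, RCODE=0 (NOERROR)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)
    return header + question + answers, qname, qtype


def serve(bind_ip="0.0.0.0", port=53, sink_ip=SINK_IP):
    """Answer UDP/53 on the sandnet link and print every name the sample asks for."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, src = sock.recvfrom(512)
        result = sinkhole(data, sink_ip)
        if result is None:
            print(f"{src[0]} dropped {len(data)}-byte packet")
            continue
        resp, qname, qtype = result
        print(f"{src[0]} asked {qname} type={qtype} -> {sink_ip}")
        sock.sendto(resp, src)


if __name__ == "__main__":
    serve()  # needs root (or CAP_NET_BIND_SERVICE) for port 53
```

The answer-type choice matters more than it looks: a sinkhole that returns NXDOMAIN for everything lets the sample conclude its C2 is dead and go quiet, while answering every type with an A record can confuse resolvers that asked for MX or AAAA. Answering A with the controller and everything else with an empty NOERROR keeps most samples talking. Pairing this with a packet capture on the same interface gives the "wireshark watching" view Jared asked about without any route to the real Internet.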