Honeypots mailing list archives

Re: Looking for Honeypots???


From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Thu, 06 Apr 2006 12:06:58 -0700


On 06.04.2006, at 10:55, David Jiménez Domínguez wrote:

> One example is the submit-norman module in nepenthes... when the
> malware has anti-VMware techniques (for example by looking for the
> VMware Tools registry key or a MAC address) the report sent by Norman
> is useless...

Please note that the Norman Sandbox does not run under VMware, so checking for registry keys will not help a given piece of malware :-) Consult the whitepaper about the Sandbox to learn more about it: http://sandbox.norman.no/pdf/03_sandbox%20whitepaper.pdf

> In the near future could someone write code to first inspect the
> characteristics of the "sandhost" where the malware is run, and make
> some DNS queries to a domain name where this information is
> shown???... for example:
>
> mac00-00-00-71-B4-AA.com
> so.win2k.net
> vmware.present.net
> ip.192.168.1.2.com
>
> this information is going to be sent to the bad guy by email and he
> could map all the information he needed
>
> Do you know if it is possible?

Depends on how the sandbox is designed. If the sandbox is isolated from the Internet, there should be no communication flow. Certainly there could be some covert channel using the output of the sandbox, though....

Just my thoughts,
  Thorsten
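
The DNS-based fingerprint leak described in the quoted message, seen from the sandbox operator's side, as an added example that is not part of the original post nor of nepenthes or the Norman Sandbox: a small Python scanner over constructed sandbox DNS query names that flags names carrying a MAC address, an IPv4 address or a VM/OS keyword in their labels. It assumes the sandbox answers DNS itself (a local sinkhole resolver) so that every query is logged instead of reaching the Internet; the regular expressions, the keyword list and the sample queries are assumptions, with the four names from the thread reused as the positive cases. As Thorsten notes, an isolated sandbox blocks the leak outright; this check is for spotting the attempt in the logs.

```python
import re

# Constructed sample of query names a sinkhole resolver inside the sandbox
# might log. The first four are the names proposed in the thread; the last
# two are benign lookups added for contrast.
SAMPLE_QUERIES = [
    "mac00-00-00-71-B4-AA.com",
    "so.win2k.net",
    "vmware.present.net",
    "ip.192.168.1.2.com",
    "www.example.com",
    "time.windows.com",
]

# Six hex octets separated by '-' or ':' anywhere in the name (assumed pattern).
MAC_RE = re.compile(r"(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}", re.I)
# Four consecutive numeric labels, i.e. a dotted IPv4 address smuggled
# into the name (assumed pattern).
IPV4_LABELS_RE = re.compile(r"(?:^|\.)(?:\d{1,3}\.){3}\d{1,3}(?:\.|$)")
# Labels that name a virtualisation product, a sandbox or an OS version
# (assumed list; extend for the environment being monitored).
FINGERPRINT_WORDS = {
    "vmware", "vbox", "virtualbox", "sandbox",
    "win2k", "winxp", "win2003",
}


def classify(qname):
    """Return the reasons a single query name looks like a host fingerprint.

    An empty list means nothing suspicious was found.
    """
    reasons = []
    lowered = qname.lower().rstrip(".")
    if MAC_RE.search(lowered):
        reasons.append("mac-address")
    if IPV4_LABELS_RE.search(lowered):
        reasons.append("ipv4-in-labels")
    hits = FINGERPRINT_WORDS.intersection(lowered.split("."))
    if hits:
        reasons.append("fingerprint-word:" + ",".join(sorted(hits)))
    return reasons


def flag_queries(qnames):
    """Map each suspicious query name to its reasons; benign names are omitted."""
    flagged = {}
    for qname in qnames:
        reasons = classify(qname)
        if reasons:
            flagged[qname] = reasons
    return flagged


if __name__ == "__main__":
    for qname, reasons in flag_queries(SAMPLE_QUERIES).items():
        print(f"{qname}: {', '.join(reasons)}")
```

The regular expressions only catch the plain encoding sketched in the thread; an author who hex-encodes or hashes the fingerprint defeats them, which is why the stronger control is the one Thorsten describes: no path from the sandbox to the Internet at all, with every query answered locally and logged.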
