Re: [Full-Disclosure] Unpacking Sasser

From: Lee (cheekypeople_at_sec33.com)
Date: 05/03/04

    To: <nick@virus-l.demon.co.uk>, <full-disclosure@lists.netsys.com>
    Date: Mon, 3 May 2004 08:56:51 +0100
    
    

    Hi Nick, thanks for the comments. I can see your point. I do take advantage
    of the vmxnets in VMware to stop anything coming out but a remote SSH
    connection in; as always, "understand what you use, not take it for
    granted" applies.

    I am intrigued by your point about malware understanding the environment:

    "VM environment can be
    > sensed by the code being tested and choose to act entirely differently
    > from how it would otherwise."

    I have never seen this before; have you any pointers for me? I use ESX
    server a lot, and malware being able to detect my environment is something I
    haven't seen before. It would kind of go against the very nature of ESX server.
    Like I said, I am very interested in this as it would help to safeguard our
    testing environments.

    What suggestions would you give for creating an adequate environment?

    Kind Regards

    Lee @ STS
    http://www.seethrusec.co.uk
    Building Knowledge and Security..
    ----- Original Message -----
    From: "Nick FitzGerald" <nick@virus-l.demon.co.uk>
    To: <full-disclosure@lists.netsys.com>
    Sent: Monday, May 03, 2004 2:36 AM
    Subject: Re: [Full-Disclosure] Unpacking Sasser

    > "Lee" <cheekypeople@sec33.com> wrote:
    >
    > > As a side note I use VMware Workstation and GSX Server edition to create
    > > environments that can be trashed and re-used at will, just wanted to add
    > > another secure way of testing malware etc...
    >
    > "Secure" so long as you are careful with the virtual-to-physical
    > network configuration. Far too many are not...
    >
    > Also, as with running under a debugger, the VM environment can be
    > sensed by the code being tested and choose to act entirely differently
    > from how it would otherwise. There is malware that does this and there
    > will be more in future, so as always "Don't try this at home kids"...
    >
    > In short, whilst careful and thoughtful analysis can be greatly aided
    > by tools such as VMWare and SoftICE, simply running or tracing a
    > suspect .EXE under such an environment is far from sufficient if "a
    > modestly adequate analysis" is the desired result.
    >
    >
    > --
    > Nick FitzGerald
    > Computer Virus Consulting Ltd.
    > Ph/FAX: +64 3 3529854
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >
