funsec mailing list archives

Malware plays Defense


From: Gregory Hicks <ghicks () cadence com>
Date: Fri, 5 Oct 2007 00:03:54 -0700 (PDT)

[...]

Often, we take it for granted that we can keep dangerous code in a
sandbox. We can use proxies to hide our IP addresses, we can spoof
email to hide our real identities, and we can sandbox an environment
with VMware to protect our machines while we look at potentially
malicious binaries, right?

Unfortunately, that's no longer the case. It may be old news to the
vast majority of malware researchers out there, but over the last few
years, malware writers have given their code the ability to detect if
it is inside a VMware session. This allows the worm writers to find out
if someone is attempting to analyze their exploits.

This capability puts a big crimp in a lot of anti-malware detection
services that attempt to do large-scale sweeps of the Internet in hopes
of finding malware signatures before their competitors do.

[...]

More:
http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=134970

---------------------------------------------------------------------
Gregory Hicks                           | Principal Systems Engineer
Cadence Design Systems                  | Direct:   408.576.3609
555 River Oaks Pkwy M/S 9B1
San Jose, CA 95134

I am perfectly capable of learning from my mistakes.  I will surely
learn a great deal today.

"A democracy is a sheep and two wolves deciding on what to have for
lunch.  Freedom is a well armed sheep contesting the results of the
decision."

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

