Honeypots mailing list archives
Re: Stealth VM
From: Robert Sandilands <rsandilands () authentium com>
Date: Mon, 10 Nov 2008 10:33:22 -0500
Hi Thorsten,

If you can provide a better unbiased view of current threats I would love for you to tell the world about it. Whatever the limitations of the Wildlist may be, it is the best unbiased view we have on the threats out there. It is easy to criticize something and I think the Wildlist has become a popular project to criticize, but I have yet to hear of any viable alternatives.

I never measured formal statistics on the number of samples that worked in VMware and those that did not. At some stage it just turned out to be more efficient not to even try replicating it on VMware and we stopped doing it.

How confident are you that the samples you receive are matches for the actual Wildlist malware? Using detection names generally has very limited value.

Robert

Thorsten Holz wrote:
> On Fri, Nov 7, 2008 at 3:53 PM, Robert Sandilands <rsandilands () authentium com> wrote:
> > The majority of Wildlist samples will not work in VMWare.
>
> Robert, do you have some concrete numbers for that claim? In our test, we observed that less than 10% of the samples did not run within VMware (tested about half a year ago). This test was based on the samples we receive at cwsandbox.org, so it may be a bit biased. But if I take a look at the Wildlist (where I doubt that it provides a realistic overview of current threats), I see lots of online gaming stealers, IRC bots, and similar malware that commonly does not include checks for VMware. Thus some more evidence for your claim would be nice.
>
> Cheers,
> Thorsten
--
---------------------------------------------------------------------
Robert Sandilands: Director, AV
Disclaimer: http://robert.rsa3.com/disclaimer.html
Authentium: Home of Command Software
www.authentium.com