Honeypots mailing list archives

Re: Stealth VM


From: Robert Sandilands <rsandilands () authentium com>
Date: Mon, 10 Nov 2008 10:33:22 -0500

Hi Thorsten,

If you can provide a better unbiased view of current threats I would
love for you to tell the world about it. Whatever the limitations of the
Wildlist may be, it is the best unbiased view we have on the threats out
there. It is easy to criticize something and I think the Wildlist has
become a popular project to criticize, but I have yet to hear of any
viable alternatives.

I never measured formal statistics on the number of samples that worked
in VMware and those that did not. At some stage it just turned out to be
more efficient not to even try replicating it on VMware and we stopped
doing it.

How confident are you that the samples you receive are matches for the
actual Wildlist malware? Using detection names generally has very
limited value.

Robert

Thorsten Holz wrote:
> On Fri, Nov 7, 2008 at 3:53 PM, Robert Sandilands
> <rsandilands () authentium com> wrote:
>> The majority of Wildlist samples will not work in VMWare.
>
> Robert, do you have some concrete numbers for that claim? In our test,
> we observed that less than 10% of the samples did not run within
> VMware (tested about half a year ago). This test was based on the
> samples we receive at cwsandbox.org, so it may be a bit biased. But if
> I take a look at the Wildlist (where I doubt that it provides a
> realistic overview of current threats), I see lots of online gaming
> stealers, IRC bots, and similar malware that commonly does not include
> checks for VMware. Thus, some more evidence for your claim would be
> nice.
>
> Cheers,
>   Thorsten


-- 
---------------------------------------------------------------------
Robert Sandilands: Director, AV
Disclaimer: http://robert.rsa3.com/disclaimer.html
Authentium: Home of Command Software
www.authentium.com