Penetration Testing mailing list archives
RE: Exploit package analysis
From: "Todd Towles" <toddtowles () brookshires com>
Date: Fri, 29 Jul 2005 11:01:28 -0500
Agreed, but those as internal malware findings. You can very quickly get a sense of where and what is doing external in a sandbox. If it is a botnet, you can find where it is going and have it shutdown by the time you find your way thru all the functions. You can have it running on a VMWare network running ethereal, when you are using IDA against it on another box. Maximize your time and get the most information. For sure, RCE using IDA is at the core of analyzing malware and you have a very good point. I am pretty sure anti-virus companies run malware in sandboxes...safer that way. I once infected myself while attempt RCE, tried to unpack a sample with a UPX unpacker, it loaded the file into memory and ran it. I cleared it off without a problem, so no harm done. Stuff happens...
-----Original Message----- From: Justin Ferguson [mailto:jnferguson () gmail com] Sent: Thursday, July 28, 2005 7:45 PM To: Todd Towles Cc: Erin Carroll; pen-test () securityfocus com Subject: Re: Exploit package analysis If you are using windows, then IDA, if you are using unix, then objdump. You do not need a sandbox, just need to know how to read assembly. On 7/28/05, Todd Towles <toddtowles () brookshires com> wrote:A bit off-topic, but I would look into VMWare. There areseveral Linuxtools that will work the same as well. A separate OSenvironment wouldbe very helpful in your new interest. Plus, it is very easyto go backto a fresh OS state after a malware analyzing session.-----Original Message----- From: Erin Carroll [mailto:amoeba () amoebazone com] Sent: Thursday, July 28, 2005 11:45 AM To: pen-test () securityfocus com Subject: Exploit package analysis All, Some of the fun of moderating this list is getting a wideexposureto aspects of pen-testing I have yet to tackle. One thingmanagingthe list has prompted me to explore is exploit/code package analysis... thanks to all the spam I get to sift through :) In addition to worrying about my poker game, manly endowment & performance, and Rolex collection (once I get money frommy friendsin Nigeria), I get a lot of spams with attachments, usually .zip, that are obviously malware that I'd like to open upsafely and seehow they tick. I'm hoping to pick up some interesting pen-test techniques by looking at the current state of malware exploits to see how they work/reproduce/hide at the system level.While most ofthem I assume will be run-of-the-mill spambot or zombiegenerators,there's always a chance of running across a 0-day in the wild. My question to all of you is what are some basic sandboxtools youwould recommend to pursue this? Does anyone work in asimilar veinand has the experience been helpful in your pen-testing work? -- Erin Carroll "Do Not Taunt Happy-Fun Ball"
Current thread:
- Exploit package analysis Erin Carroll (Jul 28)
- RE: Exploit package analysis Eyal Udassin (Jul 28)
- Re: Exploit package analysis Mattias Ahnberg (Jul 29)
- RE: Exploit package analysis Matt (Jul 30)
- <Possible follow-ups>
- RE: Exploit package analysis Todd Towles (Jul 28)
- Re: Exploit package analysis Justin Ferguson (Jul 29)
- Re: RE: Exploit package analysis mark . handy (Jul 29)
- RE: Exploit package analysis Todd Towles (Jul 29)
- RE: Exploit package analysis Lars Troen (Jul 29)