Dailydave mailing list archives

Re: VPC


From: Tyler <tyler () hudakville com>
Date: Sat, 23 Feb 2008 15:34:09 -0500

My point in testing was mainly this one: if your sandbox is detectable
there is no need to have one, since the malware code will simply decide
to act differently... easy with cwsandbox, easy with norman, difficult
with joebox.

To play devil's advocate, by your reasoning, if any tool is detectable 
there is no reason to have it.  (Since a sandbox is really nothing 
more than a tool.)  As you, I have seen many pieces of malware act 
differently, or not at all, if it detects VMs or a sandbox, but I have 
also seen pieces of malware do the same if it detects common analysis 
tools.

I truly believe sandboxes, and logically extended, sandnets will play 
a huge role in malware analysis in the future.  I've been doing a lot 
of research on them recently and have given a couple of presentations[1] 
in the last few months (not that I'm saying I'm an expert by any means 
whatsoever).

However, like all security things, they will never replace the person 
sitting behind the computer interpreting the results and performing 
more analysis.  CWSandbox and Norman are getting picked on right now 
because they are the most used - give it time and people will figure 
out how to detect others like Anubis, Joebox and any others (if they 
haven't already).  In other words, use them as a tool not a solution.

Tyler


[1] - 
http://www.korelogic.com/Resources/Presentations/Burying_Your_Head_in_the_SandNet.pdf
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave