Dailydave mailing list archives
Re: VPC
From: Tyler <tyler () hudakville com>
Date: Sat, 23 Feb 2008 15:34:09 -0500
> My point in testing was mainly this one, if your sandbox is detectable there is no need to have one, since the malware code will simply decide to act differently... easy with cwsandbox, easy with norman, difficult with joebox.
To play devil's advocate, by your reasoning, if any tool is detectable there is no reason to have it. (Since a sandbox is really nothing more than a tool.) As you, I have seen many pieces of malware act differently, or not at all, if it detects VMs or a sandbox, but I have also seen pieces of malware do the same if it detects common analysis tools.

I truly believe sandboxes, and logically extended, sandnets will play a huge role in malware analysis in the future. I've been doing a lot of research on them recently and have given a couple presentations[1] in the last few months (not that I'm saying I'm an expert by any means whatsoever). However, like all security things, they will never replace the person sitting behind the computer interpreting the results and performing more analysis.

CWSandbox and Norman are getting picked on right now because they are the most used - give it time and people will figure out how to detect others like Anubis, Joebox and any others (if they haven't already). In other words, use them as a tool not a solution.

Tyler

[1] - http://www.korelogic.com/Resources/Presentations/Burying_Your_Head_in_the_SandNet.pdf
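One concrete way to act on the "tool, not a solution" point above is to run the same sample in more than one environment and compare the behaviour reports: a sample that does noticeably less in one sandbox than in another is a candidate for evasion and deserves the analyst's attention. The script below is an added example, not code from this thread or from any of the sandboxes named in it. It assumes each report has already been reduced to a set of normalized event strings (the exact format is the reader's choice), and the three reports it contains are constructed for illustration.

```python
"""Differential comparison of behaviour reports from several analysis environments.

Added example; not code from the Dailydave thread or from any sandbox vendor.
Assumption: each environment's report has been reduced to a set of normalized
event strings such as "file_write:<path>" or "dns_query:<name>".
"""
from itertools import combinations

# Constructed sample reports for one binary observed in three environments.
# In "sandbox_a" the sample only sleeps and exits, which is what an aborted
# run looks like when a sample decides it is being watched.
REPORTS = {
    "sandbox_a": {
        "process_create:sample.exe",
        "sleep:600s",
        "process_exit:sample.exe",
    },
    "sandbox_b": {
        "process_create:sample.exe",
        "sleep:600s",
        "file_write:%TEMP%\\dropper.dll",
        "dns_query:placeholder-c2.example",   # constructed name, not a real indicator
        "reg_set:CurrentVersion\\Run\\updater",
        "process_exit:sample.exe",
    },
    "bare_metal": {
        "process_create:sample.exe",
        "sleep:600s",
        "file_write:%TEMP%\\dropper.dll",
        "dns_query:placeholder-c2.example",
        "reg_set:CurrentVersion\\Run\\updater",
        "process_exit:sample.exe",
    },
}


def jaccard(a, b):
    """Similarity of two event sets in [0, 1]; two empty reports count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def compare_reports(reports, threshold=0.7):
    """Return every pair of environments whose behaviour diverges.

    Each finding is (env1, env2, similarity, only_in_env1, only_in_env2).
    Pairs at or above the similarity threshold are considered consistent.
    """
    findings = []
    for (n1, s1), (n2, s2) in combinations(sorted(reports.items()), 2):
        sim = jaccard(s1, s2)
        if sim < threshold:
            findings.append((n1, n2, round(sim, 3), sorted(s1 - s2), sorted(s2 - s1)))
    return findings


def suspected_evasive_environments(reports, threshold=0.7):
    """Name environments where the sample did strictly less than elsewhere.

    A report that is a proper subset of another environment's report, and
    dissimilar enough to cross the threshold, is the signature of a run the
    sample cut short; those environments should be reviewed by hand.
    """
    quiet = set()
    for n1, s1 in reports.items():
        for n2, s2 in reports.items():
            if n1 != n2 and s1 < s2 and jaccard(s1, s2) < threshold:
                quiet.add(n1)
    return sorted(quiet)


if __name__ == "__main__":
    for env1, env2, sim, only1, only2 in compare_reports(REPORTS):
        print(f"{env1} vs {env2}: similarity {sim}")
        for ev in only1:
            print(f"  only in {env1}: {ev}")
        for ev in only2:
            print(f"  only in {env2}: {ev}")
    print("review by hand:", suspected_evasive_environments(REPORTS))
```

The threshold is deliberately a parameter: how much divergence is normal depends on the environments being compared (different OS builds and different instrumentation produce some noise even for benign binaries), so it should be calibrated on samples known to behave the same everywhere before it is used to triage unknown ones.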