Dailydave mailing list archives
Re: VPC
From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Sun, 24 Feb 2008 18:32:31 +0100

Thierry Zoller wrote:
| Some malware I've seen is actively detecting cwsandbox, sandboxie, norman and vmware
| and is taking a different execution path and logic from there on. If you try to
| detect malware using sandboxes in an automatic fashion, that's a bad
| prerequisite.
|

While it might be true that *today* some malware behaves differently depending on whether it detects a presence of a VMM (e.g. VMWare), this is not expected to be true anymore in the near future.

Right now there is a trend to "virtualize everything" on the server side, but we also start seeing trends to do that on the desktop platforms. It is quite likely that within 3 years, most desktops will be running under some sort of a hypervisor or will be hosting some hypervisor.

So, the question would be: whether my sandbox malware analyzer is or is not indistinguishable from VMWare, XEN, VPC, etc.

j.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave