Dailydave mailing list archives

Re: VPC

From: Jared DeMott <demottja () msu edu>
Date: Fri, 22 Feb 2008 12:18:53 -0500

Thorsten Holz wrote:

On Thu, Feb 21, 2008 at 1:54 PM, Dave Aitel <dave () immunityinc com> wrote:

 There's another one called CWSandbox that has a free web form you can
 send exe's to.


You can either send a sample to <https://cwsandbox.org/?page=submit>
or <http://research.sunbelt-software.com/submit.aspx>
More info about the tool is available in an article
(<http://pi1.informatik.uni-mannheim.de/filepool/publications/j2holz.pdf>)
 and an example report is
<https://cwsandbox.org/?page=details&id=156851&password=iokop>

(They hook a bunch of things but I think you can escape
 the hooking by calling system calls directly?)

One thing I like about sandboxes is that they take a higher level viewof malware than a debugger type tool or IDA. (So they tend to scalebetter than hiring more of us RE guys.) So even if the malware has somecrazy way of sending network data that isn't hooked by most tools ...shouldn't a good sandbox basically just have something like wiresharkwatching? That way you're (relatively) sure you'll catch all nettraffic? As for malware being able to detect and poop-out if in avirtual environment, perhaps the CW guy can speak to that? I thinkthat's a real problem for most virtual environments like a sandbox. Soif its super critical we find out exactly what the malware is doing, andscaling is not a problem, perhaps a physical (but air gapped) net is theonly way to role?


Jared

But then you are not platform independent. CWSandbox was originally
designed to automatically analyze the malware we capture with the help
of honeypots (worms, bots, ...), but has evolved a lot since then.

Cheers,
  Thorsten
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

Re: VPC, (continued)
- - - Re: VPC Andrew R. Reiter (Feb 22)
    - Re: VPC Eduardo Tongson (Feb 22)
    - Re: VPC Jared DeMott (Feb 22)
    - Re: VPC Thierry Zoller (Feb 23)
    - Re: VPC Joanna Rutkowska (Feb 25)
    - Re: VPC dan (Feb 25)
    - Re: VPC Joanna Rutkowska (Feb 25)
    - Re: VPC Kurt Baumgartner (Feb 22)
    - Re: VPC John H. Sawyer (Feb 23)
- Re: VPC Thorsten Holz (Feb 21)
  - Re: VPC Jared DeMott (Feb 22)
    - Re: VPC John H. Sawyer (Feb 23)
  - Re: VPC Halvar Flake (Feb 27)
- Re: VPC Thierry Zoller (Feb 22)
- Re: VPC Alexander Sotirov (Feb 24)
- Re: VPC Anthony Lineberry (Feb 28)
  - Re: VPC Matt Richard (Feb 29)
    - Re: VPC Jon Oberheide (Feb 29)
    - Re: VPC Andrew R. Reiter (Mar 03)
- Re: VPC Thierry Zoller (Feb 23)
  - Re: VPC Tyler (Feb 23)

(Thread continues...)