Full Disclosure mailing list archives
Re: Unpacking Sasser
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 03 May 2004 13:36:41 +1200
"Lee" <cheekypeople () sec33 com> wrote:
As a side note I use Vmware workstation and GSX server edition to create enviroments that can be trashed and re-used at will, just wanted to add another secure way of testing malware etc...
"Secure" so long as you are careful with the the virtual-to-physical network configuration. Far too many are not... Also, as with running under a debugger, the VM environment can be sensed by the code being tested and choose to act entirely differently from how it would otherwise. There is malware that does this and there will be more in future, so as always "Don't try this at home kids"... In short, whilst careful and thoughtful analysis can be greatly aided by tools such as VMWare and SoftICE, simply running or tracing a suspect .EXE under such an environment is far from sufficient if "a modestly adequate analysis" is the desired result. -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Unpacking Sasser Tom K (May 02)
- Re: Unpacking Sasser IndianZ (May 02)
- Re: Unpacking Sasser Byron Copeland (May 02)
- Re: Unpacking Sasser Andrew Ruef (May 02)
- Re: Unpacking Sasser - (May 02)
- Re: Unpacking Sasser Lee (May 02)
- Re: Unpacking Sasser Nick FitzGerald (May 02)
- Re: Unpacking Sasser Lee (May 03)
- Determinig VMWare environment (was: Unpacking Sasser) Spiro Trikaliotis (May 03)
- Re: Determinig VMWare environment (was: Unpacking Sasser) Lee (May 03)
- Re: Unpacking Sasser Gary E. Miller (May 03)
- Catching Sasser Shashank Rai (May 04)
- Re: Unpacking Sasser - (May 02)
- Re: Unpacking Sasser IndianZ (May 02)
- <Possible follow-ups>
- RE: Unpacking Sasser Angelaix (May 02)