funsec mailing list archives
Re: Malware plays Defense
From: der Mouse <mouse () rodents montreal qc ca>
Date: Fri, 5 Oct 2007 09:09:22 -0400 (EDT)
> malware writers have given their code the ability to detect if it is inside a VMware session.
Software cannot tell when it's running under emulation, if the emulation is sufficiently good; this just means that VMware is not "sufficiently good" for those purposes. There must be something they're not emulating correctly (where "correctly" here means "the way real hardware does it").
> This allows the worm writers to find out if someone is attempting to analyze their exploits.
Not quite; there are other reasons for running under VMware. I know someone who routinely runs *everything* in a VMware session (hardware compatibility issues).

Perhaps someone should approach the VMware people about producing a version that *is* "sufficiently good"?

/~\ The ASCII                             der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse () rodents montreal qc ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B