funsec mailing list archives

Re: Malware plays Defense


From: der Mouse <mouse () rodents montreal qc ca>
Date: Fri, 5 Oct 2007 09:09:22 -0400 (EDT)

> malware writers have given their code the ability to detect if it is
> inside a VMware session.

Software cannot tell when it's running under emulation, if the
emulation is sufficiently good; this just means that VMware is not
"sufficiently good" for those purposes.  There must be something
they're not emulating correctly (where "correctly" here means "the way
real hardware does it").

> This allows the worm writers to find out if someone is attempting to
> analyze their exploits.

Not quite; there are other reasons for running under VMware.  I know
someone who routinely runs *everything* in a VMware session (hardware
compatibility issues).

Perhaps someone should approach the VMware people about producing a
version that *is* "sufficiently good"?

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse () rodents montreal qc ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B