Penetration Testing mailing list archives

RE: Exploit package analysis

From: "Eyal Udassin" <eyal () swiftcoders com>
Date: Fri, 29 Jul 2005 00:08:47 +0200

Hello Erin,

I run into this sort of work while doing forensics/incident response
projects, never as part of a pentest.

Anyhow, the site at http://virusscan.jotti.org/ will probably be of use.
In the event that the previous site was not able to classify the suspected
malware, I recommended running it on a separate box (or VM) and following
it's execution with softice, strace or any other monitoring/debugging tool
you're familiar with. Format the dedicated box when you're done.
If you're lucky and it's a small and non-obfuscated code, you can always
reverse it and identify it's characteristics by static code analysis.


Regards,

Eyal Udassin - Swift Coders
POB 1596 Ramat Hasharon, 47114
972+547-684989
eyal () swiftcoders com

-----Original Message-----
From: Erin Carroll [mailto:amoeba () amoebazone com] 
Sent: Thursday, July 28, 2005 6:45 PM
To: pen-test () securityfocus com
Subject: Exploit package analysis


All,

Some of the fun of moderating this list is getting a wide exposure to
aspects of pen-testing I have yet to tackle. One thing managing the list has
prompted me to explore is exploit/code package analysis... thanks to all the
spam I get to sift through :)

In addition to worrying about my poker game, manly endowment & performance,
and Rolex collection (once I get money from my friends in Nigeria), I get a
lot of spams with attachments, usually .zip, that are obviously malware that
I'd like to open up safely and see how they tick. I'm hoping to pick up some
interesting pen-test techniques by looking at the current state of malware
exploits to see how they work/reproduce/hide at the system level. While most
of them I assume will be run-of-the-mill spambot or zombie generators,
there's always a chance of running across a 0-day in the wild.

My question to all of you is what are some basic sandbox tools you would
recommend to pursue this? Does anyone work in a similar vein and has the
experience been helpful in your pen-testing work?


--
Erin Carroll
"Do Not Taunt Happy-Fun Ball"

Current thread:

Exploit package analysis Erin Carroll (Jul 28)
- RE: Exploit package analysis Eyal Udassin (Jul 28)
- Re: Exploit package analysis Mattias Ahnberg (Jul 29)
- RE: Exploit package analysis Matt (Jul 30)
- <Possible follow-ups>
- RE: Exploit package analysis Todd Towles (Jul 28)
  - Re: Exploit package analysis Justin Ferguson (Jul 29)
- Re: RE: Exploit package analysis mark . handy (Jul 29)
- RE: Exploit package analysis Todd Towles (Jul 29)
- RE: Exploit package analysis Lars Troen (Jul 29)