[Dailydave] VPC

Jared DeMott demottja at msu.edu
Fri Feb 22 12:18:53 EST 2008


Thorsten Holz wrote:
> On Thu, Feb 21, 2008 at 1:54 PM, Dave Aitel <dave at immunityinc.com> wrote:
>
>   
>>  There's another one called CWSandbox that has a free web form you can
>>  send exe's to.
>>     
>
> You can either send a sample to <https://cwsandbox.org/?page=submit>
> or <http://research.sunbelt-software.com/submit.aspx>
> More info about the tool is available in an article
> (<http://pi1.informatik.uni-mannheim.de/filepool/publications/j2holz.pdf>)
>  and an example report is
> <https://cwsandbox.org/?page=details&id=156851&password=iokop>
>
>   
>> (They hook a bunch of things but I think you can escape
>>  the hooking by calling system calls directly?)
>>     
>
>   

One thing I like about sandboxes is that they take a higher level view 
of malware than a debugger type tool or IDA.  (So they tend to scale 
better than hiring more of us RE guys.)  So even if the malware has some 
crazy way of sending network data that isn't hooked by most tools ... 
shouldn't a good sandbox basically just have something like wireshark 
watching?  That way you're (relatively) sure you'll catch all net 
traffic?  As for malware being able to detect and poop-out if in a 
virtual environment, perhaps the CW guy can speak to that?  I think 
that's a real problem for most virtual environments like a sandbox.  So 
if it's super critical we find out exactly what the malware is doing, and 
scaling is not a problem, perhaps a physical (but air gapped) net is the 
only way to roll?

Jared

> But then you are not platform independent. CWSandbox was originally
> designed to automatically analyze the malware we capture with the help
> of honeypots (worms, bots, ...), but has evolved a lot since then.
>
> Cheers,
>   Thorsten
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
>
>   

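The point raised above, that network visibility should not depend on whatever the sandbox happens to hook, can be made concrete with a capture taken outside the guest (a tap, a span port, or the host's capture interface) and then summarised per flow. The following is an added example, not code from the original thread and not part of CWSandbox: a minimal pcap reader that lists every IPv4 TCP/UDP flow and every DNS query name in a capture, so a direct-syscall or custom-stack sender still shows up. The capture bytes are constructed in code with placeholder addresses and names; all function names here are assumptions.

```python
"""Summarise every IPv4 flow and DNS query in a pcap, independent of in-guest hooks."""
import socket
import struct
from collections import Counter

# ---- helpers that build a constructed capture (assumed names, test data only) ----

def build_eth_ipv4(proto, src, dst, payload):
    """Ethernet II frame carrying a minimal IPv4 header (no options) plus payload."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload

def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def build_tcp_syn(sport, dport):
    # 20-byte header: seq=1, ack=0, data offset 5, flags=SYN, window 8192
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)

def dns_query(name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def build_pcap(packets):
    """Classic pcap: little-endian global header, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, p in enumerate(packets):
        out.append(struct.pack("<IIII", 1_200_000_000 + i, 0, len(p), len(p)) + p)
    return b"".join(out)

def sample_capture():
    """Constructed traffic: one DNS lookup, then a (retransmitted) TCP SYN to port 4444."""
    return build_pcap([
        build_eth_ipv4(17, "10.0.0.5", "10.0.0.1",
                       build_udp(40000, 53, dns_query("update.example.test"))),
        build_eth_ipv4(6, "10.0.0.5", "203.0.113.10", build_tcp_syn(49152, 4444)),
        build_eth_ipv4(6, "10.0.0.5", "203.0.113.10", build_tcp_syn(49152, 4444)),
    ])

# ---- the part the sandbox would actually run over a real capture ----

def parse_qname(data, off):
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        labels.append(data[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels)

def summarise_pcap(blob):
    """Return {'flows': {(proto, src, sport, dst, dport): count}, 'dns_queries': [...]}"""
    magic, = struct.unpack("<I", blob[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", blob[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled here")
    flows, dns, off = Counter(), [], 24
    while off + 16 <= len(blob):
        _, _, incl, _ = struct.unpack(endian + "IIII", blob[off:off + 16])
        pkt = blob[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":      # non-IPv4: not summarised
            continue
        ihl = (pkt[14] & 0x0F) * 4
        proto = pkt[23]
        src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
        l4 = pkt[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
            flows[("tcp" if proto == 6 else "udp", src, sport, dst, dport)] += 1
            if proto == 17 and dport == 53 and len(l4) >= 8 + 12:   # UDP hdr + DNS hdr
                dns.append(parse_qname(l4, 8 + 12))
        else:
            flows[("ip%d" % proto, src, None, dst, None)] += 1     # raw IP, ICMP, etc.
    return {"flows": dict(flows), "dns_queries": dns}

if __name__ == "__main__":
    for flow, n in summarise_pcap(sample_capture())["flows"].items():
        print(n, flow)
```

Because the summary is built from what crossed the wire rather than from hooked send()/connect() calls, the retransmitted SYN to 203.0.113.10:4444 and the DNS lookup both appear even if the sample reached the network by a path the sandbox never instrumented; the same reader works on a file written by tcpdump on the capture host.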