[Dailydave] VPC
John H. Sawyer
jsawyer at ufl.edu
Sat Feb 23 09:07:42 EST 2008
On Feb 22, 2008, at 12:18 PM, Jared DeMott wrote:
> shouldn't a good sandbox basically just have something like
> wireshark watching? That way you're (relatively) sure you'll catch
> all net traffic? As for malware being able to detect and poop-out
> if in a virtual environment, perhaps the CW guy can speak to that?
> I think that's a real problem for most virtual environments like a
> sandbox. So if it's super critical we find out exactly what the
> malware is doing, and scaling is not a problem, perhaps a physical
> (but air gapped) net is the only way to roll?
That's the idea behind the TRUMAN sandnet. Joe Stewart released it in
2006 (I think) and did a presentation about it at ShmooCon (and a few
other places). The setup can be as simple as two machines with a
crossover cable. One of the systems is the controller that sniffs all
network traffic and emulates services like DNS, SMTP, IRC, SMB, MySQL
(scripts are included for those). You could add your own fake services
and deploy nepenthes to collect malware as it is used to exploit
services. The sacrificial host automatically downloads the malware
from the controller and executes it. After running for X minutes,
processes run on the host to collect data (registry changes, memory
dump, etc). Once time is up, the machine reboots and via PXE booting,
the sacrificial host is imaged back to the controller and a fresh
image is placed back on it. Rinse and repeat. There is no Internet
connection and everything can be fully self-contained.
TRUMAN
http://www.secureworks.com/research/tools/truman.html
Shmoocon video
http://www.shmoocon.org/2006/videos/Stewart-Malware.mp4
-jhs
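The controller-side service emulation described above, as an added example (this is not TRUMAN's own script): a minimal fake DNS responder that answers every A query with the controller's address so the sample's lookups resolve inside the air-gapped net, and logs each name asked for. The sinkhole address 10.0.0.1 and the bind port are assumptions.

```python
"""Fake DNS responder for an isolated sandnet controller (added example).

Every A query is answered with the controller's own IP; other query types
get an empty NOERROR reply.  Each lookup is printed as a sandnet log line.
"""
import socket
import struct

SINKHOLE_IP = "10.0.0.1"  # assumed controller address on the crossover link


def parse_query(packet):
    """Return (txid, qname, qtype, question_bytes) from a raw DNS query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # a question name is never compressed
            raise ValueError("unexpected compression pointer")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, packet[12:pos + 4]


def build_response(txid, question, qtype, ip=SINKHOLE_IP, ttl=60):
    """Build the reply: an A record pointing at the sinkhole, else NODATA."""
    if qtype != 1:  # only A queries (type 1) get an answer record
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # answer: pointer to the name at offset 12, type A, class IN, TTL, rdlength 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def serve(bind="0.0.0.0", port=53):
    """Loop forever answering queries from the sacrificial host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            txid, name, qtype, question = parse_query(data)
        except (ValueError, IndexError, struct.error):
            continue  # malformed or not a query; ignore it
        print(f"{addr[0]} asked for {name!r} type {qtype}")  # sandnet log line
        sock.sendto(build_response(txid, question, qtype), addr)


if __name__ == "__main__":
    serve()
```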