[Dailydave] VPC
Tyler
tyler at hudakville.com
Sat Feb 23 15:34:09 EST 2008
> My point in testing was mainly this one, if your sandbox is detectable
> there is no need to have one, since the malware code will simply decide
> to act differently... easy with cwsandbox, easy with norman, difficult
> with joebox.
To play devil's advocate, by your reasoning, if any tool is detectable
there is no reason to have it. (Since a sandbox is really nothing
more than a tool.) Like you, I have seen many pieces of malware act
differently, or not at all, if it detects VMs or a sandbox, but I have
also seen pieces of malware do the same if it detects common analysis
tools.
I truly believe sandboxes, and logically extended, sandnets will play
a huge role in malware analysis in the future. I've been doing a lot
of research on them recently and have given a couple of presentations[1]
in the last few months (not that I'm saying I'm an expert by any means
whatsoever).
However, like all security things, they will never replace the person
sitting behind the computer interpreting the results and performing
more analysis. CWSandbox and Norman are getting picked on right now
because they are the most used - give it time and people will figure
out how to detect others like Anubis, Joebox and any others (if they
haven't already). In other words, use them as a tool not a solution.
Tyler
[1] -
http://www.korelogic.com/Resources/Presentations/Burying_Your_Head_in_the_SandNet.pdf