Re: [Full-Disclosure] Unpacking Sasser
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Unpacking Sasser
- From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
- Date: Mon, 03 May 2004 13:36:41 +1200
"Lee" <cheekypeople@xxxxxxxxx> wrote:

> As a side note I use VMware workstation and GSX server edition to create
> environments that can be trashed and re-used at will, just wanted to add
> another secure way of testing malware etc...

"Secure" so long as you are careful with the virtual-to-physical
network configuration. Far too many are not...

Also, as with running under a debugger, the VM environment can be
sensed by the code being tested, which can choose to act entirely
differently from how it would otherwise. There is malware that does this
and there will be more in future, so as always "Don't try this at home
kids"...

In short, whilst careful and thoughtful analysis can be greatly aided
by tools such as VMware and SoftICE, simply running or tracing a
suspect .EXE under such an environment is far from sufficient if "a
modestly adequate analysis" is the desired result.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854