Agreed, but those as internal malware findings. You can very quickly get
a sense of where and what is doing external in a sandbox. If it is a
botnet, you can find where it is going and have it shutdown by the time
you find your way thru all the functions. You can have it running on a
VMWare network running ethereal, when you are using IDA against it on
another box. Maximize your time and get the most information.
For sure, RCE using IDA is at the core of analyzing malware and you have
a very good point. I am pretty sure anti-virus companies run malware in
sandboxes...safer that way.
I once infected myself while attempt RCE, tried to unpack a sample with
a UPX unpacker, it loaded the file into memory and ran it. I cleared it
off without a problem, so no harm done. Stuff happens...
-----Original Message-----
From: Justin Ferguson [mailto:jnferguson@gmail.com]
Sent: Thursday, July 28, 2005 7:45 PM
To: Todd Towles
Cc: Erin Carroll; pen-test@securityfocus.com
Subject: Re: Exploit package analysis
If you are using windows, then IDA, if you are using unix,
then objdump. You do not need a sandbox, just need to know
how to read assembly.
On 7/28/05, Todd Towles <toddtowles@brookshires.com> wrote:
A bit off-topic, but I would look into VMWare. There are
several Linux
tools that will work the same as well. A separate OS
environment would
be very helpful in your new interest. Plus, it is very easy
to go back
to a fresh OS state after a malware analyzing session.
-----Original Message-----
From: Erin Carroll [mailto:amoeba@amoebazone.com]
Sent: Thursday, July 28, 2005 11:45 AM
To: pen-test@securityfocus.com
Subject: Exploit package analysis
All,
Some of the fun of moderating this list is getting a wide
exposure
to aspects of pen-testing I have yet to tackle. One thing
managing
the list has prompted me to explore is exploit/code package
analysis... thanks to all the spam I get to sift through :)
In addition to worrying about my poker game, manly endowment &
performance, and Rolex collection (once I get money from
my friends
in Nigeria), I get a lot of spams with attachments, usually .zip,
that are obviously malware that I'd like to open up
safely and see
how they tick. I'm hoping to pick up some interesting pen-test
techniques by looking at the current state of malware exploits to
see how they work/reproduce/hide at the system level.
While most of
them I assume will be run-of-the-mill spambot or zombie
generators,
there's always a chance of running across a 0-day in the wild.
My question to all of you is what are some basic sandbox
tools you
would recommend to pursue this? Does anyone work in a
similar vein
and has the experience been helpful in your pen-testing work?
--
Erin Carroll
"Do Not Taunt Happy-Fun Ball"
