Shmoocon 2006: Behavioral Malware Analysis Using Sandnets


A common approach to analyzing malware is to turn it loose inside of a VMware session, but some malware can detect virtual machines and refuses to run when it finds one. Joe Stewart has developed a tool called Truman that can be used to construct a sandnet. The sandnet expands on the idea of using VMware as a sandbox: the malware runs inside a normal OS environment, not a virtual one, and it interacts with what it thinks is an entire network.

This is how the setup works: you have two machines connected using a crossover network cable. Machine 1 is the server and machine 2 is the client that the malware will be run on. Machine 2 is booted via PXE into a clean Windows install (or whatever OS your malware is for). Once booted, it begins watching a directory on the server for the malware’s exe. Once you copy the executable into the directory, the Windows machine copies the file and executes it. After 10 minutes the Windows machine dumps its physical memory to disk and then shuts down. An image of the newly infected Windows file system is then saved. The client machine then boots into Linux for analysis of the new Windows image. Truman improves analysis speed because you don’t have to constantly reimage the client machine by hand.

The PXE server also acts as a faux Internet for the client machine. By watching tcpdump you can see what outbound connections the malware is trying to make. To aid in this process, Truman includes several fauxservers, which are just simple Perl scripts designed to act like servers. The fauxservers tell the malware exactly what it wants to hear in hopes that it will cough up logins, passwords and other useful information.
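A fauxserver in the spirit of Truman’s Perl scripts, written here in Python as an added example (this is not Truman’s code): it answers like an FTP server, accepts any login, and records whatever credentials the sample sends. The `simulate_sample` client and its credentials are constructed stand-ins for the malware.

```python
import socket
import socketserver
import threading

# Everything the "client" (the sample under analysis) hands over, in order.
CAPTURED = []


class FauxFTPHandler(socketserver.StreamRequestHandler):
    """Talks like an FTP server, accepts any login, and logs the credentials."""

    def handle(self):
        self.wfile.write(b"220 faux-ftp ready\r\n")
        user = None
        while True:
            line = self.rfile.readline()
            if not line:
                return  # peer hung up
            cmd, _, arg = line.decode("latin-1").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.wfile.write(b"331 Password required\r\n")
            elif cmd == "PASS":
                CAPTURED.append({"peer": self.client_address[0], "user": user, "password": arg})
                self.wfile.write(b"230 Login successful\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                # Agree with anything else so the sample keeps talking.
                self.wfile.write(b"200 OK\r\n")


def start_faux_ftp(host="127.0.0.1", port=0):
    """Run the listener on a background thread; returns (server, bound port)."""
    server = socketserver.ThreadingTCPServer((host, port), FauxFTPHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def simulate_sample(port):
    """Constructed stand-in for the malware: logs in with hard-coded credentials."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        rd = s.makefile("rb")
        rd.readline()  # banner
        for line in (b"USER dropzone\r\n", b"PASS s3cret\r\n", b"QUIT\r\n"):
            s.sendall(line)
            rd.readline()  # one status line per command
    return CAPTURED


if __name__ == "__main__":
    srv, p = start_faux_ftp()
    print(simulate_sample(p))
    srv.shutdown()
```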


Shmoocon 2006: Dan Geer Keynote

I attended ShmooCon 2006, Jan. 13-15. I had been waiting for the video and slides from the con to be posted, but I figured I should start posting before I completely forget what went on. Over the next few days I’ll be posting about the various talks I attended.

Dan Geer’s keynote was one of my favorite talks from the con. He believes that “if people respect you enough to have you deliver a keynote, respect your audience enough to write it out”. Thanks to that, he’s provided the full text and a PDF of the slides from his talk. My summary won’t do it justice, but you can at least know what you are getting yourself into. Read on.


Hack-A-Day Extra


ShmooCon starts in two days and… uh… I’m sure I’ll be caught up with work by then. (UPDATE: [Tom] has an interview with Bruce and Beetle from the ShmooGroup.) On a more important note: Yehoshua’s borg seems to have gotten lost on its way home from a New Year’s party and our Folding team has taken a hit. We’ve got sitemeter stats now in case you’ve ever wondered. It has only been active for two days, so the math is a little off.

More links after the jump (you should grab a beverage).


Hack-A-Day Extra


From the photo above you can see the holidays have been treating me pretty well. [bugloaf] brought a bottle of pisco back from Peru for me. My parents mounted the laser-cut logo that [smouldering-dog] had sent me. They also gave me a copy of The Radioactive Boy Scout: The Frightening True Story of a Whiz Kid and His Homemade Nuclear Reactor. I should have it finished by Shmoocon, so if you see me there and ask for it, I’ll gladly give it up (since I don’t have any swag right now).

Team Hack-A-Day is still cranking away, turning in over 8 million points in 3.5 months. If you’re tired of your family you can always come idle in the #hackaday channel on Efnet.

More links after the jump.


22C3 Day 00 And 01 Round Up

Today and yesterday’s 22C3 included tons of fun hacker stuff. Highlights from day 00 and 01 included a slew of topics from politics to hardcore geekery. We toured the CCC’s annual hackfest to bring you the best of the new hacks.

We commence our tour with Hack-A-Day’s friend Dan “I Like Big Graphs and I Cannot Lie” Kaminsky. Dan presented yummy OpenGL graphics and DNS cache proof of the Sony Rootkit around the world. He also released Xovi, a tool which allows you to do network visualizations in realtime. Realtime: we dig it.

Next on to fun scanning of 3G wireless networks! The team of btk and ahzf presented a rather thorough intro to GPRS/UMTS packet theory (we use the term theory rather concretely here because packet loss and lag are rampant on cellphone-based data networks all over the world). Slides for the talk in PDF format are here. They showed how to circumvent packet filtering / port filtering / data type filtering on data networks. This can be extremely useful when trying to run VoIP applications over a cellphone network, since they are usually blocked.

Also of note was the talk on IrDA hotel system hacking presented by Major Malfunction, which we mentioned when we were at Toorcon.


Chaos Computer Club’s 22C3 Congress

Hack-A-Day is here at 22C3: Private Investigations, the Chaos Computer Club’s annual hacker conference in snow-covered Berlin, Germany. The CCC’s annual Congress is the European answer to the Las Vegas-based DEFCON. This 22nd annual conference has been lengthened from three days to four to accommodate more talks.

We’ll be here all week reporting on the coolest hardware hack topics at the conference from talks to Blinkenlights. If you’re here, drop us a line in the comments!
