[Dshield] Malware analysis question
Brenden Walker
BKWalker at drbsystems.com
Wed Mar 12 19:06:08 GMT 2008
> -----Original Message-----
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Pete Cap
> Sent: Wednesday, March 12, 2008 11:49 AM
> To: list at lists.dshield.org
> Subject: [Dshield] Malware analysis question
>
> List,
>
> Anyone care to settle a disagreement?
>
<snip>
> However, I'm pretty sure that if you haven't got an IP, and
> the binary uses TCP/IP to communicate, that you would not see
> any traffic. Windows would simply not pass it, it would be
> rejected, whatever (you would see ethernet frames and
> whatnot, DHCP requests, but no IP traffic).
>
> Which is correct? And, can someone please explain to me what
> happens, on a technical or application level, when a binary
> wants to communicate? What does it "talk" to? I confess
> that I have no real idea of how this works.
Under Windows, communication happens through Windows Sockets, basically a
Windows API.
I just did a test under VMware running Windows XP SP2 with Wireshark
capturing on a NIC with no IP address. No traffic was captured from
attempts to browse the web, Windows Update, telnet or ping. I believe
applications will get an immediate "connect failed" trying to open a
socket to a specific address.
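The reply above describes the failure from the packet-capture side (nothing on the wire). As an added illustration, not part of the original thread, the script below shows the other side of the same check: what the application sees when it calls connect() on a host with no usable IP, which is useful in a malware-analysis sandbox to tell "the sample never tried" from "the sample tried and the stack refused". The host, port and the error-to-meaning table are assumptions for the example; which specific code a given Windows stack returns when no address is configured is not stated in the thread.

```python
import errno
import socket

# Meaning of the common connect() failures for an analyst reading a sandbox
# run. On Windows, Python's errno module already carries the Winsock values
# (e.g. errno.ECONNREFUSED == 10061), so the same names work cross-platform.
CONNECT_FAILURE_MEANING = {
    errno.EADDRNOTAVAIL: "no usable local address (host has no IP configured)",
    errno.ENETUNREACH:   "network unreachable (no route from this host)",
    errno.EHOSTUNREACH:  "host unreachable (route exists, next hop failed)",
    errno.ECONNREFUSED:  "reached the host, nothing listening on that port",
}


def explain_connect_error(code):
    """Return a short analyst-facing meaning for a connect() error code."""
    return CONNECT_FAILURE_MEANING.get(code, f"unclassified socket error {code}")


def probe_connect(host, port, timeout=2.0):
    """Attempt one TCP connect and report (ok, error_code, meaning).

    A failure that returns instantly with an address/route error means the
    stack rejected the attempt locally, before any packet was built, which
    matches seeing no IP traffic in a capture on the same NIC.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return (True, 0, "connected")
    except socket.timeout:
        # Packets may have left the box but nothing answered.
        return (False, None, "timed out (check the capture for SYNs)")
    except OSError as e:
        return (False, e.errno, explain_connect_error(e.errno))
    finally:
        s.close()


if __name__ == "__main__":
    # Constructed sandbox target; the C2 address would come from the sample.
    ok, code, meaning = probe_connect("192.0.2.10", 443)
    print(f"connect ok={ok} code={code}: {meaning}")
```

Run it inside the analysis VM alongside a capture: an immediate local-address or route error with an empty capture confirms the stack never emitted the traffic, whereas a timeout with SYNs in the capture means the sample's traffic did reach the wire.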