[Dshield] Shmoocon

Joe Stewart jstewart at lurhq.com
Tue Jan 10 20:22:26 GMT 2006

On Tuesday 10 January 2006 11:39 am, Jon R. Kibler wrote:
> I had marked your session on sandnets as one that I was planning to
> attend -- but did not correlate your name to DShield. Two issues that
> I was hoping to hear you address: 1) A comparison of the sandnet
> analysis technology to the honeynet technology -- especially from the
> perspective of trapping and analysis of network traffic. 

The major difference I see is that a honeynet has a real-time connection 
to the Internet that is usually limited in some way. In a sandnet, 
there is no real-time connection - the Internet is simulated. We can do 
this because we are strictly dealing with malware we already have in 
hand, as opposed to interactive attacks from worms or hackers. 

> 2) How 
> running in a VM environment affects the malware (for example:
> attempts to write to BIOS or raw disk, making NIC promiscuous,
> privilege escalation, installing and running services, how to keep
> the malware from compromising the VM or host O/S, etc.)

In the sandnet I have developed, no VMs are used. Not only for the 
reasons you mention, but because there are now a number of easy ways to 
detect a VM and this code is being included in some of the trojan bots.


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
