jstewart at lurhq.com
Tue Jan 10 20:22:26 GMT 2006
On Tuesday 10 January 2006 11:39 am, Jon R. Kibler wrote:
> I had marked your session on sandnets as one that I was planning to
> attend -- but did not correlate your name to DShield. Two issues that
> I was hoping to hear you address: 1) A comparison of the sandnet
> analysis technology to the honeynet technology -- especially from the
> perspective of trapping and analysis of network traffic.
The major difference I see is that a honeynet has a real-time connection
to the Internet that is usually limited in some way. In a sandnet,
there is no real-time connection - the Internet is simulated. We can do
this because we are strictly dealing with malware we already have in
hand, as opposed to interactive attacks from worms or hackers.
> 2) How
> running in a VM environment affects the malware (for example:
> attempts to write to BIOS or raw disk, making NIC promiscuous,
> privilege escalation, installing and running services, how to keep
> the malware from compromising the VM or host O/S, etc.)
In the sandnet I have developed, no VMs are used. Not only for the
reasons you mention, but because there are now a number of easy ways to
detect a VM and this code is being included in some of the trojan bots.
Joe Stewart, GCIH
Senior Security Researcher
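As an added illustration of the "simulated Internet" idea in the reply above (this is example code written for this page, not code from the post or from the author's sandnet): a minimal fake DNS resolver that answers every A lookup with one sink address, so a sample's command-and-control hostnames resolve to an analysis host instead of the real Internet. The sink address 10.0.0.1, the listening port 5353, and the query for c2.example.com are hypothetical values constructed for the example.

```python
"""Minimal fake DNS resolver for a simulated-Internet sandnet.

Added example, not code from the original post or from the author's
sandnet. Every A (or ANY) query gets an answer pointing at SINK_IP, so
the sample under analysis talks to the sandnet's own listeners rather
than to the real Internet. SINK_IP and the port are hypothetical values.
"""
import socket
import struct

SINK_IP = "10.0.0.1"  # hypothetical sink address for the example


def parse_qname(data, offset):
    """Decode a DNS name (length-prefixed labels) starting at offset.

    Returns (name, offset_after_name). A question section should never
    contain compression pointers, so they are rejected rather than followed.
    """
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_response(query, sink_ip=SINK_IP, ttl=60):
    """Build a DNS answer for the first question in `query`.

    A and ANY queries (class IN) get a single A record for sink_ip; any
    other type gets an empty NOERROR reply so the client moves on instead
    of retrying forever.
    """
    if len(query) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount < 1:
        raise ValueError("no question in query")
    _name, off = parse_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]

    answer = b""
    ancount = 0
    if qtype in (1, 255) and qclass == 1:
        rdata = socket.inet_aton(sink_ip)
        # Owner name as a compression pointer to offset 12 (the question name),
        # then TYPE=A, CLASS=IN, TTL, RDLENGTH, RDATA.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
        ancount = 1

    # QR=1 (response), AA=1, RD copied from the query, RA=1, RCODE=0.
    rd = flags & 0x0100
    resp_flags = 0x8000 | 0x0400 | rd | 0x0080
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0)
    return header + question + answer


def answered_address(response):
    """Return the dotted-quad A record in `response`, or None if unanswered."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _name, off = parse_qname(response, 12)
    off += 4  # skip QTYPE and QCLASS of the echoed question
    # Answer RR layout: name pointer (2), type (2), class (2), ttl (4),
    # rdlength (2), then rdata.
    rdlength = struct.unpack("!H", response[off + 10:off + 12])[0]
    return socket.inet_ntoa(response[off + 12:off + 12 + rdlength])


def build_query(txid, name, qtype=1):
    """Construct a standard recursive query packet (used for the sample below)."""
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)


def serve(bind="127.0.0.1", port=5353):
    """Answer queries on a UDP socket until interrupted (sandnet gateway side)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError):
            continue  # malformed packet; drop it silently


if __name__ == "__main__":
    # Constructed sample: a lookup for a hypothetical C&C hostname.
    sample = build_query(0x1234, "c2.example.com")
    print(answered_address(build_response(sample)))  # 10.0.0.1
    serve()
```

In a sandnet gateway this resolver sits beside fake HTTP, IRC and SMTP listeners on the same sink address, so whatever hostname the sample looks up, its follow-on connections land on instrumented services that log the traffic without anything leaving the lab. Replies for types other than A are deliberately empty rather than refused so the sample does not stall on a failed lookup.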