[Dshield] Malware analysis question
peteoutside at yahoo.com
Wed Mar 12 15:48:43 GMT 2008
Anyone care to settle a disagreement?
Like many others, I use honeyd to do functional analysis of binaries. When I get a malicious attachment in a spam or something, I take it to my test LAN and release it into the simulated network, and I use ARP spoofing and VM hosts to see what sites the malware goes out to, and what it tries to do when it gets there.
So, recently we had a case where another tech got a sample, and ran it in the test LAN without starting honeyd or anything (he didn't even have an IP assigned to his NIC). His report to the customer states that the sample was nonmalicious because he saw no traffic in Wireshark.
However, I'm pretty sure that if you haven't got an IP, and the binary uses TCP/IP to communicate, you would not see any traffic. Windows would simply not pass it; it would be rejected, whatever (you would see Ethernet frames and whatnot, DHCP requests, but no IP traffic).
Which is correct? And, can someone please explain to me what happens, on a technical or application level, when a binary wants to communicate? What does it "talk" to? I confess that I have no real idea of how this works.
Thanks and best regards,