[Dshield] Malware analysis question

Brenden Walker BKWalker at drbsystems.com
Wed Mar 12 19:06:08 GMT 2008


> -----Original Message-----
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Pete Cap
> Sent: Wednesday, March 12, 2008 11:49 AM
> To: list at lists.dshield.org
> Subject: [Dshield] Malware analysis question
> 
> List,
> 
> Anyone care to settle a disagreement?
> 
<snip>
> However, I'm pretty sure that if you haven't got an IP, and 
> the binary uses TCP/IP to communicate, that you would not see 
> any traffic.  Windows would simply not pass it, it would be 
> rejected, whatever (you would see ethernet frames and 
> whatnot, DHCP requests, but no IP traffic).
> 
> Which is correct?  And, can someone please explain to me what 
> happens, on a technical or application level, when a binary 
> wants to communicate?  What does it "talk" to?  I confess 
> that I have no real idea of how this works.

Under Windows, communication happens through Windows Sockets, basically a
Windows API.

I just did a test under VMware running Windows XP SP2 with Wireshark
capturing on a NIC with no IP address.  No traffic was captured from
attempts to browse the web, Windows Update, telnet or ping.  I believe
applications will get an immediate connect failed trying to open a
socket to a specific address.





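As an added illustration of the point made in the reply above (this is not code from the list post or from either poster), the script below uses the standard socket API to show the difference an analyst sees between a connection the local stack rejects before any packet leaves the host and one that actually reaches the wire. It assumes a Windows or POSIX host; the 192.0.2.1 address is a constructed TEST-NET-1 value that no real host owns, so binding a socket to it fails locally with EADDRNOTAVAIL, the same class of immediate, packet-free failure the reply describes for a NIC with no IP address. The closed loopback port is picked at runtime.

```python
import errno
import socket

# Analyst-facing categories for a failed connect()/bind().
# "local-reject": the OS stack refused before any frame left the host
#                 (no route, no usable local address) - nothing to capture.
# "refused":      a SYN went out and an RST came back - visible on the wire.
# "timeout":      packets left, nothing answered - SYNs visible on the wire.
LOCAL_REJECT_ERRNOS = (errno.ENETUNREACH, errno.EHOSTUNREACH, errno.EADDRNOTAVAIL)


def classify_connect_error(err):
    """Map an errno from a failed socket call to one of the categories above.
    On Windows, Python reports Winsock codes (e.g. WSAECONNREFUSED) through
    the same errno names, so this works on both platforms."""
    if err in LOCAL_REJECT_ERRNOS:
        return "local-reject"
    if err == errno.ECONNREFUSED:
        return "refused"
    if err == errno.ETIMEDOUT:
        return "timeout"
    return "other"


def try_connect(host, port, timeout=2.0):
    """Attempt a TCP connect and return a category string instead of raising."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "connected"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        return classify_connect_error(e.errno)
    finally:
        s.close()


def try_bind(local_ip):
    """Attempt to bind a socket to a specific local address.
    If the host does not own that address, the stack rejects the call
    immediately (EADDRNOTAVAIL) and no packet is generated."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((local_ip, 0))
        return "bound"
    except OSError as e:
        return classify_connect_error(e.errno)
    finally:
        s.close()


def find_closed_loopback_port():
    """Ask the OS for a free loopback port, release it, and use it as a
    port that is almost certainly closed (constructed test input)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Constructed, unowned address (TEST-NET-1): rejected locally, no traffic.
    print("bind 192.0.2.1 ->", try_bind("192.0.2.1"))
    # Loopback closed port: SYN/RST exchange happens, visible to a sniffer on lo.
    print("connect 127.0.0.1 closed port ->",
          try_connect("127.0.0.1", find_closed_loopback_port()))
```

Run it with Wireshark or tcpdump capturing on the loopback interface: the bind attempt produces nothing, while the loopback connect shows a SYN followed by an RST. In a malware lab, a "local-reject" result is what the reply's unaddressed-NIC setup yields, which is why the capture stays empty.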