Dailydave mailing list archives

Re: VPC


From: "John H. Sawyer" <jsawyer () ufl edu>
Date: Sat, 23 Feb 2008 09:07:46 -0500

On Feb 22, 2008, at 11:44 AM, Kurt Baumgartner wrote:

Hint : There are better ones than CWsandbox,
- Joebox
- Anubis (qemu -> easy to detect)

ThreatExpert too:
www.threatexpert.com

Evasion techniques are implemented in active malcode for all of them.
The most common techniques target vmware, emulator weaknesses, or
directories and components of the frameworks themselves.
<CODE SNIPPED>

I came across several forum posts a few months ago when doing research
that contained detection code for CWSandbox and Norman that was there
for cut-n-paste so others could use it.

Detecting sandboxes is one of those, I dare say, arms races where the
sandbox creators are trying to keep up with the detection techniques
that the bad guys are developing. Even the script kiddies have access
to the do-it-yourself malware creation tools. I was testing Shark 3
when it was recently released and the "Anti Debugging" configuration
page is:
"Terminate server,if it is being started on...
- VMWare
- Norman Sandbox
- Debugged mode
- Sandboxie
- Virtual PC
- Symantec Altiris SVS
- innotek VirtualBox (unstable)"

-jhs
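The thread lists the sandbox and virtualisation products that current malcode checks for before running. From the analyst's side, one cheap triage signal is whether a sample embeds those product names at all, since a binary that mentions several of them is worth a closer look before trusting a clean sandbox report. The following is an added example, not code from the Dailydave post or from any of the tools named in it; the product names are taken from the thread, the `SAMPLE` buffer is constructed for demonstration, and the two-product threshold in `triage_verdict` is an assumed heuristic.

```python
"""
Triage helper: flag samples that embed references to analysis sandboxes
or virtualisation products named in the thread. Added example, not from
the original post. The sample bytes below are constructed.
"""
import re

# Products and sandboxes mentioned in the thread (matched case-insensitively).
SANDBOX_TERMS = [
    "CWSandbox", "Joebox", "Anubis", "ThreatExpert", "Norman Sandbox",
    "VMware", "Sandboxie", "Virtual PC", "Altiris", "VirtualBox",
]


def _patterns():
    """Build byte regexes for each term in ASCII and UTF-16LE.

    Windows binaries frequently store strings as UTF-16LE, so a plain
    ASCII search would miss many of the references we care about.
    """
    pats = []
    for term in SANDBOX_TERMS:
        ascii_rx = re.compile(re.escape(term.encode("ascii")), re.IGNORECASE)
        utf16_rx = re.compile(re.escape(term.encode("utf-16-le")), re.IGNORECASE)
        pats.append((term, "ascii", ascii_rx))
        pats.append((term, "utf16le", utf16_rx))
    return pats


def scan_sample(data: bytes):
    """Return a list of (offset, term, encoding) hits, sorted by offset."""
    hits = []
    for term, enc, rx in _patterns():
        for m in rx.finditer(data):
            hits.append((m.start(), term, enc))
    hits.sort()
    return hits


def triage_verdict(hits, threshold=2):
    """Assumed heuristic: two or more distinct product names referenced is a
    stronger anti-analysis indicator than one incidental mention.

    Returns ("review" | "ok", sorted list of distinct terms seen).
    """
    distinct = sorted({term for _, term, _ in hits})
    verdict = "review" if len(distinct) >= threshold else "ok"
    return verdict, distinct


# Constructed stand-in for a PE file: a DOS header stub followed by an
# ASCII "VMware" string and a UTF-16LE "Norman Sandbox" string.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"This program cannot be run in DOS mode.\r\n"
    + b"VMware\x00"
    + "Norman Sandbox".encode("utf-16-le")
    + b"\x00\x00some unrelated text\x00"
)


if __name__ == "__main__":
    found = scan_sample(SAMPLE)
    for off, term, enc in found:
        print(f"0x{off:08x}  {term!r:18} ({enc})")
    print(triage_verdict(found))
```

Run it against a real file with `scan_sample(open(path, "rb").read())`; a hit is only an indicator, since legitimate software (installers, drivers, guest tools) also references these products, which is why the verdict requires more than one distinct name.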
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
