Hi Joe,
Joe wrote:
> Hi
> I have some interesting questions for you:
> How are you dealing with malware that identifies your dedicated
> machines by using some tricks to detect any virtualisation or emulation
> software?
Capture at the moment doesn't hide itself from any malware; I don't
think it's well known enough yet to need to :) I'm not a big fan of
hiding that we are virtualised as it's becoming more common to run
applications in a virtualised environment (commercially), but for home
purposes it's definitely a problem as the average user won't be running in
a virtualised environment. Beats me how to do it.
> Do you have any experience with this in Joebox?
If we needed to, the only thing that we really need to do is hide the
Capture process, as we can already detect when malware tries to install,
say, a kernel driver. If that happens we could flag the data and use a
real box to "visit" it. In fact, for Capture's purpose we could even get
away with running just the kernel drivers, as they almost run
independently of Capture anyway, so maybe during visitation close Capture
and then some time after open it again and process all the queued events
in the kernel drivers.
> And how do you make sure that the server on which the malware is
> hosted does not block your IP address?
What Jamie described would be the solution I would implement if I had 3
IPs :) but I have been managing fine with just a single IP. I haven't
released any papers though using that ... I'm just the code monkey :)
> How do you build system states and
> compare them to other states (kernel hooks or file system comparison)?
Do you mean how we specify whether events in a system are malicious or
not? If so, we create exclusion lists, usually by running the system by
hand and filling the exclusion lists as we go ... a bit time consuming,
but Christian has done the hard yards so I haven't had to go through
that painful step yet. We use an event system, which is kernel drivers
that use common exposed API functions in the kernel to monitor; we don't
use any hooking. We originally used Detours back in the day with some C#
implementation ... what a nightmare that was. I hope to one day use
Detours again for some user level hooking action, but I'm more focused on
the low level stuff right now.
> What about malware which needs user interaction to be installed?
That's an interesting feature which I have planned for the next major
version. It shouldn't be too difficult to create ... basically some
monitor which detects when windows are opened, and uses some AI to
determine how to interact with them ... simple ... I wish!
Any news on Joebox? I haven't looked at your website in a while sorry.
Cheers,
Ramon.
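The reply above describes two pieces of the high-interaction client honeypot's logic: an exclusion list of known-benign events built by hand, and the ability to spot a kernel driver installation so that the URL can be flagged and revisited on a real box. The following is an added illustration of how those two steps fit together; it is not Capture-HPC's own code and does not use its exclusion-list format. The event fields, the exclusion entries, the driver-install heuristics (a write under System32\drivers or a service ImagePath/Type value) and the sample events are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """One record from a file/registry/process monitor (constructed shape, not Capture's)."""
    monitor: str   # "file", "registry" or "process"
    action: str    # e.g. "Write", "SetValue", "Create"
    process: str   # image path of the process performing the action
    target: str    # file path, registry value path, or child image path


# Hand-built exclusion list: (monitor, process regex, target regex).
# Each entry names activity that was observed on a clean run and is known to be benign.
EXCLUSIONS: List[Tuple[str, str, str]] = [
    ("file", r"C:\\Windows\\explorer\.exe",
     r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\.*"),
    ("registry", r"C:\\Windows\\System32\\svchost\.exe",
     r"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\.*"),
    ("process", r"C:\\Windows\\explorer\.exe",
     r"C:\\Program Files\\Internet Explorer\\iexplore\.exe"),
]
_COMPILED = [(m, re.compile(p, re.I), re.compile(t, re.I)) for m, p, t in EXCLUSIONS]

# Heuristics for "malware tries to install a kernel driver" (assumed, not Capture's rules):
# a .sys dropped into the drivers directory, or a service's ImagePath/Type value being set.
_DRIVER_FILE = re.compile(r"C:\\Windows\\System32\\drivers\\[^\\]+\.sys$", re.I)
_DRIVER_KEY = re.compile(
    r"HKLM\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+\\(ImagePath|Type)$", re.I)


def is_excluded(ev: Event) -> bool:
    """True when the event matches an entry of the exclusion list (monitor + process + target)."""
    return any(ev.monitor == m and p.fullmatch(ev.process) and t.fullmatch(ev.target)
               for m, p, t in _COMPILED)


def is_driver_install(ev: Event) -> bool:
    """True when the event looks like a kernel driver being installed."""
    if ev.monitor == "file" and ev.action == "Write" and _DRIVER_FILE.search(ev.target):
        return True
    if ev.monitor == "registry" and ev.action == "SetValue" and _DRIVER_KEY.search(ev.target):
        return True
    return False


def classify(events: List[Event]) -> List[Tuple[str, Event]]:
    """Label each event: 'excluded' (benign), 'driver-install', or 'suspicious'."""
    out = []
    for ev in events:
        if is_excluded(ev):
            out.append(("excluded", ev))
        elif is_driver_install(ev):
            out.append(("driver-install", ev))
        else:
            out.append(("suspicious", ev))
    return out


def summarise(events: List[Event]) -> Dict[str, object]:
    """Count verdicts and decide whether the visit should be repeated on a real (non-virtual) box."""
    counts = {"excluded": 0, "suspicious": 0, "driver-install": 0}
    for verdict, _ in classify(events):
        counts[verdict] += 1
    return {**counts, "flag_for_real_box": counts["driver-install"] > 0}


# Constructed sample events from one hypothetical visit: three benign, one dropper, one driver install.
TEMP = "C:\\Users\\capture\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    Event("file", "Write", "C:\\Windows\\explorer.exe", TEMP + "~tmp1.tmp"),
    Event("registry", "SetValue", "C:\\Windows\\System32\\svchost.exe",
          "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache"),
    Event("process", "Create", "C:\\Windows\\explorer.exe",
          "C:\\Program Files\\Internet Explorer\\iexplore.exe"),
    Event("process", "Create", "C:\\Program Files\\Internet Explorer\\iexplore.exe",
          TEMP + "dropper.exe"),
    Event("file", "Write", TEMP + "dropper.exe", "C:\\Windows\\System32\\drivers\\sample.sys"),
    Event("registry", "SetValue", TEMP + "dropper.exe",
          "HKLM\\SYSTEM\\CurrentControlSet\\Services\\sample\\ImagePath"),
]

if __name__ == "__main__":
    for verdict, ev in classify(SAMPLE_EVENTS):
        print(f"{verdict:15} {ev.monitor:8} {ev.action:8} {ev.process} -> {ev.target}")
    print(summarise(SAMPLE_EVENTS))
```

Exclusion entries are matched on all three of monitor, acting process and target, so a benign write by explorer.exe to the temp directory is excluded while the same path written by an unknown dropper is not. Anything that survives the exclusion list is at least "suspicious"; the driver-install verdict is only used to set the flag that says this visit deserves a repeat on a real machine, mirroring the approach described in the reply.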
_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc