Hi Christian & Ramon,

I've tried incorporating the proxy/DNS suggestions you've mentioned, regarding how to preserve the original pages that served malware for as long as possible. However, the solution isn't perfect. Here's an example:

If the VM visits a page where the malware is contained within a banner ad that rotates, it's possible that when you try to view the original page, JavaScript within the page might (try to) load a different ad -- making it difficult to replicate initial compromises. Of course, one solution to this would be to capture PCAP data, and try to serve this PCAP data back to the browser/application. This sounds hard.

THE GOOD NEWS:
--------------

Fortunately, it looks like the folks at Microsoft have made life a little easier; check out this URL about STRACE/HTTPREPLAY:

http://blogs.msdn.com/emmanubo/archive/2007/06/04/introduction-to-strace-httpreplay-support-tools.aspx
http://tinyurl.com/4llhar

Essentially, STRACE is a (DLL) wrapper that you can inject into _ANY_ Windows application, that logs all TCP/UDP traffic to/from the application -- one of the biggest benefits is that it's able to log raw HTTP data -- even data that's been wrapped in an SSL stream (before encryption/after decryption!).

Here's the best part: HTTPREPLAY is a tool that allows you to "replay" STRACE logs within IE (or any browser), in order to serve up the exact content that was logged. This solves a whole slew of issues that I'm sure we've all been dealing with.

What's really cool about this approach is that you could inject the STRACE DLL even into live, running processes (via INJLIB.EXE) -- and it even works with Mozilla Firefox! Anyway, it's based on the "Detours" library, which appears to be used extensively by Sysinternals utilities.

Okay, so what's the catch?

THE BAD NEWS:
-------------

I've done some initial testing with STRACE/HTTPREPLAY and Capture, and it looks like the code doesn't (exactly) play nice.

Specifically, it seems CaptureProcessMonitor.sys sometimes causes BSODs and some (weird) false positives -- for example, if you have a process tree like:

   PROCESS (PID)
1) CMD.EXE (389)
2) +- RUNELEVATE.EXE (783)
3)    +- WITHDLL.EXE (762)
4)       +- IEXPLORE.EXE (3726)

And the processes terminate in the order of: #2, #3, #1, #4, then (for example) Capture will report WITHDLL.EXE terminated with a parent process of (783) -- but no parent process EXE name listed (i.e., RUNELEVATE.EXE), because that parent process has already terminated. So Capture seems to list the parent process PID when it can't determine the parent process name.

In other words, when process trees terminate in any other order than bottom to top, we start getting PIDs listed as parent process names -- which makes it difficult to filter within the corresponding .EXL

Anyway, you can see some of the initial testing I've tried in this changelog (example code):

http://www.honeyclient.org/trac/changeset/1599

First off, check out the STRACE/HTTPREPLAY libraries and let me know what you guys think; specifically, I'm curious if you manage to get Capture working with the libraries, or if you also run into any BSODs. If they get more consistent, I can try to get a minidump for you in order to debug further.

Second, if you're interested in using this library, I'm curious what your thoughts were on how it could be (easily) incorporated into the Capture code.

Hope this helps,

-- Darien

_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
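The parent-name problem described in the post (a monitor that resolves the parent's name from the live process table at termination time, so an already-exited parent shows up only as a bare PID) and the usual fix (record every PID's name at creation time and resolve against that history) can be reproduced in a small simulation. This is an added example, not Capture's code; the PIDs, names and termination order are the constructed sample from the post.

```python
"""Simulated process-tree monitor: resolving a parent's name from the
live table loses it once the parent has exited; a creation-time history
keeps it. Constructed scenario, mirroring the post; not Capture's code."""
from dataclasses import dataclass, field


@dataclass
class ProcessMonitor:
    live: dict = field(default_factory=dict)     # pid -> (name, ppid), running only
    history: dict = field(default_factory=dict)  # pid -> (name, ppid), every pid seen

    def create(self, pid, name, ppid):
        # Record the name at creation time so it survives the parent exiting.
        self.live[pid] = (name, ppid)
        self.history[pid] = (name, ppid)

    def terminate(self, pid, use_history=False):
        """Return the parent label a termination event would report."""
        _name, ppid = self.live.pop(pid)
        table = self.history if use_history else self.live
        if ppid in table:
            return table[ppid][0]          # parent name still resolvable
        if ppid in self.history:
            return str(ppid)               # parent already gone: only its PID is left
        return None                        # never observed (tree root)


def run_scenario(use_history):
    """Build the tree from the post and terminate in order #2, #3, #1, #4."""
    mon = ProcessMonitor()
    tree = [(389, "CMD.EXE", 0), (783, "RUNELEVATE.EXE", 389),
            (762, "WITHDLL.EXE", 783), (3726, "IEXPLORE.EXE", 762)]
    for pid, name, ppid in tree:
        mon.create(pid, name, ppid)
    results = {}
    for pid in (783, 762, 389, 3726):
        name = mon.history[pid][0]
        results[name] = mon.terminate(pid, use_history=use_history)
    return results


def parents_reported_as_bare_pids(results):
    """Names whose termination event carries a PID instead of a parent name."""
    return sorted(n for n, p in results.items() if isinstance(p, str) and p.isdigit())


if __name__ == "__main__":
    print("live-table lookup:", run_scenario(False))
    print("history lookup:   ", run_scenario(True))
```

With the live-table lookup, WITHDLL.EXE and IEXPLORE.EXE are reported with parents "783" and "762", exactly the filtering problem the post describes; with the history lookup every parent resolves to a name.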