Re: Bow and question
Juan Carlos Montes wrote:
> Shachar Shemesh wrote:
>> I think you should be aware that Wine is no replacement for a security tool. If you run malware using Wine, it is possible for this malware to interact directly with your Linux machine, bypassing your protection.
>>
>> Shachar
>
> I know it, but we can control all actions that the malware makes. If the malware bypasses the protection and infects the machine... no problem, format, image and new malware to check, :)

But what good is a malware study tool if the malware can trivially detect it's there? What if it doesn't infect the machine, but just runs differently?

There are Windows tools that do similar things to what you need (check out the Sysinternals web site), where the environment is much closer to the real thing.

Actually, Dan's question is the more interesting one here - did the malware work under Wine?

Shachar
Re: Bow and question
Shachar Shemesh wrote:
> I think you should be aware that Wine is no replacement for a security tool. If you run malware using Wine, it is possible for this malware to interact directly with your Linux machine, bypassing your protection.
>
> Shachar

I know it, but we can control all actions that the malware makes. If the malware bypasses the protection and infects the machine... no problem, format, image and new malware to check, :)

--
___
Juan Carlos Montes Senra
INTECO-CERT
Instituto Nacional de Tecnologías de la Comunicación
email: [EMAIL PROTECTED] | [EMAIL PROTECTED]
Tlf. 0034 987 877 189 - ext. 532
___
Re: Bow and question
Shachar Shemesh wrote:
> But what good is a malware study tool if the malware can trivially detect it's there? What if it doesn't infect the machine, but just runs differently?
>
> There are Windows tools that do similar things to what you need (check out the Sysinternals web site), where the environment is much closer to the real thing.
>
> Actually, Dan's question is the more interesting one here - did the malware work under Wine?
>
> Shachar

I know that in Windows we can find similar things, but with Wine we can make a first check, make a simple report, and send it to the client. Later, we can make a good manual analysis. At the moment we can report quickly if a malware sample deletes files, changes the registry...

> did the malware work under Wine?

A lot of it, :) Think... if we don't get results, we must do a manual analysis...

--
___
Juan Carlos Montes Senra
INTECO-CERT
Instituto Nacional de Tecnologías de la Comunicación
email: [EMAIL PROTECTED] | [EMAIL PROTECTED]
Tlf. 0034 987 877 189 - ext. 532
___
Re: Bow and question
Juan Carlos Montes wrote:
> Hi all,
>
> I am new in this list, so... Hello!!!
>
> Well, I work in a CERT and we are creating an automatic malware detection tool with Wine.

I think you should be aware that Wine is no replacement for a security tool. If you run malware using Wine, it is possible for this malware to interact directly with your Linux machine, bypassing your protection.

Shachar
Re: Bow and question
Dan Kegel wrote:
> So how well is Wine running the malware you're interested in?
> - Dan

Thanks, I found a lot of options on the web but didn't know the DEFAULT_DEBUG_CHANNEL const, :)

So, we only tried a few malware samples, [ 3 files ], but all ran correctly. Two files were compiled in Visual C, and the last one in Visual Basic. We needed to install the Visual Basic runtime, but it was the only problem.

Well, if you need anything, tell me, :)

Thanks again,

___
Juan Carlos Montes Senra
INTECO-CERT
Instituto Nacional de Tecnologías de la Comunicación
email: [EMAIL PROTECTED] | [EMAIL PROTECTED]
Tlf. 0034 987 877 189 - ext. 532
___