Honeypots
Looking for Honeypots??? Apr 05 2006 10:50PM David Jiménez Domínguez (djdsecurity gmail com) (1 replies)
Re: Looking for Honeypots??? Apr 06 2006 01:23AM Mark Ryan del Moral Talabis (talabis gmail com) (1 replies)
malware has anti-VMware techniques (for example, by looking for the
VMware Tools registry key or a MAC address) the report sent by Norman
is useless...
In the near future, could someone write code to first inspect the
characteristics of the "sandhost" where the malware is run, and make
some DNS queries to a domain name where this information is
shown???...for example:
mac00-00-00-71-B4-AA.com
so.win2k.net
vmware.present.net
ip.192.168.1.2.com
This information is going to be sent to the bad guy by email, and he
could map all the information he needed.
Do you know if it is possible?
2006/4/5, Mark Ryan del Moral Talabis <talabis (at) gmail (dot) com [email concealed]>:
> Interesting stuff! I haven't noticed this on our end so maybe they're
> concentrating on commercial anti-virus firms rather than independent
> research organizations though there's always the possibility that it
> could happen in the future.
>
> Ryan Talabis
> Philippine Honeynet Project
> http://www.philippinehoneynet.org
>
> 2006/4/6, David Jiménez Domínguez <djdsecurity (at) gmail (dot) com [email concealed]>:
> > Hi list!!
> >
> > Yesterday ZDNet issued a note [1] about cybercriminals looking for
> > antivirus firms' honeypots in order to launch attacks against them,
> > especially those for malware collection. I've read some docs about the
> > same topic [2][3] some days ago...
> >
> > Have you ever seen something like that within your honeynets?
> >
> > I think one of the reasons for these actions is to stop the botnet
> > hunting and botnet hijacking, not to be aware if they are being
> > watched mainly...
> >
> > What do you think??
> >
> >
> > [1] http://news.zdnet.co.uk/internet/security/0,39020375,39261210,00.htm
> > [2] http://www.it-observer.com/articles/1101/honeypots_how_seek_them_out/
> > [3] http://ryan1918.org/viewtopic.php?t=1444
> >
> > --
> > ------------------
> > DJD
> > _
> >
>
--
------------------
DJD
_
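From the sandbox operator's side, the leak described in the message above is visible in the analysis host's own DNS traffic. The following is an added example, not part of the original thread: it checks a resolver log for query names that embed the sandbox's MAC address, IP address or environment keywords. The log format, the keyword list, the function names and the host MAC/IP values are assumptions made for illustration.

```python
import ipaddress
import re

# Separator-delimited MACs only; bare 12-hex runs collide with hashes and IDs.
MAC_RE = re.compile(r"(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}(?![0-9a-f])")
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}[.-]){3}\d{1,3}(?!\d)")
# Assumed keyword list: virtualization and OS markers a sample might report.
ENV_TOKENS = {"vmware", "vbox", "virtualbox", "qemu", "win2k", "winxp"}

def fingerprint_leaks(qname, host_mac, host_ip):
    """Return reasons why a DNS query name appears to carry host fingerprint data."""
    name = qname.lower().rstrip(".")
    if name.endswith((".in-addr.arpa", ".ip6.arpa")):
        return []  # reverse lookups embed addresses legitimately
    own_mac = re.sub(r"[-:]", "", host_mac.lower())
    reasons = []
    for m in MAC_RE.finditer(name):
        mac = re.sub(r"[-:]", "", m.group())
        reasons.append("own-mac" if mac == own_mac else "mac-like")
    # Blank out MAC spans so "00-00-00-71" is not re-read as an address.
    for m in IPV4_RE.finditer(MAC_RE.sub(" ", name)):
        try:
            ip = ipaddress.ip_address(m.group().replace("-", "."))
        except ValueError:
            continue  # octet > 255 or leading zeros: not an address
        if str(ip) == host_ip:
            reasons.append("own-ip")
        elif ip.is_private:
            reasons.append("private-ip")
    labels = set(re.split(r"[.\-_]", name))
    reasons += sorted("env:" + t for t in labels & ENV_TOKENS)  # weak signal alone
    return reasons

def scan(log_lines, host_mac, host_ip):
    """Map each suspicious query name in the log to its reasons."""
    found = ((l.split()[-1], fingerprint_leaks(l.split()[-1], host_mac, host_ip))
             for l in log_lines)
    return {q: r for q, r in found if r}

# Constructed resolver log, "<time> <qtype> <qname>"; the first four names are from the post.
SAMPLE_LOG = [
    "22:50:01 A mac00-00-00-71-B4-AA.com",
    "22:50:02 A so.win2k.net",
    "22:50:03 A vmware.present.net",
    "22:50:04 A ip.192.168.1.2.com",
    "22:50:05 A www.example.org",
    "22:50:06 PTR 2.1.168.192.in-addr.arpa",
]
```

A hit on `own-mac` or `own-ip` means the sample read the host's identity and put it on the wire; an `env:` hit alone also fires on ordinary vendor domains and needs a second signal.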