Playing in the Sandnet - Evil Bits

Last week in my “Analyze This Malware” article, I mentioned a tool called TRUMAN, created by Joe Stewart of SecureWorks. TRUMAN is a sandnet -- it lets you run malware in a closed environment that emulates the Internet, so the sample behaves as it would on a live network without ever reaching one. (It’s best to use physical machines for malware analysis: much of today’s malware checks for virtual machines and changes its behavior when it believes it is being watched.)

People often assume a sandnet is a type of honeynet, but it is not. The major difference is connectivity to the Internet. A honeynet is connected to the Internet for the purpose of getting hacked, while the honeynet administrator monitors the activity to learn about the attacker’s methods and motives. A sandnet is a closed network built for malware analysis: at least one host intercepts and responds to the victim host’s queries, so the victim believes it has access to the Internet. The focus also differs -- a honeynet studies individual attackers, while a sandnet studies the malware itself.

The victim in a sandnet may be infected with malware that wants to connect to a Web server or IRC server to receive additional downloads, or commands on what to do next. The analyst uses what he learns from the first run to configure a host in the sandnet that answers those requests, then observes how the malware reacts. In this way you learn which servers the malware tries to reach, what it is for, and how to identify it and stop it from spreading.

You can use TRUMAN with only two machines connected by a crossover network cable. One system acts as the controller that emulates the Internet, with several included scripts that impersonate Web, DNS, IRC, SMTP, SMB, and MySQL servers. One caveat is that the victim must support PXE booting: when the victim boots, it downloads a small boot image from the controller to perform actions such as imaging the victim’s hard drive for offline analysis.
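To make the “controller that emulates the Internet” idea concrete, here is an added example of the two responders a sandnet needs most: a DNS sinkhole that resolves every A query to the controller, and an HTTP responder that records what the infected host asked for (method, Host header, path, User-Agent) and returns a canned 200. This is illustration code written for this post, not TRUMAN’s own scripts, and the controller address 10.0.0.1 is an assumption about the crossover link.

```python
"""
Fake-Internet responders in the spirit of a sandnet controller (example code,
not part of TRUMAN). Assumption: the controller sits at 10.0.0.1 on the
crossover link and the victim uses it as its DNS server and default gateway.
"""
import socket
import struct
import threading

CONTROLLER_IP = "10.0.0.1"  # assumed controller address on the crossover link


def parse_qname(data, offset):
    """Return (dotted_name, offset_after_name) for an uncompressed QNAME."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_dns_query(name, qtype=1):
    """Build a standard recursive query (used here to construct test traffic)."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def sinkhole_response(query, answer_ip=CONTROLLER_IP, ttl=60):
    """Answer any A/IN query with answer_ip so every host name the malware
    looks up points back at the controller. Return (queried_name, response).
    Other record types get a valid response with zero answers."""
    txid = struct.unpack(">H", query[:2])[0]
    name, end = parse_qname(query, 12)
    qtype, qclass = struct.unpack(">HH", query[end:end + 4])
    question = query[12:end + 4]          # echo the question section only
    if qtype == 1 and qclass == 1:
        # 0xC00C = pointer to the name at offset 12; TYPE A, CLASS IN, TTL, RDLEN 4
        answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
        ancount = 1
    else:
        answer, ancount = b"", 0
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR|RD|RA
    return name, header + question + answer


def handle_http(raw, body=b"OK\n"):
    """Parse one raw HTTP request, record what the victim asked for, and
    return (record, canned_200_response). The record is what the analyst
    keeps: it names the C2 host, the path and the beaconing User-Agent."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    record = {"method": method, "host": headers.get("host", ""),
              "path": path, "user_agent": headers.get("user-agent", "")}
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                b"Content-Length: " + str(len(body)).encode() +
                b"\r\nConnection: close\r\n\r\n" + body)
    return record, response


def serve(bind_ip="0.0.0.0"):
    """Run the DNS sinkhole on UDP/53 and the HTTP responder on TCP/80.
    Binding these ports needs root; run only on the isolated sandnet."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((bind_ip, 53))
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    tcp.bind((bind_ip, 80))
    tcp.listen(5)

    def http_loop():
        while True:
            conn, peer = tcp.accept()
            with conn:
                data = conn.recv(65535)
                if not data:
                    continue
                record, resp = handle_http(data)
                print("HTTP", peer[0], record)
                conn.sendall(resp)

    threading.Thread(target=http_loop, daemon=True).start()
    while True:
        data, peer = udp.recvfrom(512)
        name, resp = sinkhole_response(data)
        print("DNS", peer[0], name)
        udp.sendto(resp, peer)


if __name__ == "__main__":
    serve()
```

The DNS side is deliberately indiscriminate: on a sandnet you want every name the sample resolves to land on the controller, and the log of those names is itself the first indicator you take away. The HTTP side only returns a fixed body; once you know the sample’s protocol, you replace the canned body with the response that drives it to its next stage, which is exactly the configure-and-observe loop described above.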

Link to Truman - http://www.secureworks.com/research/tools/truman.html

Has anyone used Sandnet?
