Gojomo

2006-02-10
Joe Stewart, The Reusable Unknown Malware Analysis Net (Truman) @ CodeCon 2006, 4:45pm Friday

Continuing prejudicial CodeCon session previews:

Joe Stewart: The Reusable Unknown Malware Analysis Net (Truman), 4:45pm Friday @ CodeCon 2006

Truman can be used to build a "sandnet", a tool for analyzing malware in an environment that is isolated, yet provides a virtual Internet for the malware to interact with. It runs on native hardware, therefore it is not stymied by malware which can detect VMware and other VMs. The major stumbling block to not using VMs is the difficulty involved with repeatedly imaging machines for re-use. Truman automates this process, leaving the researcher with only minimal work to do in order to get an initial analysis of a piece of malware.

It's nice for this to be the same day, but it really should have been adjacent to the SiteAdvisor talk -- perhaps even just before it, thus setting the technical stage for the overall SiteAdvisor process.

That a Linux boot image and set of (Perl!) scripts could reconstruct the entire running state of a Windows system, and switch over to it, without a usual full-fledged virtualization layer, seems impressive. But in a way, isn't that what the 'hibernate' feature of (for example) Windows XP accomplishes on resume? Could you do this more simply by just wrangling the 'hibernate' image of a Windows system around? (Is this in fact what Truman does? I can't tell -- my preview powers fail me, because of the thin level of description at the project home page.)

Certainly having free open-source utility boot images and scripts for these tasks is nice, and there might be other testing scenarios, besides catching malware, where this approach beats virtualization. (The SiteAdvisor presenter mentioned that licensing costs of virtualization systems were an issue at scale.)
