Security-related question
Matt Graham
danceswithcrows at usa.net
Tue Feb 22 08:45:27 MST 2011
> Jim March <1.jim.march at gmail.com> wrote:
>> I'm trying to figure out what a particular Windows piece of malware
>> does. To that end I built a brand new WinXP virtual machine via
>> Virtualbox (Linux host of course) and then infected the virtual
>> machine, which has Internet connectivity via a NAT router off of
>> the Linux host...in other words, guest OS traffic will be visible
>> in the host Linux system.
So, the 'Doze VM has an IP of 10.x.y.z according to the Linux box? And you
can run "tcpdump -s 0 -w file.pcap host 10.x.y.z" on the Linux box, right?
And then have a look at file.pcap with wireshark or your favorite packet
analyzer? This seems fairly obvious to me, but there could be something I'm
missing. It's been a while since I played with virtualbox to any great
extent, and it depends on how the thing does networking.
From: Jordan Aberle <jordan.aberle at gmail.com>
> Sysinternals can do everything you need, take a look specifically
> at Procmon http://technet.microsoft.com/en-us/sysinternals
> TCPVIEW also.
You'd trust a compromised machine to report on the traffic that some known
malware is sending out? I have this great deal on Florida swampland for
you.... :-) Also, Jim wanted to do the monitoring from the Linux side. But
if you're stuck on a Doze box, sysinternals is a reasonable substitute for
standard tools.
--
Matt G / Dances With Crows
The Crow202 Blog: http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see
More information about the PLUG-discuss
mailing list