> Jim March <1.jim.march@gmail.com> wrote:
>> I'm trying to figure out what a particular Windows piece of malware
>> does. To that end I built a brand new WinXP virtual machine via
>> Virtualbox (Linux host of course) and then infected the virtual
>> machine, which has Internet connectivity via a NAT router off of
>> the Linux host...in other words, guest OS traffic will be visible
>> in the host Linux system.

So, the 'Doze VM has an IP of 10.x.y.z according to the Linux box?  And you
can run "tcpdump -s 0 -w file.pcap host 10.x.y.z" on the Linux box, right? 
And then have a look at file.pcap with wireshark or your favorite packet
analyzer?  This seems fairly obvious to me, but there could be something I'm
missing.  It's been a while since I played with virtualbox to any great
extent, and it depends on how the thing does networking.

From: Jordan Aberle <jordan.aberle@gmail.com>
> Sysinternals can do everything you need, take a look specifically
> at Procmon http://technet.microsoft.com/en-us/sysinternals
> TCPVIEW also.

You'd trust a compromised machine to report on the traffic that some known
malware is sending out?  I have this great deal on Florida swampland for
you.... :-)  Also, Jim wanted to do the monitoring from the Linux side.  But
if you're stuck on a Doze box, sysinternals is a reasonable substitute for
standard tools.

-- 
Matt G / Dances With Crows
The Crow202 Blog:  http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss