Re: Security-related question

Author: Matt Graham
Date:  
To: Main PLUG discussion list
Subject: Re: Security-related question
> Jim March <> wrote:
>> I'm trying to figure out what a particular Windows piece of malware
>> does. To that end I built a brand new WinXP virtual machine via
>> Virtualbox (Linux host of course) and then infected the virtual
>> machine, which has Internet connectivity via a NAT router off of
>> the Linux host...in other words, guest OS traffic will be visible
>> in the host Linux system.


So, the 'Doze VM has an IP of 10.x.y.z according to the Linux box? And you
can run "tcpdump -s 0 -w file.pcap host 10.x.y.z" on the Linux box, right?
And then have a look at file.pcap with wireshark or your favorite packet
analyzer? This seems fairly obvious to me, but there could be something I'm
missing. It's been a while since I played with virtualbox to any great
extent, and it depends on how the thing does networking.

From: Jordan Aberle <>
> Sysinternals can do everything you need, take a look specifically
> at Procmon http://technet.microsoft.com/en-us/sysinternals
> TCPVIEW also.


You'd trust a compromised machine to report on the traffic that some known
malware is sending out? I have this great deal on Florida swampland for
you.... :-) Also, Jim wanted to do the monitoring from the Linux side. But
if you're stuck on a Doze box, sysinternals is a reasonable substitute for
standard tools.

--
Matt G / Dances With Crows
The Crow202 Blog: http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see
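The host-side capture recommended above ("tcpdump -s 0 -w file.pcap host 10.x.y.z", then inspect the pcap) leaves a file that can be triaged without ever asking the infected guest what it is doing. The following is an added example, not code from the thread or from any of its participants: a stdlib-only Python reader for the libpcap format that tallies which outside hosts and ports the guest talked to and which talked back. The guest address 10.0.2.15, the resolver 10.0.2.3 and the peer 198.51.100.7 are constructed sample values, and the embedded capture is built in memory so the script runs offline; point it at a real file written by tcpdump to get the same summary.

```python
import struct
from collections import Counter

GUEST_IP = "10.0.2.15"  # hypothetical VM address, not taken from the thread

# ---- minimal pcap reader (libpcap format, Ethernet link type) ----

def parse_pcap(data):
    """Yield (timestamp_sec, frame_bytes) for each record in a pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    _, _, _, _, _, _, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures are handled")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record at end of capture")
        offset += incl_len
        yield ts_sec, frame

def parse_frame(frame):
    """Return src/dst/proto/ports for an IPv4 frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None                      # not IPv4 over Ethernet (e.g. ARP)
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4             # header length honours IP options
    total_len = struct.unpack_from("!H", ip, 2)[0]
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:total_len]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:  # TCP and UDP both start with ports
        sport, dport = struct.unpack_from("!HH", l4, 0)
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

def summarize(pcap_bytes, guest_ip):
    """Count (peer, protocol, port) for traffic leaving and entering the guest."""
    outbound, inbound = Counter(), Counter()
    for _, frame in parse_pcap(pcap_bytes):
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        name = {6: "tcp", 17: "udp"}.get(pkt["proto"], str(pkt["proto"]))
        if pkt["src"] == guest_ip:
            outbound[(pkt["dst"], name, pkt["dport"])] += 1
        elif pkt["dst"] == guest_ip:
            inbound[(pkt["src"], name, pkt["sport"])] += 1
    return outbound, inbound

# ---- constructed sample capture (what tcpdump -w would have written) ----

def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def _tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _eth(ethertype, payload):
    return b"\x08\x00\x27\x00\x00\x01" + b"\x52\x54\x00\x12\x35\x02" + \
        struct.pack("!H", ethertype) + payload

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([
    _eth(0x0806, b"\x00" * 28),                                           # ARP, skipped
    _eth(0x0800, _ipv4(GUEST_IP, "10.0.2.3", 17, _udp(51000, 53, b"\x12\x34"))),   # DNS
    _eth(0x0800, _ipv4(GUEST_IP, "198.51.100.7", 6, _tcp_syn(49152, 80))),
    _eth(0x0800, _ipv4("198.51.100.7", GUEST_IP, 6, _tcp_syn(80, 49152))),      # reply
    _eth(0x0800, _ipv4(GUEST_IP, "198.51.100.7", 6, _tcp_syn(49153, 80))),      # retry
])

if __name__ == "__main__":
    out, inb = summarize(SAMPLE_PCAP, GUEST_IP)
    for (peer, proto, port), n in out.most_common():
        print(f"guest -> {peer}:{port}/{proto}  x{n}")
    for (peer, proto, port), n in inb.most_common():
        print(f"{peer}:{port}/{proto} -> guest  x{n}")
```

Because the tallies come from frames the host's NIC driver saw, a rootkit hiding sockets from TCPView or Procmon inside the guest changes nothing here; to read a real capture, replace SAMPLE_PCAP with open("file.pcap", "rb").read() and keep the -s 0 snaplen so records are not truncated.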

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss