
148 Chapter 6 · Malware Analysis

malware you were researching were able to escape the sandbox environment in which it was being tested and infect other computers in the corporate network. And even if the malware only has access to the Internet, you could still face liability issues for allowing the malware to propagate from your machine and infect others. More information regarding creating a sandbox environment has been presented in Chapter 3.

The Researcher May Get Discovered

Rumor has it that malware authors have begun collecting lists of "antimalware" researchers and labs. When a malware organization sets up a Web site for malware distribution, they may include the functionality to provide differing content based on which Internet address has created the request. If a network known to be affiliated with malware research makes contact, a different version of malware is served. The goal is to prevent the malware researchers from obtaining the latest versions of the malware.

Create a "Victim" That Is as Close to Real as Possible

In order to research the malware you should have as close to a realistic target as possible. The ideal target would probably be an actual image of someone's computer with any confidential data removed or at least scrubbed. As we will discuss in the following sections, there are a number of advantages to putting such an image into a virtual machine. There are also some disadvantages.

Untargeted malware is created to run on standard user-oriented machines. These pieces of software are often designed to discover their environment and capture data (sometimes including information such as the keystrokes of the user). Sometimes they relay that data back to a collection point immediately. In other cases the malware packages things up and awaits a collector process connection to retrieve the packaged data. In some cases documents will be searched in an effort to collect sensitive information. Often there is a replication function that leverages the credentials of the user to probe other servers on the network.

You Should Have a Variety of Content to Offer

One of the key aspects of current malware is the behavior it exhibits when certain types of files are encountered. Often malware scans files for e-mail addresses to be
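The two risks this page names, a sample probing other servers on the corporate network with the victim's credentials and a sample relaying or staging captured data for an outside collector, both show up first in the sandbox's network flows. The following is an added example, not code from the book, that audits a flow log from an isolated lab against a default-deny policy: a sandbox VM may talk only to other lab VMs and to a sinkhole host that fakes DNS and HTTP. The subnets, the sinkhole address, the log line format and the log lines themselves are all constructed for the example and should be replaced with your own lab's values.

```python
"""Audit a sandbox flow log against a "limited network access" policy.

Added example, not from the book. Addresses, log format and sample
records below are constructed; substitute your own lab layout.
"""
import ipaddress
import re
from collections import Counter

# Assumed lab layout (hypothetical addresses).
SANDBOX_NET = ipaddress.ip_network("172.31.250.0/24")     # isolated victim VMs
SINKHOLE = ipaddress.ip_address("172.31.250.1")           # fake DNS/HTTP services
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),     # production networks the
                  ipaddress.ip_network("192.168.0.0/16")]  # sandbox must never reach

# Assumed log format: "<timestamp> <src> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Constructed sample log: normal sinkhole traffic, two SMB probes into the
# corporate range, one direct Internet connection, one inbound connection.
SAMPLE_LOG = """\
2024-05-01T10:00:01 172.31.250.10 -> 172.31.250.1:53 udp
2024-05-01T10:00:02 172.31.250.10 -> 172.31.250.1:80 tcp
2024-05-01T10:00:05 172.31.250.10 -> 10.20.30.40:445 tcp
2024-05-01T10:00:06 172.31.250.10 -> 10.20.30.41:445 tcp
2024-05-01T10:00:09 172.31.250.10 -> 203.0.113.7:443 tcp
2024-05-01T10:01:00 198.51.100.9 -> 172.31.250.10:4444 tcp
this line is not a flow record
"""


def classify_flow(src: str, dst: str) -> str:
    """Return a policy verdict for one flow. Anything not explicitly allowed
    is a violation: the policy is default-deny, so no guessing about which
    outside addresses are 'safe' is needed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in SANDBOX_NET:
        if d == SINKHOLE or d in SANDBOX_NET:
            return "allowed"
        if any(d in net for net in CORPORATE_NETS):
            # The escape scenario: credential-based probing of real servers.
            return "lateral-movement"
        # Direct relay of captured data, or propagation you would be liable for.
        return "unauthorized-egress"
    if d in SANDBOX_NET:
        # A collector process calling in to fetch staged data.
        return "inbound-to-sandbox"
    return "unrelated"


def audit(lines):
    """Classify every record; return (verdict counts, list of violations)."""
    counts = Counter()
    violations = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            counts["unparsed"] += 1   # never silently drop malformed records
            continue
        verdict = classify_flow(m["src"], m["dst"])
        counts[verdict] += 1
        if verdict != "allowed":
            violations.append((verdict, line))
    return counts, violations


if __name__ == "__main__":
    totals, bad = audit(SAMPLE_LOG.splitlines())
    print(dict(totals))
    for verdict, record in bad:
        print(f"{verdict:20s} {record}")
```

Run against the constructed log, the audit reports two allowed sinkhole flows, two lateral-movement attempts, one unauthorized egress, one inbound connection to the sandbox and one unparsed line. The same classifier can be fed from a firewall log or a conntrack export on the sandbox gateway, and a non-zero count of anything but "allowed" is the signal to stop the run and check that the isolation rules on the gateway actually match the policy the code encodes.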