Hi!
Dan Kegel told me about this conference and I decided to go :) I want to know if any of you guys are interested in a talk about the newest version of ZeroWine (zerowine.sourceforge.net), the patches I wrote for Wine, the problems I found with Wine's loader and malware, etc...
Best Regards, Joxean Koret
On Tuesday 09 November 2010, 20:29:00, Joxean Koret wrote:
> Hi!
> Dan Kegel told me about this conference and I decided to go :) I want to know if any of you guys are interested in a talk about the newest version of ZeroWine (zerowine.sourceforge.net), the patches I wrote for Wine, the problems I found with Wine's loader and malware, etc...
I can't speak for the others, but personally I am interested :-)
On 11/09/2010 01:29 PM, Joxean Koret wrote:
> Hi!
> Dan Kegel told me about this conference and I decided to go :) I want to know if any of you guys are interested in a talk about the newest version of ZeroWine (zerowine.sourceforge.net), the patches I wrote for Wine, the problems I found with Wine's loader and malware, etc...
> Best Regards, Joxean Koret
I wasn't aware of the existence of Zero Wine until now, so you can count me in as another interested party. Speaking of which, I wonder how much relation there is with the virtual botnet research farm of Sandia National Laboratories, which apparently runs Wine on each instance for modeling purposes. The New York Times article (http://www.nytimes.com/2009/07/28/science/28comp.html) is annoyingly stuck behind a free login, though.
On Wed, Nov 10, 2010 at 5:46 PM, Andrew Nguyen anguyen@codeweavers.com wrote:
> Speaking of which, I wonder how much relation there is with the virtual botnet research farm of Sandia National Laboratories, which apparently runs Wine on each instance for modeling purposes. The New York Times article (http://www.nytimes.com/2009/07/28/science/28comp.html) is annoyingly stuck behind a free login, though.
He gave several talks about the system, e.g. http://www.socallinuxexpo.org/scale8x/presentations/ten-million-and-one-peng... http://www.sandia.gov/ldrd/images/events/fy10_ldrd_day/posters/minnich.pdf He doesn't mention Wine, but it seems likely he's still using it. I'll ping him.
On Wed, Nov 10, 2010 at 6:25 PM, Dan Kegel dank@kegel.com wrote:
> On Wed, Nov 10, 2010 at 5:46 PM, Andrew Nguyen anguyen@codeweavers.com wrote:
> > Speaking of which, I wonder how much relation there is with the virtual botnet research farm of Sandia National Laboratories, which apparently runs Wine on each instance for modeling purposes. The New York Times article (http://www.nytimes.com/2009/07/28/science/28comp.html) is annoyingly stuck behind a free login, though.
> He gave several talks about the system, e.g. http://www.socallinuxexpo.org/scale8x/presentations/ten-million-and-one-peng... http://www.sandia.gov/ldrd/images/events/fy10_ldrd_day/posters/minnich.pdf He doesn't mention Wine, but it seems likely he's still using it.
BTW, the audio of the talk at the first link talks about Wine at about 50 minutes in. He said Wine worked great until he found malware that needed Windows kernel modules. - Dan
Hi,
On Wed, 10-11-2010 at 19:28 +0000, Dan Kegel wrote:
> BTW, the audio of the talk at the first link talks about Wine at about 50 minutes in. He said Wine worked great until he found malware that needed Windows kernel modules.
Yep, Wine doesn't work for testing rootkits, unfortunately :( And I guess there is no plan to support execution of Win32 drivers, right? Because, except for malware analysis, I see no benefit in it.
On Wed, Nov 10, 2010 at 7:51 PM, Joxean Koret joxeankoret@yahoo.es wrote:
> > He said Wine worked great until he found malware that needed Windows kernel modules.
> Yep, Wine doesn't work for testing rootkits, unfortunately :( And I guess there is no plan to support execution of Win32 drivers, right? Because, except for malware analysis, I see no benefit in it.
We keep adding little bits as required by real apps, but it's always going to be a small subset.
ReactOS, now, that uses Wine as a userspace, and it can run Windows drivers... - Dan
On Wed, Nov 10, 2010 at 08:51:55PM +0100, Joxean Koret wrote:
> Hi,
> On Wed, 10-11-2010 at 19:28 +0000, Dan Kegel wrote:
> > BTW, the audio of the talk at the first link talks about Wine at about 50 minutes in. He said Wine worked great until he found malware that needed Windows kernel modules.
> Yep, Wine doesn't work for testing rootkits, unfortunately :( And I guess there is no plan to support execution of Win32 drivers, right? Because, except for malware analysis, I see no benefit in it.
We run Win32 drivers in a very basic form (for some copy-protection stuff).
This can be enhanced, but there are limits of course. Rootkits probably want to hook the filesystem and there we will probably fail ;)
Ciao, Marcus
On Wed, 10-11-2010 at 20:51 +0100, Marcus Meissner wrote:
> This can be enhanced, but there are limits of course. Rootkits probably want to hook the filesystem and there we will probably fail ;)
Rootkits typically want to hook the filesystem, network and processes. They want all of them ;)
On Wed, Nov 10, 2010 at 8:08 PM, Joxean Koret joxeankoret@yahoo.es wrote:
> On Wed, 10-11-2010 at 20:51 +0100, Marcus Meissner wrote:
> > This can be enhanced, but there are limits of course. Rootkits probably want to hook the filesystem and there we will probably fail ;)
> Rootkits typically want to hook the filesystem, network and processes. They want all of them ;)
Presumably, though, under Wine you could detect the attempt to hook those things, and thereby detect the malware?
On Wed, 10-11-2010 at 19:59 +0000, Dan Kegel wrote:
> Presumably, though, under Wine you could detect the attempt to hook those things, and thereby detect the malware?
It's not that easy. For example, what if a rootkit tries to exploit a privilege escalation vulnerability in the kernel or any of the subsystems (e.g., win32k)? You may think it's something very uncommon, but it is not.
Or, what if the malware tries to install a driver? I can see that a driver was installed or that a call to LoadDriver/ZwLoadDriver was issued, but I can't get any other information.
On Wed, Nov 10, 2010 at 8:38 PM, Joxean Koret joxeankoret@yahoo.es wrote:
> It's not that easy. For example, what if a rootkit tries to exploit a privilege escalation vulnerability in the kernel or any of the subsystems (e.g., win32k)? You may think it's something very uncommon, but it is not.
I guess you may extend wine to detect those?
> Or, what if the malware tries to install a driver? I can see that a driver was installed or that a call to LoadDriver/ZwLoadDriver was issued, but I can't get any other information.
For the purposes of scanning websites to see if they are evil, that should suffice, shouldn't it? - Dan
On Wed, Nov 10, 2010 at 6:25 PM, Dan Kegel dank@kegel.com wrote:
> On Wed, Nov 10, 2010 at 5:46 PM, Andrew Nguyen anguyen@codeweavers.com wrote:
> > Speaking of which, I wonder how much relation there is with the virtual botnet research farm of Sandia National Laboratories, which apparently runs Wine on each instance for modeling purposes.
> He gave several talks about the system, e.g. http://www.socallinuxexpo.org/scale8x/presentations/ten-million-and-one-peng... http://www.sandia.gov/ldrd/images/events/fy10_ldrd_day/posters/minnich.pdf He doesn't mention Wine, but it seems likely he's still using it.
He replied, saying: "pass on our thanks to all wine developers for some pretty amazing software. I expect we'll be talking to you more in the next year than we have been ..."
Heck, maybe he'll even come to wineconf 2011... - Dan
On 09.11.2010 20:29, Joxean Koret wrote:
> Hi!
> Dan Kegel told me about this conference and I decided to go :) I want to know if any of you guys are interested in a talk about the newest version of ZeroWine (zerowine.sourceforge.net), the patches I wrote for Wine, the problems I found with Wine's loader and malware, etc...
> Best Regards, Joxean Koret
Hi, I would love to hear that some antivirus companies are using ZeroWine.
On Wed, 10-11-2010 at 20:58 +0100, André Hentschel wrote:
> I would love to hear that some antivirus companies are using ZeroWine.
Eeehm... They are using it.