9 Nov
2010
9 Nov
'10
7:29 p.m.
Hi!
Dan Kegel told me about this conference and I decided to go :) I want to
know if any of you guys is interested on a talk about the newest verion
of ZeroWine (zerowine.sourceforge.net), the patches I wrote for Wine,
the problems I found with Wine's loader and malware, etc...
Best Regards,
Joxean Koret
9 Nov
9 Nov
7:40 p.m.
Am Dienstag 09 November 2010, 20:29:00 schrieb Joxean Koret:
Hi!
Dan Kegel told me about this conference and I decided to go :) I want to
know if any of you guys is interested on a talk about the newest verion
of ZeroWine (zerowine.sourceforge.net), the patches I wrote for Wine,
the problems I found with Wine's loader and malware, etc...
I can't speak
for the others, but personally I am interested :-)
10 Nov
10 Nov
5:46 p.m.
On 11/09/2010 01:29 PM, Joxean Koret wrote:
Hi!
Dan Kegel told me about this conference and I decided to go :) I want to
know if any of you guys is interested on a talk about the newest verion
of ZeroWine (zerowine.sourceforge.net), the patches I wrote for Wine,
the problems I found with Wine's loader and malware, etc...
Best Regards,
Joxean Koret
I wasn't aware of the existence of Zero Wine until now, so you can count
me in as another interested party. Speaking of which, I wonder how much
relation there is with the virtual botnet research farm of Sandia
National Laboratories, which apparently runs Wine on each instance for
modeling purposes. The New York Times article
(http://www.nytimes.com/2009/07/28/science/28comp.html) is annoyingly
stuck behind a free login, though.
6:25 p.m.
On Wed, Nov 10, 2010 at 5:46 PM, Andrew Nguyen <anguyen(a)codeweavers.com> wrote:
Speaking of which, I wonder how much
relation there is with the virtual botnet research farm of Sandia
National Laboratories, which apparently runs Wine on each instance for
modeling purposes. The New York Times article
(http://www.nytimes.com/2009/07/28/science/28comp.html) is annoyingly
stuck behind a free login, though.
He gave several talks about the system, e.g.
http://www.socallinuxexpo.org/scale8x/presentations/ten-million-and-one-pen…
http://www.sandia.gov/ldrd/images/events/fy10_ldrd_day/posters/minnich.pdf
He doesn't mention Wine, but it seems likely he's still using it.
I'll ping him.
7:28 p.m.
On Wed, Nov 10, 2010 at 6:25 PM, Dan Kegel <dank(a)kegel.com> wrote:
On Wed, Nov 10, 2010 at 5:46 PM, Andrew Nguyen
<anguyen(a)codeweavers.com> wrote:
BTW the audio talk at the first link talk about wine at about 50 minutes.
He said wine worked great until he found malware that needed
windows kernel modules.
- Dan
Speaking of which, I wonder how much
relation there is with the virtual botnet research farm of Sandia
National Laboratories, which apparently runs Wine on each instance for
modeling purposes. The New York Times article
(http://www.nytimes.com/2009/07/28/science/28comp.html) is annoyingly
stuck behind a free login, though.
He gave several talks about the system, e.g.
http://www.socallinuxexpo.org/scale8x/presentations/ten-million-and-one-pen…
http://www.sandia.gov/ldrd/images/events/fy10_ldrd_day/posters/minnich.pdf
He doesn't mention Wine, but it seems likely he's still using it.
7:51 p.m.
Hi,
El mié, 10-11-2010 a las 19:28 +0000, Dan Kegel escribió:
BTW the audio talk at the first link talk about wine
at about 50
minutes.
He said wine worked great until he found malware that needed
windows kernel modules.
Yep, Wine doesn't work for testing rootkits, unfortunately :(
And I guess there is no plan to support execution of Win32's drivers,
right? Because, except for malware analysis, I see no benefit for it.
7:45 p.m.
On Wed, Nov 10, 2010 at 7:51 PM, Joxean Koret <joxeankoret(a)yahoo.es> wrote:
We keep adding little bits as required by real apps,
but it's always going to be a small subset.
ReactOS, now, that uses Wine as a userspace, and it can
run Windows drivers...
- Dan
He said wine
worked great until he found malware that needed
windows kernel modules.
Yep, Wine doesn't work for testing rootkits, unfortunately :(
And I guess there is no plan to support execution of Win32's drivers,
right? Because, except for malware analysis, I see no benefit for it. 
7:51 p.m.
On Wed, Nov 10, 2010 at 08:51:55PM +0100, Joxean Koret wrote:
Hi,
El mié, 10-11-2010 a las 19:28 +0000, Dan Kegel escribió:
We run Win32 drivers in a very basic form (for some copyprotection stuff).
This can be enhanced, but there are limits of course. Rootkits probably
want to hook the filesystem and there we will probably fail ;)
Ciao, Marcus
BTW the audio talk at the first link talk about
wine at about 50
minutes.
He said wine worked great until he found malware that needed
windows kernel modules.
Yep, Wine doesn't work for testing rootkits, unfortunately :(
And I guess there is no plan to support execution of Win32's drivers,
right? Because, except for malware analysis, I see no benefit for it.
8:08 p.m.
El mié, 10-11-2010 a las 20:51 +0100, Marcus Meissner escribió:
This can be enhanced, but there are limits of course.
Rootkits
probably
want to hook the filesystem and there we will probably fail ;)
Rootkits typically want to hook filesystem, network and processes. They
want all for them ;)
7:59 p.m.
On Wed, Nov 10, 2010 at 8:08 PM, Joxean Koret <joxeankoret(a)yahoo.es> wrote:
El mié, 10-11-2010 a las 20:51 +0100, Marcus Meissner
escribió:
Presumably, though, under Wine you could detect the
attempt to hook those things, and thereby detect the
malware?
This can be enhanced, but there are limits of
course. Rootkits
probably
want to hook the filesystem and there we will probably fail ;)
Rootkits typically want to hook filesystem, network and processes. They
want all for them ;)
8:38 p.m.
El mié, 10-11-2010 a las 19:59 +0000, Dan Kegel escribió:
Presumably, though, under Wine you could detect the
attempt to hook those things, and thereby detect the
malware?
Is not that easy. For example, what if a rootkit tries to exploit a
privilege scalation vulnerability in the kernel or any of the subsystems
(i.e., win32k)? You may think it's something very uncommon, but is not.
Or, what if the malware tries to install a driver? I can see that a
driver was installed or that a call to LoadDriver/ZwLoadDriver was
issued but I can't get any other information.
9:44 p.m.
On Wed, Nov 10, 2010 at 8:38 PM, Joxean Koret <joxeankoret(a)yahoo.es> wrote:
Is not that easy. For example, what if a rootkit tries
to exploit a
privilege scalation vulnerability in the kernel or any of the subsystems
(i.e., win32k)? You may think it's something very uncommon, but is not.
I guess you may extend wine to detect those?
Or, what if the malware tries to install a driver? I
can see that a
driver was installed or that a call to LoadDriver/ZwLoadDriver was
issued but I can't get any other information.
For the purposes of scanning websites to see if they are evil,
that should suffice, shouldn't it?
- Dan
9:46 p.m.
On Wed, Nov 10, 2010 at 6:25 PM, Dan Kegel <dank(a)kegel.com> wrote:
On Wed, Nov 10, 2010 at 5:46 PM, Andrew Nguyen
<anguyen(a)codeweavers.com> wrote:
He replied, saying:
"pass on our thanks to all wine developers for some pretty amazing
software. I expect we'll be talking to you more in the next year than
we have been ..."
Heck, maybe he'll even come to wineconf 2011...
- Dan
Speaking of which, I wonder how much
relation there is with the virtual botnet research farm of Sandia
National Laboratories, which apparently runs Wine on each instance for
modeling purposes.
He gave several talks about the system, e.g.
http://www.socallinuxexpo.org/scale8x/presentations/ten-million-and-one-pen…
http://www.sandia.gov/ldrd/images/events/fy10_ldrd_day/posters/minnich.pdf
He doesn't mention Wine, but it seems likely he's still using it. 
7:58 p.m.
Am 09.11.2010 20:29, schrieb Joxean Koret:
Hi!
Dan Kegel told me about this conference and I decided to go :) I want to
know if any of you guys is interested on a talk about the newest verion
of ZeroWine (zerowine.sourceforge.net), the patches I wrote for Wine,
the problems I found with Wine's loader and malware, etc...
Best Regards,
Joxean Koret
Hi,
i would love to here that some Antivirus Companies are using zerowine.
--
Best Regards, André Hentschel
4939
days inactive
4940
days old
14 comments
6 participants
participants (6)
-
Andrew Nguyen -
André Hentschel -
Dan Kegel -
Joxean Koret -
Marcus Meissner -
Stefan Dösinger