Comments on: Malware Behavior Analysis: Zero Wine

By: Samiam

Samiam — Fri, 10 Jul 2009 15:47:23 +0000

Intriguing. I found this page while searching for information about analyzing (actually confirming) suspected exploited web sites from a VM. I need what ZW can do, but I also need that capability. If I installed one or more additional AV tools (ones that detect Trojan Droppers, etc. on web pages) into the ZW VM, could I do both tasks from this tool? Thanks.

-SAM

By: Forensics

Forensics — Tue, 16 Jun 2009 21:57:00 +0000

Great work! Great setup and tool! Very good start to this project. Just a thought of something perhaps to add to the project…

It would be very neat too if you incorporated Volatility and their python scripts into the project and allow you to parse through a lot of information on memory dumps too. Processes any malware that might only be persistent in memory. Just a thought! Keep up the good work.

By: Zero Wine | PenTestIT

Zero Wine | PenTestIT — Thu, 26 Feb 2009 17:07:16 +0000

[...] Malware Behavior Analysis: Zero Wine [...]

By: Zero Wine: Malware Behavior Analysis

Zero Wine: Malware Behavior Analysis — Sun, 04 Jan 2009 22:21:07 +0000

[...] A new malware behaviour analysis tool called Zero Win has poped up. The tool was developed by Joxean Koret and released under GPL v2.0. Zero Wine uses [...]

By: joxean

joxean — Tue, 30 Dec 2008 18:24:53 +0000

@Dinesh

Oops, sorry! For the user “malware” the password is “malware” and the root’s password is zerowine.

By: Ian Starkc

Ian Starkc — Tue, 30 Dec 2008 15:53:01 +0000

Cool work !!

By: joxean

joxean — Tue, 30 Dec 2008 09:32:20 +0000

@w0lf.

I think that it’s possible, as well as it’s possible with CWSandbox or Norman. However, you should run zerowine in a virtual machine in an isolated environment. Even if a specific and targeted malware finds a way to bypass the sandbox and exit from Wine, the malware must also exit from the virtual machine exploiting a 0day flaw with a low level (unprivileged) user so, it’s highly unlikely.

However, it might be possible.

By: Dinesh

Dinesh — Tue, 30 Dec 2008 09:00:17 +0000

Hi, What is the login id and password for the image?

By: w0lf

w0lf — Tue, 30 Dec 2008 06:09:48 +0000

Nice work!!! But if the malware is able to bypass the sandbox restrictions, then the whole of the web server may be compromised. Targeted attack worms may be out where the attacker may upload them to zero wine website and then compromise the whole webserver. This may be a future scenario. Correct me if I am wrong.

By: New Sandbox - spamversand

New Sandbox - spamversand — Mon, 29 Dec 2008 14:36:25 +0000

[...] Honeypots Additionally to well known sandboxes like norman or CWsandbox there is a new one out: Zero Wine. A Python written malware analyzing tool, doing: ” 1. Report: The complete raw report of all [...]