Fakebust provides a malicious exploit discriminator.
Fakebust is a program that assists with the rapid assessment and supervised execution of potentially malicious programs: exploits or utilities of unknown origin, programs recovered during OS forensics, or samples acquired from a honeypot.
Fakebust is there to provide an ugly but viable compromise between extensive
analysis and blind execution. It is an interactive "bounding box" debugger,
under which the program is allowed to run for as long as certain boundary
I/O conditions are not violated.
Whenever the program attempts to gain access to a new, security-relevant resource, or otherwise tries to extend its permissions to a degree that would affect the system, the code is stopped and the user is presented with an informative description and a choice of what to do next. Typical choices are:
- Deny the request and abort the program - typically picked as soon as
you conclude it is malicious,
- Permit the program to perform the action once - picked when the request
is deemed to be justified, and the resource does not yield any
- Permit this and future access of this type to this resource - when
accesses to a file or connections to a host are expected to recur,
- Deny the request, but do not abort the program; the syscall will
not execute, and a value closest to "success" will be passed back to
the program as a simulated result. A good option whenever it is
apparent that the program is misbehaving, but it is not clear yet what
its goal is.
In other words, under fakebust, you can finally run the elusive Apache 0-day
exploit and be automatically warned if it attempts to execute shellcode
locally rather than remotely, or attempts to dial a host in China with your
/etc/passwd in hand; or attempts to write to /etc/ld.so.preload; fiddles
with /dev/kmem, etc. You will be able to stop an undesirable action before
it is carried out.
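How such a bounding box works at the syscall level, as an added example that is not part of fakebust itself: a minimal ptrace supervisor for x86-64 Linux. The suspect is started under PTRACE_SYSCALL, every openat() is caught at the syscall-entry stop before the kernel has done anything, the path is read out of the tracee's memory, and a verdict is applied: let it through, kill the tracee (deny and abort), or rewrite the syscall number to -1 so the kernel skips the call and then forge a return value of 0 at the exit stop (deny, but simulate success). The policy() function with its hard-coded path rules stands in for fakebust's interactive prompt; it, the run_boxed() and box_result names, and the choice of 0 as the value "closest to success" for a skipped openat() are assumptions of this example, not fakebust's code.

```c
/* Added example, not fakebust's own code: a minimal ptrace "bounding box" for
 * x86-64 Linux. The suspect runs under PTRACE_SYSCALL; each openat() is stopped
 * at entry, its path is read out of the tracee, and a hard-coded policy either
 * lets it through, kills the tracee, or skips the syscall and forges "success". */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
extern long syscall(long number, ...);   /* glibc prototype, in case _GNU_SOURCE came too late */

enum verdict { V_ALLOW, V_DENY_ABORT, V_DENY_FAKE_OK };
enum box_result {
    BOX_CHILD_SAW_SUCCESS, /* tracee's openat() returned >= 0, real or forged */
    BOX_CHILD_SAW_FAILURE, /* tracee's openat() returned -1 */
    BOX_ABORTED,           /* supervisor killed the tracee (deny and abort) */
    BOX_UNSUPPORTED        /* ptrace unavailable, or not x86-64 Linux */
};

/* Hypothetical policy standing in for the interactive prompt; the paths are the
 * examples from the text. A real policy would also look at the open flags. */
enum verdict policy(const char *path) {
    if (strcmp(path, "/etc/ld.so.preload") == 0) return V_DENY_ABORT;
    if (strncmp(path, "/dev/kmem", 9) == 0) return V_DENY_FAKE_OK;
    return V_ALLOW;
}

#if defined(__linux__) && defined(__x86_64__)
/* Copy a NUL-terminated string out of the tracee, one word at a time. */
static void read_child_string(pid_t pid, unsigned long long addr, char *out, size_t cap) {
    size_t n = 0;
    while (n + sizeof(long) <= cap) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + n), NULL);
        if (word == -1 && errno) break;
        memcpy(out + n, &word, sizeof word);
        if (memchr(&word, 0, sizeof word)) return;
        n += sizeof word;
    }
    out[n < cap ? n : cap - 1] = '\0';
}

/* The suspect: asks to be traced, then opens `path` read-only and reports the result. */
static void child_body(const char *path) {
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(42);
    raise(SIGSTOP);                  /* pause so the parent can set its options */
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
    _exit(fd >= 0 ? 0 : 1);
}

enum box_result run_boxed(const char *path, enum verdict *last_verdict) {
    *last_verdict = V_ALLOW;
    pid_t pid = fork();
    if (pid < 0) return BOX_UNSUPPORTED;
    if (pid == 0) child_body(path);
    int status, sig = 0, in_syscall = 0, fake_pending = 0;
    if (waitpid(pid, &status, WUNTRACED) < 0 || WIFEXITED(status)) return BOX_UNSUPPORTED;
    /* TRACESYSGOOD marks syscall stops as SIGTRAP|0x80; EXITKILL kills the suspect if we die */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL));

    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1) return BOX_UNSUPPORTED;
        sig = 0;
        if (waitpid(pid, &status, 0) < 0) return BOX_UNSUPPORTED;
        if (WIFEXITED(status)) return WEXITSTATUS(status) == 0 ? BOX_CHILD_SAW_SUCCESS : BOX_CHILD_SAW_FAILURE;
        if (WIFSIGNALED(status)) return BOX_ABORTED;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) { sig = WSTOPSIG(status); continue; } /* ordinary signal: pass it on */

        in_syscall = !in_syscall;    /* syscall stops alternate: entry, exit, entry, ... */
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) return BOX_UNSUPPORTED;
        if (in_syscall) {            /* entry stop: nothing has happened yet */
            if (regs.orig_rax != SYS_openat) continue;
            char buf[PATH_MAX];
            read_child_string(pid, regs.rsi, buf, sizeof buf);
            *last_verdict = policy(buf);
            if (*last_verdict == V_DENY_ABORT) {
                kill(pid, SIGKILL);  /* stop it before the action is carried out */
                waitpid(pid, &status, 0);
                return BOX_ABORTED;
            }
            if (*last_verdict == V_DENY_FAKE_OK) {
                regs.orig_rax = (unsigned long long)-1; /* invalid number: the kernel skips the call */
                ptrace(PTRACE_SETREGS, pid, NULL, &regs);
                fake_pending = 1;
            }
        } else if (fake_pending) {   /* exit stop of the skipped call: forge the result */
            regs.rax = 0;            /* "success" in place of the kernel's -ENOSYS */
            ptrace(PTRACE_SETREGS, pid, NULL, &regs);
            fake_pending = 0;
        }
    }
}
#else
enum box_result run_boxed(const char *path, enum verdict *last_verdict) {
    (void)path; *last_verdict = V_ALLOW; return BOX_UNSUPPORTED;
}
#endif
```

Call run_boxed() from a main() of your own with a path the suspect should try to open: "/dev/null" passes through untouched, "/dev/kmem" is skipped but the suspect is told it succeeded, "/etc/ld.so.preload" gets it killed. The entry/exit toggle is the classic strace-style bookkeeping; it stays in sync because the first syscall stop after the initial SIGSTOP is always an entry. A tool that also offers "permit this and future accesses" would keep a per-path table consulted before policy(), and a real supervisor would decode the other interesting calls (connect, execve, mprotect) the same way.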
What's New in This Release:
· proper handling of sigreturn;
· payload dumps on sendto/recvfrom.