KasperskyLab/TinyCheck

http://tinycheck.local URL as security problem

ropg opened this issue · 1 comment

ropg commented

Malware today often tests if it's running in a virtual machine or if debugging software like IDA Pro is installed, and makes sure not to do anything suspicious, or even destroys itself, when it sees that's the case. If this project is successful, it won't be long until some of the software in question checks for a response on tinycheck.local.

Maybe only bring up the mDNS responder and web server when a hardware button is pressed? This way the malware cannot check that it's talking to one of these.

Hello ropg,

Yes sure, at this time ports 80 and 443 are closed from the analyzed phone, and there is a Suricata rule which detects if the phone tried to query tinycheck.local. Maybe I need to completely disable the mDNS requests from the analyzed phone via an iptables rule, but I need to check first that it doesn't break things.

Regards,
Félix.
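As an added example, not code from TinyCheck or from either participant in this thread: the core of the check a rule on the phone's traffic has to make is decoding the question section of an mDNS query (UDP to 224.0.0.251:5353) and matching the queried name against `tinycheck.local`. The packet below is constructed by hand for the example, and the name `flag_tinycheck_probe` is an assumption.

```python
import struct

# Constructed sample (not a capture): UDP payload of an mDNS query asking for
# the A record of tinycheck.local, the probe the thread above is worried about.
SAMPLE_MDNS_QUERY = (
    b"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # id, flags, QD=1, AN/NS/AR=0
    b"\x09tinycheck\x05local\x00"                        # QNAME
    b"\x00\x01\x80\x01"                                  # QTYPE A, QCLASS IN (+unicast bit)
)
WATCHED_NAMES = {"tinycheck.local"}

def _read_name(payload, offset):
    """Decode a DNS name at offset -> (name, offset after it). Follows RFC 1035
    compression pointers with a hop limit so a malformed packet cannot loop."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            end = end if jumped else offset + 2
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels).lower(), (end if jumped else offset)

def queried_names(payload):
    """Names in the question section of a DNS/mDNS query; [] for responses."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    _tid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:  # QR bit set: this is a response, not a query
        return []
    names, offset = [], 12
    for _ in range(qdcount):
        name, offset = _read_name(payload, offset)
        offset += 4  # skip QTYPE and QCLASS
        names.append(name)
    return names

def flag_tinycheck_probe(payload, watched=WATCHED_NAMES):
    """Watched names the phone asked for; non-empty means it probed for the box."""
    return sorted(n for n in queried_names(payload) if n in watched)
```

Running the same function over every packet to 5353 on the phone-facing interface gives the detection side; the iptables rule discussed above would drop those packets before they reach the responder.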