Netjail is a user-space mechanism for restricting
the socket connection attempts that a process
makes. This makes it very useful for studying
and/or foiling spyware and other software that has
covert "home-calling" features. It is implemented
as a shared library which is preloaded when
launching the suspect program (via the LD_PRELOAD
mechanism available in most moderm Unix systems).
This library intercepts socket() and connect()
calls to the standard socket library and logs the
attempts. Based on environment variables, detailed
rules can be put in place about which addresses
will be allowed to connect. Connections that are
disallowed will return the ECONNREFUSED
(Connection Refused) error, which is most likely
to be gracefully handled by hidden spyware
functionality.
