deepgeek

Malware Zoo, a learning experience

5 posts in this topic

Wow! What an interesting couple of days.

Well, as I said before, I am preparing for a Linux SIG lecture next month, and I wanted a dramatic virus for the demo, to show a way to quickly rid such stuff from a virtual machine (by deleting the virtual machine and leaving its backing file in place.)

It's a good news and a bad news thing. Good news is this: you can delete a virus and all its effects by deleting a well constructed virtual machine and invoking its backup :roll: .

Bad news is, and this is for my fellow newbs out there: all the viruses collected at offensivecomputing.com are not what they are named. I was trying to get a simple virus to do something dramatic like spamming out IE on a virtual Windows machine, but I invariably got some Javascript Generic Botnet thing :wacko:

So, don't just question what authority figures say, question also what hacker sites say. :ATTN:

yours,

---

Deepgeek


Removing viruses isn't always quite that simple. If you're familiar with the redpill and bluepill concepts you will see that it is possible to detect when running inside of a virtualized environment and from that take different actions. There also is a risk of software breaking out of virtualization due to bugs in the virtualization system where malware may be able to infect the host machine or spread to other virtual machines. I'm not sure if this has ever been done but it is a possibility.


Thanks, Lininded,

[BTW, your artwork is really impressive!]

Not sure what you mean by the green & red pill concepts, I might be drawing the wrong analogy, but all I can think of is "The Matrix."

However, one thing I did not predict, and only found out later, was this. Once the botnet virus is on your side of the firewall, it can more easily attack other machines. Fortunately, I am all Linux.

So, my situation was this (assuming you're curious): I'm running Qemu under Linux, and running w2k under that, and I unleash a botnet virus on the VM. Now, what firewall protects what from what? I am behind my hardware firewall on my modem, and the infected machine is behind the virtual firewall on the virtual network on Qemu. Interesting problem, maybe I am playing with matches by playing with this stuff.

Well, thought you would like to know, thanks again for responding.

---

Deepgeek

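The workflow deepgeek describes in the opening post and in this reply (boot the malware inside a throwaway guest on top of an untouched backing file, then discard the guest) can be made reproducible with a small script. The block below is an added example and is not code from the thread or from any of the posters; it assumes qemu-img and qemu-system-i386 are installed, and the image names, memory size and NIC model are assumptions. It adds the two checks a practitioner would want: the backing file is made read-only and fingerprinted before the run so a modified base is noticed, and the guest gets user-mode networking with `restrict=on`, which gives it a NIC but no route to the host or the LAN, which is the answer to "what firewall protects what" for the common case where the guest must not reach the real network. It does not defend against a bug in Qemu itself, the escape risk raised in the reply above.

```shell
#!/bin/sh
# Added example, not code from the thread. Disposable Qemu guest on a
# pristine backing image: writes go to a copy-on-write overlay, the guest
# is network-isolated, and the backing image is verified after the run.
# File names and guest settings below are assumptions.

BASE="${BASE:-w2k-base.qcow2}"      # pristine backing file (assumed name), never written to
OVERLAY="${OVERLAY:-w2k-run.qcow2}" # throwaway copy-on-write layer (assumed name)

# SHA-256 of a file, used to prove the backing image did not change.
fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Make the backing file read-only and create the overlay on top of it.
# qemu-img records BASE inside OVERLAY; the guest is booted from OVERLAY only.
make_overlay() {
    chmod a-w "$BASE"
    qemu-img create -f qcow2 -b "$BASE" -F qcow2 "$OVERLAY" >/dev/null
}

# Boot the guest from the overlay. User-mode networking with restrict=on
# gives the guest a NIC but blocks traffic to the host and to the outside.
run_isolated() {
    qemu-system-i386 -m 512 \
        -drive file="$OVERLAY",format=qcow2 \
        -netdev user,id=n0,restrict=on \
        -device rtl8139,netdev=n0
}

# Throw the overlay away and verify the backing image still matches the
# fingerprint taken before the run. Returns non-zero if BASE was modified.
discard_overlay() {
    before="$1"
    rm -f -- "$OVERLAY"
    [ "$(fingerprint "$BASE")" = "$before" ]
}

# Full cycle when invoked as "sh sandbox.sh run" (assumed script name).
case "${1:-}" in
    run)
        h=$(fingerprint "$BASE")
        make_overlay
        run_isolated
        if discard_overlay "$h"; then
            echo "backing image intact; guest state discarded"
        else
            echo "WARNING: backing image changed, do not reuse it" >&2
            exit 1
        fi
        ;;
esac
```

Deleting the overlay is what "deleting the virtual machine" amounts to here; the base image is only ever read, so a fresh overlay gives a clean guest for the next demo without restoring anything from a backup.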

Check out some of the honeypot projects: mwcollect, nepenthes, honeytrap.


I've noticed an interesting bleeding of Windows to Linux and vice versa.

When O'Reilly Press released Knoppix Hacks, they included a modified distribution of Knoppix (three nine, I think) that had a built-in Windows virus scanner and Windows registry editor. While conceptually this is great, and it is, the computer builds a ramdisk, downloads the virus defs from a web server, plops them into the ramdisk, and scans the hard drive without having to boot into Windows. Pretty neat.

However, this does lead to some interesting points about how similar SOME open source code is to proprietary code, as well as how much access the software has to the hardware. Make sure your virtual machine does not have certain ports open, don't let it know the location of your NIC, keep it away from devices it can use to transfer itself.

This is speculation, but if you can use a virtual machine to scan for infections, edit the registry and use Wine to run an OS within an OS, it's not out of the realm of possibility that a Windows binary could execute instructions to an OS-neutral device, such as a network card.

Before I make even less sense (I'm REALLY tired), I would make an outlandish (on these boards) suggestion: if you're afraid of using the wrong virus, you could actually use some skiddy warez and make your own if you don't feel comfy writing your own mmc from scratch. If you design the payload yourself and the means of delivery as well, you know what to block off, and your lecture should go well. Kinda weird how that could work, actually...

- alienbinary
