Capturing and Analyzing a "Live" Virus - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 19 of 19

Thread: Capturing and Analyzing a "Live" Virus

  1. #11
    Member
    Join Date
    Dec 2003
    Posts
    41
    Olly Debugger is a free one with source code available, and a GUI interface. I used it alot while trying to reverse engineer binary code.

  2. #12
    What I would do is have the virii run in a virtual environment, with a sniffer on the nic tracking all of the traffic in/out on the card, and have the gateway firewall drop all incoming/outgoing packets to the virtual machine....tcpreplay, ethereal, virtual pc/vmware are great tools for this..

  3. #13
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    For $DIETY's sake, if you're gonna go through with this, do it in a virtual environment running on a secured platform. For example, a Linux host with a Windows guest OS.

    Not to be offensive, but are you sure you know WTF you're doing? This is *NOT* a good idea, unless you are a skilled and competent code, network, and systems analyst. And even then, it's probably a bad idea. From the content of your posts in this thread, I don't get the impression that you are an uber-techno-wizard, so this sort of behavior is probably a BAD IDEA(C)
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #14
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Zen:

    Give the guy a bit of a break here.....

    It sounds like he wants to learn....

    Sgt: You goal might be worthy but you need to know your virus before your start. It's not good enough to just get yourself a virus and fire it off in the hope that you can undo the damage. You need to get your virus, identify it, research _exactly_ what it can/will do and then come up with your mitigating techniques. For the most part this can be done on a standalone machine using the tools I pointed you at. Worst case you may want to connect this box to another with a crossover cable and a sniffer so that you can see what the virus sends out. In both cases I would have the drives imaged so that you can return the box to a "sensible" state.

    This isn't something you take on casually.... Think before you act... If you don't have a solution for a problem the virus would present you with then the exercise ends right there... you don't activate the thing..... capiche?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #15
    what is a competent idea(C)?


    simple rule:

    tools:
    disassembler
    Hunter tasks
    Surfase Memory Scanner
    Services Hunter (maybe integrated onto Hunter Task id or memset runtimer)
    Decrypter (just in case)

    scenario:

    Infected Enviroment of Course!!!

    NOTE: there tools not be need system dlls (or kernell)

    NOTE 2: make your own conclusion


    Best Wishes

  6. #16
    Member carenath's Avatar
    Join Date
    Jan 2002
    Location
    Carlisle, PA
    Posts
    42
    Originally posted here by zencoder
    For $DIETY's sake, if you're gonna go through with this, do it in a virtual environment running on a secured platform. For example, a Linux host with a Windows guest OS.

    Not to be offensive, but are you sure you know WTF you're doing? This is *NOT* a good idea, unless you are a skilled and competent code, network, and systems analyst. And even then, it's probably a bad idea. From the content of your posts in this thread, I don't get the impression that you are an uber-techno-wizard, so this sort of behavior is probably a BAD IDEA(C)

    Hey Zencoder; I have to say that when I started into the virus research field, I didn't know what I was doing. I started way back in 1991 - 92 and started by getting ahold of Michelangelo (at the time a rather nasty bug). I used softice to decompile it and read it's code, ran the virus on my system and debugged/traced its route through my 'puter and then cleaned it off. Back until about 2001 the only virus I ever was unable to get rid of - even with a lowlevel format - was the jackal virus. At that time I didn't know about virtual machines (I was running in DOS and Windows 3.11 for WorkGroups) and just ran it on my system. Of course I had backups, but they didn't help with a virus that infected everything... and I mean EVERYTHING

    So as far as being a technowiz, skilled code/network/systems analyst, that I wasn't. Noone gets to that point unless they are willing to learn and try things that - yeah - sometimes might just totally screw their system. Bad idea? what's so bad about wanting to learn?

    Originally posted here by Tiger Shark
    Zen:

    Give the guy a bit of a break here.....

    It sounds like he wants to learn....

    Sgt: You goal might be worthy but you need to know your virus before your start. It's not good enough to just get yourself a virus and fire it off in the hope that you can undo the damage. You need to get your virus, identify it, research _exactly_ what it can/will do and then come up with your mitigating techniques. For the most part this can be done on a standalone machine using the tools I pointed you at. Worst case you may want to connect this box to another with a crossover cable and a sniffer so that you can see what the virus sends out. In both cases I would have the drives imaged so that you can return the box to a "sensible" state.

    This isn't something you take on casually.... Think before you act... If you don't have a solution for a problem the virus would present you with then the exercise ends right there... you don't activate the thing..... capiche?

    Well, Tiger, I guess I failed your suggestion (see above).

    Seriously, though, you make a valid point. After being in the virus research field for the past 13 years, I would never do what I did back then to research viruses. I agree that you NEED to know exactly what it can/will do and have a plan to stop/block it if it appears to be getting out of control. Had I done that with Jackal, I would have saved a $2000.00 computer system that had to be trashed (at the time I didn't know you could just replace the HDD and such). Now I use a win98SE system crossed to my primary, with firewall and AV blocking to avoid infecting the primary. With the setup I have I can run it on my old system, and use the main to watch what happens.

    Blessings;

    Carenath
    [gloworange] Windows XP = Windows Xtra Problems[/gloworange]

  7. #17
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    I've done testing of viruses like netsky and bagle on old Windows boxes, mostly to study network behavior and testing cleaning tools. Spyware, too.

    You want to make sure your test machine is on your network's DMZ. I've used Smoothwall and IPcop for several years and both those gateways have solid DMZ's where the computer assigned to the DMZ is unable to reach back into the rest of the network. The DMZ's on some routers is a joke, specifically Belkins. Linksys's DMZ seemed OK, but I'm not sure I trust any DMZ that shares an ip address in the same range as the rest of the network. Fwiw.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  8. #18
    BIOS Bomber
    Join Date
    Jul 2003
    Location
    Michigan
    Posts
    357
    Is there a reason people like posting on old threads to make other people mad? at least make a new thread if you have new ideas or somthing..this just gets old and annoying.
    "When in doubt, use Brute Force."

    Never argue with an idiot. They'll drag you down to their level, then beat you with experience.

  9. #19
    Member carenath's Avatar
    Join Date
    Jan 2002
    Location
    Carlisle, PA
    Posts
    42

    Posting to old thread...

    Originally posted here by mandraketux
    Is there a reason people like posting on old threads to make other people mad? at least make a new thread if you have new ideas or somthing..this just gets old and annoying.
    1. Since the thread was originally posted in June of '05 I figured that by replying to the thread it would give people the opportunity to see what had come before.

    2. I really don't know how to reference a thread in another post, so I used this method to get my comment accross.

    3. while I can see your point in posting to old threads, giving negs for that seens to be a little extreme in getting [B/your[/B] point across since you can do the same by PMing the person involved and giving them a chance to either correct or learn from their mistakes.

    I will also be posting this into the same thread since you felt it important enough to not only neg me, but post in the same thread to try and get your pooint across. Seens a little hypocritical to me, but that is just MHO.

    God Bless;

    Carenath
    [gloworange] Windows XP = Windows Xtra Problems[/gloworange]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides