
Thread: Capturing and Analyzing a "Live" Virus

  1. #1
    Junior Member
    Join Date
    Jun 2005
    Posts
    9

    Capturing and Analyzing a "Live" Virus

    I'm interested in the ability to catch a "live" virus and then analyze its contents. But the only question is how to do it safely without it killing my home network, and then the second question would be what decompiler program would be really good for such a thing (without forking over my kids' college money). The only thing I can think of is to run different VMware builds, but that is as far as I have gotten. So any input would be great, and not only to me but for everyone else who reads this board. Thanks.

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    First find the infecting file. Change the file extension. Move it to some sort of secure ROM media (CDs are nice). Then put it on a "controlled" box not on the network. From there decompile to your heart's content, and you don't need to worry about the file going nuts on the network.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  3. #3
    Junior Member
    Join Date
    Jun 2005
    Posts
    9
    I'm trying to catch one in the act, without it spreading to my other machine. Also keep in mind that I'm trying to do this with as few machines as possible... it's my home we're talking about and not some server farm... and then what decompiler program would be good for this? Free programs are always good, but I know that if you want a good one you're going to have to pay up (which I don't mind as long as it isn't the same price I pay for my car).

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Do you need a decompiler because you want to actually look at the code, or because you think you need it to help analyze the virus?

    If it's the latter you can see much of what the virus does, if not everything, by using this.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
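    The link in #4 did not survive in this copy of the thread, so the tool it points to is unknown. As an added illustration of the point (a file and registry monitor's log shows what a sample actually touched), here is a Python script that is not from any poster in this thread: it summarizes log lines laid out like the tab-separated output of a FileMon/RegMon-style monitor. The log lines, the process name sample.exe and every path in them are constructed for the example.

```python
"""Summarize a file/registry activity log to see what a sample did.

Added example; not a tool from the thread. The log below is constructed
to mimic the tab-separated columns of a FileMon/RegMon-style monitor
(sequence, time, process:pid, operation, path, result). Every path and
the process name "sample.exe" are made up for the example.
"""
import re

SAMPLE_LOG = """\
1\t12:00:01.100\tsample.exe:1234\tCREATE\tC:\\WINDOWS\\system32\\svchostx.exe\tSUCCESS
2\t12:00:01.105\tsample.exe:1234\tWRITE\tC:\\WINDOWS\\system32\\svchostx.exe\tSUCCESS
3\t12:00:01.200\tsample.exe:1234\tSetValue\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchostx\tSUCCESS
4\t12:00:01.300\tsample.exe:1234\tOPEN\tC:\\WINDOWS\\system32\\kernel32.dll\tSUCCESS
5\t12:00:01.400\texplorer.exe:800\tQueryValue\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\tSUCCESS
6\t12:00:02.000\tsample.exe:1234\tCREATE\tC:\\Documents and Settings\\user\\Local Settings\\Temp\\~tmp1.dat\tSUCCESS
7\t12:00:02.100\tsample.exe:1234\tOPEN\tC:\\WINDOWS\\system32\\drivers\\etc\\hosts\tACCESS DENIED
"""

# Operations that change state on disk or in the registry (compared upper-cased).
WRITE_OPS = {"CREATE", "WRITE", "DELETE", "SETVALUE", "CREATEKEY", "DELETEVALUE", "DELETEKEY"}

# Well-known autostart locations; a write here is the classic persistence sign.
AUTOSTART_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)\\", re.IGNORECASE)


def parse_line(line):
    """Split one tab-separated log line into a dict, or return None if malformed."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 6:
        return None
    seq, when, proc, op, path, result = parts[:6]
    return {
        "seq": int(seq),
        "time": when,
        "process": proc.split(":")[0],   # drop the ":pid" suffix
        "op": op.upper(),
        "path": path,
        "result": result.upper(),
    }


def summarize(log_text, process):
    """Collect what `process` wrote, where it was refused, and any autostart entries."""
    files_written, reg_written, autostart, failed = set(), set(), set(), set()
    other = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["process"].lower() != process.lower():
            continue  # skip malformed lines and other processes' noise
        path = rec["path"]
        if rec["result"] != "SUCCESS":
            failed.add(f'{rec["op"]} {path} -> {rec["result"]}')
            continue
        if rec["op"] in WRITE_OPS:
            if path.upper().startswith("HK"):      # registry path
                reg_written.add(path)
                if AUTOSTART_KEYS.search(path):
                    autostart.add(path)
            else:                                   # file system path
                files_written.add(path)
        else:
            other += 1                              # reads, opens, queries
    return {
        "files_written": sorted(files_written),
        "registry_written": sorted(reg_written),
        "autostart": sorted(autostart),
        "failed": sorted(failed),
        "other_events": other,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, "sample.exe").items():
        print(f"{key}: {value}")
```

    Filtering on the sample's own process name is what keeps the report readable: a monitor on a live box records thousands of events from Explorer and the shell, and the interesting lines are the handful where the sample drops a file, writes an autostart key, or is refused access to something like the hosts file.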

  5. #5
    Junior Member
    Join Date
    Jun 2005
    Posts
    9
    I'm definitely looking to decompile the whole virus, but do you have any info on catching the "live" virus in a contained environment, sort of like in a VMware build?

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ooookay.....

    What do you mean by "capturing"?

    Catching a virus is really rather easy.... Take a look through your email; there will probably be a couple in there if your email isn't pre-filtered - if it is, find an email account that isn't.

    Now, if you are talking about trying to catch a worm the game is a little different.....

    Which is it?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Junior Member
    Join Date
    Jun 2005
    Posts
    9
    Okay, sorry for not clarifying, but catching a worm is what I'm looking for. And what can I use to pick it apart to find out how it works, what it affects and so forth?

  8. #8
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    I've done a bit of virus analysis and I employ the techniques that TigerShark is discussing...

    I'll give you a rundown on two different scenarios..

    1)

    Just recently there was a post on a virus that turned out to be the latest Beagle variant... There wasn't much available at that point so I decided to play a little on my own... I had a copy in one of my work email accounts, so I saved it to the machine (in its original zip) and then zipped it again with a password... I posted the file on here, feel free to dig up the thread and make use of the file.. Then I transferred the file over to VMware and removed VMware from my network.

    This is where the tools came in...

    I ran FileMon and RegMon (both are available for free from Sysinternals).
    I also ran Ethereal to see if any data was transmitted, and also the fake DNS server provided with the Malcode Analysis Pack.

    The results that I came up with are located in the thread that surrounded the discussion -- here

    2)

    At work we were having a problem with a number of worms and also network-aware spyware... This time a physical machine was used (VMware could be substituted) and an unpacked Windows XP was placed on the network... I left it open to absorb everything that was spreading... I still have the ghost image lying around (I believe) with all the malware on it.. It's for an IBM R51 laptop... but XP should be smart enough to be ghosted onto anything.. If I can find it and have the space somewhere to post it, I can throw it up for you.. might give you the live catch you are looking for..

    You can read more about what I did with the infected image in this thread.

    Peace,
    HT
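    The fake DNS step in HT's lab above (point the isolated VM's DNS at a server that answers everything locally and logs what was asked) can be reproduced in a few lines of Python. This is an added example, not the Malcode Analysis Pack's server and not HT's code; the sinkhole address 10.0.0.1, the bind address and the port are assumptions for an isolated lab network, and the query names in the self-check are constructed.

```python
"""Minimal fake DNS server for an isolated analysis VM.

Added example; not the Malcode Analysis Pack's server or any poster's code.
Every A query is answered with SINKHOLE_IP (an assumed lab address) and the
queried name is logged, so a sample running in an isolated VM reveals the
hosts it tries to resolve without any traffic leaving the lab network.
"""
import socket
import struct

SINKHOLE_IP = "10.0.0.1"   # assumption: the analyst box on the isolated lab network
SEEN = []                  # names the sample asked for, in order


def parse_query(data):
    """Return (txid, qname, qtype, question_bytes) from a raw DNS query packet."""
    if len(data) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    off, labels = 12, []
    while True:                       # walk the length-prefixed labels of QNAME
        length = data[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(data[off:off + length].decode("ascii", "replace"))
        off += length
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    off += 4
    return txid, ".".join(labels), qtype, data[12:off]


def build_response(txid, qtype, question, ip, ttl=60):
    """Answer A queries with `ip`; answer anything else NOERROR with no records."""
    if qtype == 1:
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
        # The answer name is a pointer (0xC00C) back to the question at offset 12.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
        return header + question + answer
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question


def handle_packet(data, ip=SINKHOLE_IP):
    """Parse one query, record the name, return (qname, qtype, response bytes)."""
    txid, qname, qtype, question = parse_query(data)
    SEEN.append(qname)
    return qname, qtype, build_response(txid, qtype, question, ip)


def build_query(name, txid=0x1234, qtype=1):
    """Encode a standard recursive query; used for the self-check, not by the server."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def serve(bind="0.0.0.0", port=53, ip=SINKHOLE_IP):
    """Answer queries forever on UDP `port` (53 needs root; point the VM's DNS here)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            qname, qtype, resp = handle_packet(data, ip)
        except ValueError as exc:
            print(f"{peer[0]}: ignored packet ({exc})")
            continue
        print(f"{peer[0]}: type {qtype} query for {qname} -> {ip if qtype == 1 else 'no answer'}")
        sock.sendto(resp, peer)


if __name__ == "__main__":
    serve()
```

    Run it as root on the analyst machine that shares the VM's host-only network, set the VM's DNS server to that machine's address, and the console shows every host name the sample asks for; whatever it then tries to send to the sinkhole address turns up in the Ethereal capture. Answering with NOERROR rather than dropping non-A queries keeps the sample from stalling on resolver timeouts, which would hide the rest of its behaviour.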

  9. #9
    Junior Member
    Join Date
    Jun 2005
    Posts
    9
    That's exactly what I'm looking for. I guess my whole reasoning behind my madness is kind of weird, which is that I figure the more I can understand the viruses and worms and their internal workings, the better I can grasp a way to protect from them. Plus the more I know what my enemy knows, the better off I will be.

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted by SGT-Zer0:
    Plus the more I know what my enemy knows, the better off I will be.
    As Sun Tzu said: "Know thy enemy"

    As for disassembling, have a look at IDA Pro.. IIRC there's a console-only free version..
    Oliver's Law:
    Experience is something you don't get until just after you need it.
