-
hi there
Well I decided to infect a machine of mine with this malware so I can get some samples.
Nihil please check your private and your email.
If anyone else would like samples of these infected files please let me know via pm.
Panda didn't even blink at this. ./sad
-
Great advice brokencrow
Virtual machines are one of my fav new technologies.
Quote:
You must spread some Reputation around before giving it to brokencrow again.
Seems it is always the same people giving the good advice these days ;)
MLF
-
I've been wrestling with VM's for a couple of years now. Finally got some decent
hardware to run 'em on. VMWare seems to write the best apps. Haven't used
Xen or any of the open source stuff yet. MS's VM isn't worth a hoot in my book.
VM 2007 is slow even on this dual proc w/ 2 gb's ram. Haven't tried HyperVisor
yet though, as I'm not running MS's latest server.
Now I seem to be spending all my time building OS's. This laptop tri-boots XP,
Vista, and Ubuntu, not to mention one W2K server VM build and more to come.
Right now I'm running DSL (Damn Small Linux) in VM Player. Works well and is
quick. It's just about bulletproof, but lacks the bells and whistles (which I don't
mind).
-
If you are running a VPC on your PC and the VPC gets infected, will that affect your system?
Also, how does plugging in flash drives work? As both your system and the VPC will pick it up?
-
Quote:
Originally Posted by Cider
If you are running a VPC on your PC and the VPC gets infected, will that affect your system?
It's conceivable, but not very likely. Essentially a VM
is pretty much segregated from the host. VM's are
used for honeypots, so what's that say? Never say
never though.
Quote:
Originally Posted by Cider
Also, how does plugging in flash drives work? As both your system and the VPC will pick it up?
Flash drives work fine. VM hosts grant access to USB
devices. You're going to have problems with legacy
devices like LPT dongles though.
There are ass't hardware issues with VM's, like sound
or video cards that may or may not load. I had problems
on a Win98 VM that wouldn't pick up an Audigy I card,
even if I tried the Win98 driver from Creative's site.
The W2K server VM I run now wouldn't load a video
driver until I ran VMWare Tools, then it was fine. I
built Fedora v8 on VM Workstation 5.5 today and the
display settings won't hold anything other than 800x600.
VM Player (a freebie!) runs DSL linux fine but chokes
on Puppy linux (both run from an .iso).
So VM's do have issues. Nice thing is you can clone
them and start over much easier than reloading an
OS on a PC (generally!).
-
Hey there BC
Thanks for the info.
Stupid question. How do you use VM in a corporate world? Is it possible for a PC just to run VM software on it or does it require an OS behind that?
Our corporate software can be used on a VM and we can't charge the customer for this... I'm sure that will change in the future.
Edit - We have virtual licencing :P Just asked sales.
-
Anyway, towards the original malware.
I used Malwarebytes along with Spybot.
Why do I need resident AV ????? Hmmm, only reason I will keep it will be for the firewall plugin.
It's quite hard to support a product you don't believe in.
-
Quote:
Originally Posted by Cider
How do you use VM in a corporate world?
VM's are widely used to consolidate servers. As for how you might
use it, that basically depends on your privileges and your company's
AUP. Obviously I don't know anything about the company you work
for, or who admins their servers, but you may well already have virtualization
in place. VMWare's ESX is commonly used in enterprise environments.
Quote:
Originally Posted by Cider
Is it possible for a PC just to run VM software on it or does it require an OS behind that?
Both. ESX, a widely used product (expensive, too), runs as a dedicated
host. I think it's referred to as a hypervisor. I've used VMWare Workstation,
their Virtual Server (free!), their VM Player (also free), and MS's VM,
both 2004 & 2007. All of those run on top of a host OS, which can be
Windows, Linux or Mac. Wikipedia's got several pieces on VM's, along
with tons of links.
-
Hmmmm, "curiouser and curiouser" said Alice.
Cider, I got your e-mail, but my provider uses Norton, and Norton says "no!" So if Norton can detect it and Panda doesn't, I think that you have a problem. Basically I cannot access the attachment, and even if I try copying the whole message I hit problems:
Quote:
Risk Assessment: MAXIMUM - EXTREMELY VULNERABLE SITUATION.
*> Contains suspicious string: infect
LINE=...
*> Suspicious strings detected.
WormGuard has found a few strings in this file that are suspicious.
*> Contains suspicious string: virus
LINE=.........
*> Script Analysis: Security risks detected.
WormGuard Script Analysis:
> Sends email.
It may be using email to propogate.
> Contains suspicious string: "infect"
> Writes data to file(s).
WormGuard doesn't like it either :eek:
Whilst VM is one way to go, it isn't my personal choice because they are not really for the computer illiterate, and do need some serious resource to perform well.
Quote:
I've been wrestling with VM's for a couple of years now. Finally got some decent hardware to run 'em on.
For my lot, I tend to go for the virtual sandbox like Sandboxie or Fortres Grand.
-
VM loves resources.....and depending on the OS you are running it on...and the OS you are running in the VM.....oh and let's not forget the applications and services on both machines.....you need a lot of fricken resources
I have one to play with an app....that takes at least a 1/2 hour to load...I haven't really timed it yet. It runs on a laptop.
All MS OSes........and far too fricken many services and applications running on both....can be tweaked. (I didn't configure it...would like to though :) )
Dedicated VM....that's what I want...eeerrrrr need...yah that's it.
Just have to convince the powers that be :)
MLF
-
Quote:
Originally Posted by morganlefay
VM loves resources.....and depending on the OS you are running it on...and the OS you are running in the VM.....oh and let's not forget the applications and services on both machines.....you need a lot of fricken resources
Ain't that the truth. I finally sprung for a $2G's of new hardware, a dual-core
desktop and a laptop, the same. 2GB's RAM each. Nothing extraordinary by
today's standards, but after running other people's throwaways for years
(philosophical choice), I no longer "wrestle" with VM's as I once did.
Quote:
Originally Posted by morganlefay
All MS OSes........and far too fricken many services and applications running on both....can be tweaked. (I didn't configure it...would like to though :) )
For now, I'm running Workstation v.5.5 on a ThinkPad T61. I can run two VM's,
say Fedora and W2K, on top of the XP host and this thing does not skip a beat.
Linux makes a better host than Windows though, but I'm not there yet. When
I told one of my co-workers I'm running VM's on Windows, my character apparently
came into question (not the first time!).
-
Well I'm running 4 gigs at home on Vista and don't seem to have a problem running VM with Mandrake.
Still figuring out how to install anything on Linux. Why do you okes make it so hard :P
Nihil, Panda should detect the malware now due to the files I sent, however I think they are randomized so I don't know so much.
I am actually considering taking off Panda GP 2009 at home and get something that can detect this.
Is there something I can run in conjunction with this? WormGuard?
EDIT: Nihil, can you give me a link to WG as all the ones I tried, Softpedia etc., get corrupted on downloading.
Was trying to get the 4.0 trial but any version that works would be great.
Alternatively, zip and send to me :)
Thanks.
-
Please go here and have a look around. Don't forget to check out the free stuff as well, there are some interesting little utilities ;)
http://www.diamondcs.com.au/
Make sure that you get RegistryProt.
Quote:
Well I'm running 4 gigs at home on Vista and don't seem to have a problem running VM with Mandrake.
The problem is with machines at the 1GB level. That was a typical configuration for an XP home use machine, and still is for bottom end Vista boxes. Less than that and you should not even think about VM and performance unless you are running older OSes for research or legacy support.
Please remember that VM was never designed to be a security measure, unlike sandboxes.
Quote:
Nihil Panda should detect the malware now due to the files I sent however I think they are randomized so I don't know so much.
Well the file names certainly seem to be randomly generated. That is why an internet search doesn't come up with anything.
I don't know about the rest of it though. Some malware is polymorphic, and changes its code with each iteration to obfuscate it from anti-malware scanners. It should still be detectable though, either because parts of the code must remain constant for it to work, or because of what it tries to do.
The latter should be picked up by behavioural or heuristic scanning.
If I was purchasing stuff I would buy SpyBot and/or A-Squared. Wormguard is a bit too specialist, although ideal for some of my clients.
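As an added illustration of the string and behaviour heuristics in the WormGuard report quoted earlier and of the behavioural/heuristic scanning described in this post, here is a small scanner written for this thread; it is not WormGuard's code or anyone else's, the rule sets, scoring and report shape are my own assumptions, and the sample script is a constructed, harmless stand-in that is never executed.

```python
import re

# Constructed, harmless VBScript-like sample showing the traits WormGuard
# flagged in the thread: it "sends email", "writes data to file(s)" and
# contains the strings "infect" and "virus". It is never executed.
SAMPLE_SCRIPT = """\
Set mail = CreateObject("Outlook.Application")
mail.Send
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile("infect.log", True)
f.WriteLine "virus test"
"""

# Assumed rule sets (not WormGuard's real rules): strings are matched
# case-insensitively per line; behaviour regexes map to a description.
SUSPICIOUS_STRINGS = ("infect", "virus")
BEHAVIOUR_RULES = {
    r"Outlook\.Application|\.Send\b": "Sends email.",
    r"CreateTextFile|OpenTextFile|WriteLine": "Writes data to file(s).",
}

def scan_script(text):
    """Return (strings_hit, behaviours_hit): what the script contains
    (string, line_number) and what it appears to do (rule descriptions)."""
    strings_hit = []
    for lineno, line in enumerate(text.splitlines(), 1):
        low = line.lower()
        strings_hit += [(s, lineno) for s in SUSPICIOUS_STRINGS if s in low]
    behaviours_hit = [desc for pat, desc in BEHAVIOUR_RULES.items()
                      if re.search(pat, text)]
    return strings_hit, behaviours_hit

def risk_level(strings_hit, behaviours_hit):
    """Assumed scoring: one point per distinct string, two per behaviour."""
    score = len({s for s, _ in strings_hit}) + 2 * len(behaviours_hit)
    if score >= 5:
        return "MAXIMUM"
    return "HIGH" if score >= 3 else "LOW" if score >= 1 else "NONE"

def report(text):
    """Render the findings in the shape of the report quoted in the thread."""
    strings_hit, behaviours_hit = scan_script(text)
    out = ["Risk Assessment: " + risk_level(strings_hit, behaviours_hit)]
    out += ["*> Contains suspicious string: %s (LINE=%d)" % h for h in strings_hit]
    out += ["> " + b for b in behaviours_hit]
    return "\n".join(out)

print(report(SAMPLE_SCRIPT))
```

The behaviour rules catch what the script tries to do even when the literal strings are renamed, which is the point made above about polymorphic samples still being detectable.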
-
There's a good explanation of this at...
-
Thanks, phoe - that's a very nice write-up!
I just submitted the "thing" to VirusTotal, and there's still (after how many months now???) AV software that doesn't pick it up... And yes, Panda is one of the ones that doesn't pick it up...
-