The Deep End | Paul Venezia » Virus hunter

May 03, 2006 | Comments: (0)

Virus hunter

TAGS: Networks, Systems

In order to test some security gear, I'm in the process of collecting samples of worms and viruses... which isn't as easy as you might think. It's simple enough to put an unprotected Windows XP system live on the 'net for a few minutes to catch any number of bugs, but to be able to handle them properly, they need to be distilled back into their transmitted form, which is easily done with Ethereal.

Email-borne critters are a bit of a different story. In order to catch a few of these, I altered my MIMEDefang filter to quarantine any discovered viruses in email, which results in the message being dumped in the MD-Quarantine folder. In order to turn the base64-encoded files into a regular executable or zipfile, it's simplest to use openssl: openssl enc -d -base64 -in ./ENTIRE_MESSAGE -out ./test.zip.

Peeling out these files from a TCP stream is slightly more difficult, as you have to find the conversation that actually contains the bug, which could be a TFTP, FTP, or HTTP transaction, and using the "Follow TCP Stream" functions in Ethereal, decode the stream as raw and save it to a file.

Oh, and that unprotected Windows XP system I left out as a honeypot? It took all of 30 seconds to get hit, and about 5 minutes to catch three different viruses and two bot control programs.

Posted by Paul Venezia on May 3, 2006 07:54 PM

RATE THIS ARTICLE: