snaphat (Myles Landwehr), Member, posted December 30, 2013

> I know flame used to spread via windows update...

Yeah, that was a method of propagation once installed within a network. The initial/primary infections are done via USB. Remember, these were supposedly state sponsored malware designed to sabotage systems that aren't connected to the Internet.
snaphat (Myles Landwehr), Member, posted December 30, 2013

> I do have an extra computer, but its OS is messed up. Not by viruses, but by my mom closing it when it was installing. Anyone know how to fix this with a Win XP ISO and a USB?

Start a new thread if you want help with that (and be more detailed in your description) so as not to completely derail the topic here.
Dick Montage, posted December 30, 2013

The more I read, the more I feel that you shouldn't be offering such information as you are still very much learning yourself. You don't even have a properly set up dedicated testing environment, so what do you feel puts you in the position to be the person to impart advice, when you clearly have areas you don't yet understand? This isn't meant negatively; I genuinely am worried that you will lead someone into a false sense of security with half-tested theories.
XerXis, posted December 30, 2013

I thought stuxnet had a time bomb in it anyway. You'll have to turn back the time on your VMs ;)
snaphat (Myles Landwehr), Member, posted December 30, 2013

> The more I read, the more I feel that you shouldn't be offering such information as you are still very much learning yourself. You don't even have a properly set up dedicated testing environment, so what do you feel puts you in the position to be the person to impart advice, when you clearly have areas you don't yet understand? This isn't meant negatively; I genuinely am worried that you will lead someone into a false sense of security with half-tested theories.

I feel he is likely to infect himself because he still doesn't appear to have the foggiest how these actually spread. Tell him over the network and he says he didn't know; tell him USB and he counters with them spreading over the network. It's bizarre to say the least, considering this is the most basic and readily available information about these...
goretsky, Supervisor, posted December 31, 2013

Hello,

If you are serious about learning how to work with malicious software, let me provide you with three resources to help you on that path:

The SANS Institute. They provide a lot of information on their web site about computer security, and even offer courses in how to analyze malware.

The Reverse Engineering Stack Exchange, where you will find some very helpful discussions.

The Reverse Engineering Subreddit on Reddit. Like Stack Exchange, lots of good discussions there.

Look through popular message threads and read some messages before you start asking questions. While none of the sites are filled with particularly curmudgeonly people, many questions asked by new people have already been answered and archived in stickied posts, FAQs and the like.

With a little luck, and a lot of hard work on your part, you may one day be able to work at a computer security company, or even start your own.

Regards,

Aryeh Goretsky
+Warwagon, MVC, posted December 31, 2013

> So do you use dedicated external hardware to record your videos? Because I would highly recommend that to the OP... The moment you plug in a flash drive to copy off the video, that flash drive is potentially compromised.

Well you could always boot into a Bart PE environment or a Linux live environment and grab the video, assuming the video itself is not infected.

I've heard of some cases of malware that can escape a VM by knowing they are running in a VM and exploiting bugs in the virtual machine software. One time I saw a video on YouTube where a guy double clicked an exe inside a virtual machine and mspaint opened up outside the VM.

If you STILL want to release malware inside a VM running on your machine, I would first start by making sure you can NOT ping any of the IP addresses on your network. I would also make sure you cannot connect to the network shares. Also make sure your router is not set up with the default password. We don't want the malware logging into your router and configuring stuff. I would also make sure UPnP is disabled in your router. Otherwise malware running in the VM could start opening ports on your router.

So to summarize:

1) Make sure you can't ping the IPs of machines on your local network from inside the VM
2) Make sure you cannot access local shares of machines on your network (which shouldn't be possible if you can't ping them)
3) Make sure your router is not using the default password
4) Make sure UPnP is disabled in your router.

If you need help with any of the 4 things listed above, you probably shouldn't be doing this.
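The isolation checks in the post above (no ping to LAN hosts, no reachable file shares, no UPnP device answering from the guest) can be run as a script from inside the analysis VM before anything is detonated. This is an added example and not code from the thread or from any project mentioned in it; the LAN addresses are constructed placeholders to replace with your own lab network, and the probe functions are injectable so the reporting logic can be exercised without a network. The default-password check for the router is not automated here, since that is a matter of logging in and looking.

```python
"""Pre-detonation isolation check, run from inside the analysis guest.

Findings are returned rather than only printed so the logic can be tested
with fake probes. Real probes: OS ping binary (works on Windows and Linux
guests without raw-socket rights), TCP connect to SMB ports, and one SSDP
M-SEARCH to the UPnP multicast group."""
import platform
import socket
import subprocess

LAN_HOSTS = ["192.168.1.1", "192.168.1.10"]  # constructed placeholders
SHARE_PORTS = (445, 139)                      # SMB over TCP / NetBIOS session
SSDP_GROUP = ("239.255.255.250", 1900)        # standard UPnP discovery address


def ping(host, timeout_s=1):
    """True if a single ICMP echo gets a reply (False on timeout or no ping binary)."""
    win = platform.system() == "Windows"
    # Windows: -n count, -w timeout in ms; Linux/BSD: -c count, -W timeout in s
    args = ["ping", "-n" if win else "-c", "1",
            "-w" if win else "-W", str(timeout_s * 1000 if win else timeout_s), host]
    try:
        return subprocess.run(args, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout_s + 2).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def tcp_open(host, port, timeout_s=1):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def ssdp_responders(timeout_s=2):
    """Return the set of addresses that answer an SSDP M-SEARCH; any answer
    means a UPnP device (typically the router) is reachable from the guest."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           "MAN: \"ssdp:discover\"\r\nMX: 1\r\nST: ssdp:all\r\n\r\n").encode()
    found = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout_s)
        try:
            s.sendto(msg, SSDP_GROUP)
            while True:                      # collect replies until the socket times out
                _, addr = s.recvfrom(2048)
                found.add(addr[0])
        except OSError:                      # socket.timeout is an OSError subclass
            pass
    return found


def isolation_findings(hosts, ping_fn=ping, tcp_fn=tcp_open, ssdp_fn=ssdp_responders):
    """List of findings; an empty list means nothing checked was reachable."""
    findings = []
    for h in hosts:
        if ping_fn(h):
            findings.append(f"ping reply from {h}: guest can reach the LAN")
        for p in SHARE_PORTS:
            if tcp_fn(h, p):
                findings.append(f"TCP {p} open on {h}: file shares reachable")
    for dev in sorted(ssdp_fn()):
        findings.append(f"UPnP/SSDP responder at {dev}: router may accept port mappings")
    return findings


if __name__ == "__main__":
    results = isolation_findings(LAN_HOSTS)
    for line in results or ["no LAN host, share or UPnP device reachable from this guest"]:
        print(line)
```

An empty result is necessary but not sufficient: it only shows the hosts you listed are unreachable at the moment you ran it, so it complements, rather than replaces, a host-only or internal-only virtual network on the hypervisor side.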
CryptoHAX0R, Author, posted December 31, 2013

> Well you could always boot into a Bart PE environment or a Linux live environment and grab the video, assuming the video itself is not infected.
>
> I've heard of some cases of malware that can escape a VM by knowing they are running in a VM and exploiting bugs in the virtual machine software. One time I saw a video on YouTube where a guy double clicked an exe inside a virtual machine and mspaint opened up outside the VM.
>
> If you STILL want to release malware inside a VM running on your machine, I would first start by making sure you can NOT ping any of the IP addresses on your network. I would also make sure you cannot connect to the network shares. Also make sure your router is not set up with the default password. We don't want the malware logging into your router and configuring stuff. I would also make sure UPnP is disabled in your router. Otherwise malware running in the VM could start opening ports on your router.
>
> So to summarize:
> 1) Make sure you can't ping the IPs of machines on your local network from inside the VM
> 2) Make sure you cannot access local shares of machines on your network (which shouldn't be possible if you can't ping them)
> 3) Make sure your router is not using the default password
> 4) Make sure UPnP is disabled in your router.
>
> If you need help with any of the 4 things listed above, you probably shouldn't be doing this.

Hey. I got an extra computer, and a WIN XP ISO. Will that make this safer?
snaphat (Myles Landwehr), Member, posted December 31, 2013

> Hey. I got an extra computer, and a WIN XP ISO. Will that make this safer?

Why would having an extra computer on the same network or an ISO make this in any way safer? :dontgetit:
riahc3, posted December 31, 2013

Hello,

I see next year's first topic: "Help! I hax myself and my files and they are all encrypted"

Sorry, but like someone said: if you truly do not know how the network stacks work with the viruses you are trying to show, I recommend you do not play around with this.
+John Teacake, MVC, posted January 1, 2014

Try it and let us know how you get on. Setting your network card to NAT mode is the least of your worries. You don't know the attack vectors. A lot of these have subroutines to pick up if they are in a VM and will sometimes kill themselves off if they think they are being sandboxed.
Torolol, posted January 1, 2014

I believe Mark Russinovich already made videos about Stuxnet, just a few years ago. The stuxnet was in a VM. But I don't remember whether he opened the NAT connection between guest and host.
Arachno 1D, posted January 1, 2014

> I know flame used to spread via windows update...

Don't believe everything you read. Not all of the problem can always be found, due to the nature of the beast, and 100% of the ways and what-fors behind such devices are never publicly disclosed.

> I do have an extra computer, but its OS is messed up. Not by viruses, but by my mom closing it when it was installing. Anyone know how to fix this with a Win XP ISO and a USB?

I'd suggest, given your inexperience, that you stick with the theory of how these devices are constructed and react within a system and network environment. A basic level of programming, network systems and hardware would help you understand how they are constructed and diagnosed. Maybe you should research Ethical Hacker courses at local establishments and learn from others instead of treading the same paths again and again.
Lant, posted January 3, 2014

If you want to show something useful, use the Cuckoo Sandbox to run the malware. You get a nice report out at the end of what processes were involved, what API functions were called and info on network access. Anyway, it might be worth not playing with a network enabled VM until you know for real what you are doing. Also, running these VMs on a Linux (or other) OS would be a good idea, to prevent accidental infection of your Windows host machine (if it is one).