Virus hunter

In order to test some security gear, I'm in the process of collecting samples of worms and viruses... which isn't as easy as you might think. It's simple enough to put an unprotected Windows XP system live on the 'net for a few minutes to catch any number of bugs, but to be able to handle them properly, they need to be distilled back into their transmitted form, which is easily done with Ethereal. Email-borne cr

In order to test some security gear, I'm in the process of collecting samples of worms and viruses... which isn't as easy as you might think. It's simple enough to put an unprotected Windows XP system live on the 'net for a few minutes to catch any number of bugs, but to be able to handle them properly, they need to be distilled back into their transmitted form, which is easily done with Ethereal.

Email-borne critters are a bit of a different story. In order to catch a few of these, I altered my MIMEDefang filter to quarantine any discovered viruses in email, which results in the message being dumped in the MD-Quarantine folder. In order to turn the base64-encoded files into a regular executable or zipfile, it's simplest to use openssl: openssl enc -d -base64 -in ./ENTIRE_MESSAGE -out ./test.zip.

Peeling out these files from a TCP stream is slightly more difficult, as you have to find the conversation that actually contains the bug, which could be a TFTP, FTP, or HTTP transaction, and using the "Follow TCP Stream" functions in Ethereal, decode the stream as raw and save it to a file.

Oh, and that unprotected Windows XP system I left out as a honeypot? It took all of 30 seconds to get hit, and about 5 minutes to catch three different viruses and two bot control programs.

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.
Related:
From CIO: 8 Free Online Courses to Grow Your Tech Skills
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.