Virus hunter

In order to test some security gear, I'm in the process of collecting samples of worms and viruses... which isn't as easy as you might think. It's simple enough to put an unprotected Windows XP system live on the 'net for a few minutes to catch any number of bugs, but to be able to handle them properly, they need to be distilled back into their transmitted form, which is easily done with Ethereal. Email-borne cr

In order to test some security gear, I'm in the process of collecting samples of worms and viruses... which isn't as easy as you might think. It's simple enough to put an unprotected Windows XP system live on the 'net for a few minutes to catch any number of bugs, but to be able to handle them properly, they need to be distilled back into their transmitted form, which is easily done with Ethereal.

Email-borne critters are a bit of a different story. In order to catch a few of these, I altered my MIMEDefang filter to quarantine any discovered viruses in email, which results in the message being dumped in the MD-Quarantine folder. In order to turn the base64-encoded files into a regular executable or zipfile, it's simplest to use openssl: openssl enc -d -base64 -in ./ENTIRE_MESSAGE -out ./test.zip.

Peeling out these files from a TCP stream is slightly more difficult, as you have to find the conversation that actually contains the bug, which could be a TFTP, FTP, or HTTP transaction, and using the "Follow TCP Stream" functions in Ethereal, decode the stream as raw and save it to a file.

Oh, and that unprotected Windows XP system I left out as a honeypot? It took all of 30 seconds to get hit, and about 5 minutes to catch three different viruses and two bot control programs.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies