BBC Honeypot: what happens when malware gets in your computer

[ahhaa]

The BBC set up a computer using VMware hosting XP to analyze malware attacks. Here's what happened (part of an ongoing Beeb series):

Sneakily this was an image rather than a Windows dialogue box so clicking anywhere on it, even the "cancel" button, got the download going. The download installed automatically and kicked off a tsunami of background downloading. The forensic software we had installed on the honeypot saw it connect to three or four other sites and start downloading from them - one was from a Thai hospital that was doubtless acting as an unwitting host.
The software was so sneaky that it tried to stop this traffic being seen by injecting it into the processes usually used by the Internet Explorer. We knew this was the case because IE's homepage had been set to be blank - ie when it was running there would be no net traffic.

The result of the installation was new toolbars on the IE browser, a whole list of new unwanted favourites, all web searches were hijacked and redirected plus pop-up adverts populated the desktop.

The machine was becoming unusable because it was so busy so we were forced to cut the net connection. The bogus download went into overdrive trying to get back online. The meter clocking processor usage zoomed to 100% as it desperately tried to drag more stuff into the PC. The machine became hard to shut down and we could only shut it off by pulling the virtual plug.

more at: http://news.bbc.co.uk/2/hi/technology/6035455.stm

[lordsmurf]

I did this recently myself. I installed Windows into VPC, and then made a backup copy of the hard drive file. I simply visited a certain site known to be harmful, and within 5 minutes the OS was trashed. I spent an hour trying to recover it, to no avail. The test was using WinXP Pro SP2, full MS updates, with IE6 as the browser. No other software was installed on the system. I pulled the power cable from my router, and the system went absolutely berzerk. I had to CTRL_ALT_DELETE and force VPC to close because the VPC session was eating about 99% of the CPU, and it had maxed out the allowed session RAM too.

I recently switched everybody in the family over to VPC/WindowsXP for browsing the Internet. If (or rather, WHEN!) they make a mistake, I can simply go and delete the virtual hard drive and replace it with the clean backup. Browsing is not CPU-intensive anyway, and with the speed of modern systems, it works fine.

[ahhaa]

LS- if you get the time someday, it would be great if you could do a full description of how to do the basic install of a virtual machine on a home PC. VMware is free, but they assume a level of network expertise that few of us have. There are some very interesting uses of the appliances- like running multiple WinOSs, or Linuxes, and several home control apps like smart heating thermostats, security, etc that aren't otherwise available at the consumer level...

I just tried the Scandoo interface the BBC recommended, its kinda cool: http://www.scandoo.com/

[lordsmurf]

STEP1: Download VPC2004 (free!). Then install it.
http://www.microsoft.com/downloads/details.aspx?FamilyId=6D58729D-DFA8-40BF-AFAF-20BCB...displaylang=en



STEP2: Start VPC. Click "NEW" and create a new virtual machine, using the wizard. Name it whatever, specify the OS type, adjust RAM if you want (I suggest 160-192MB minimum, 512MB if you have 1GB or more). And then I also suggest you create the new virtual hard drive on your C: drive, but OUTSIDE of the My Documents heirarchy.

STEP3: Put the Windows install CD in your computer. Your host computer (the "real" computer) can be a pest if you have autorun enabled. Anyway, start the virtual machine, and it should auto-run and install Windows.

NOTE: The virtual machine has its own BIOS, which can be a pest too, as it by default captures your floppy and CD/DVD drives for boot. After OS install, I go into the BIOS (hit DEL fast when the machine boots), and make the hard drive the only bootable device.

STEP4: Install Firefox, go do the WindizUpdate.com thing. It's easier and faster than the rigamarole via the MS site.

STEP5: Go to the toolbar on the active VPC session, and install the Virtual Machine Additions.

STEP6: Go make a backup copy of the virtual hard drive file (on the host system). I leave it as "Copy of Windows XP Hard Drive", where the original name was "Windows XP Hard Drive", in the same folder. You can call it backup or whatever. Just be sure to make one and not lose it.


I didn't like VMware as much. VPC was easier to deal with.

You can also do Linux in VPC. You can even make a blank virtual machine (don't use the hard drive file you create), and load a CD-booting distribution. Very convenient when you're trying to make guides and experiment without sacrificing the host hardware to foreign software.

I run my Virtual Machines at 1024x768 inside my 1280x960 host system. I do not like to run them fullscreen. Also do not be stupid and install the same desktop background on both machines. Confusion is not your friend.

And if you want to PM me, I'll send you a link to a site that will basically incinerate the virtual computer in a few minutes tops. Just be sure to copy the hard drive file beforehand, so you can delete the damaged one afterwards, and make a fresh copy from the backup copy.

[ahhaa]

Lordy!:] You make it sound simple!:]

Will d/l the VPC next trip to the coffeeshop hotspot!

If I get it working, I ain't about to incinerate it...

what about Com? will winmodems & all work without sweat to get a VPC machine online?

[lordsmurf]

I'm on a LAN, so I don't really know. I know that you can access COM1 and COM2, so if you have a modem located there, it may work. Modems are mentioned by the COM settings. You'll have to read around.

You also might be able to set up the Internet sharing thing on your computer, and then tell it the virtual machine is another computer. I think this is possible too. Look at the virtual machine settings, the networking options.

And the faster your computer, the better VPC will run. Also, do yourself a favor and disable unused Windows services. Find a guide on Google, there are many. Look at 3-4 of them for ideas on what to turn off. Keep a minimalist system virtualized.

[redwudz]

I went to a site a couple of years ago and a pop up wanted me to download some sort of 'helper' program. I knew better, so I went to click the 'close' button and hit 'yes' by accident.

I immediately got 17 of the worst, nastiest trojans, viruses, adware and every other type of crap imaginable. I had 2 or three browser toolbars, my home page turned into a porn site, and my CPU usage went to 100%. This all happened in about 5 seconds. One problem with a high speed connection.

I ran Spybot. It had been disabled. Same with AVG. A reboot brought nothing but popups filling the screen. I booted in safe mode and began to rip the crap out piece by piece. I finally got it all, along with a large chunk of the OS, rendering the computer unusable.

I repartitioned and reformatted and installed XP. I had saved my favorites file from IE. Immediately I got 80% of the malware back. Somehow it had installed something in my IE favorites, though nothing showed. Reformatted again and used an old favorites file. Everything gone.

I keep backups of all important files and programs, so I lost nothing.

Now I use Spybot, Spyware Blaster, Stopzilla, AVG and Protowall, along with a hardware and software firewall on that computer. And I stay away from those type of sites.

[ahhaa]

LS- I'm definitely gonna check into this, thanks! Mebbe someday there will be a Virtual Machine subcategory here!:]

Red- I look back with some nostalgia to my Vic20- it had 'immune' ROM cartridges for the software, and honestly I got my stuff done just about as fast as I do today!:]

[ahhaa]

STEP1: Download VPC2004 (free!). Then install it.
http://www.microsoft.com/downloads/details.aspx?FamilyId=6D58729D-DFA8-40BF-AFAF-20BCB...displaylang=en



STEP2: Start VPC. Click "NEW" and create a new virtual machine, using the wizard. Name it whatever, specify the OS type, adjust RAM if you want (I suggest 160-192MB minimum, 512MB if you have 1GB or more). And then I also suggest you create the new virtual hard drive on your C: drive, but OUTSIDE of the My Documents heirarchy.

STEP3: Put the Windows install CD in your computer. Your host computer (the "real" computer) can be a pest if you have autorun enabled. Anyway, start the virtual machine, and it should auto-run and install Windows.

NOTE: The virtual machine has its own BIOS, which can be a pest too, as it by default captures your floppy and CD/DVD drives for boot. After OS install, I go into the BIOS (hit DEL fast when the machine boots), and make the hard drive the only bootable device.

STEP4: Install Firefox, go do the WindizUpdate.com thing. It's easier and faster than the rigamarole via the MS site.

STEP5: Go to the toolbar on the active VPC session, and install the Virtual Machine Additions.

STEP6: Go make a backup copy of the virtual hard drive file (on the host system). I leave it as "Copy of Windows XP Hard Drive", where the original name was "Windows XP Hard Drive", in the same folder. You can call it backup or whatever. Just be sure to make one and not lose it.


I didn't like VMware as much. VPC was easier to deal with.

You can also do Linux in VPC. You can even make a blank virtual machine (don't use the hard drive file you create), and load a CD-booting distribution. Very convenient when you're trying to make guides and experiment without sacrificing the host hardware to foreign software.

I run my Virtual Machines at 1024x768 inside my 1280x960 host system. I do not like to run them fullscreen. Also do not be stupid and install the same desktop background on both machines. Confusion is not your friend.

And if you want to PM me, I'll send you a link to a site that will basically incinerate the virtual computer in a few minutes tops. Just be sure to copy the hard drive file beforehand, so you can delete the damaged one afterwards, and make a fresh copy from the backup copy.

OK I got it d/l'd; reading up on it. Did you prep the HD in any particular way?

MS's info isn't a big help, mostly reads like this statement:

Virtual PC creates a virtual machine that virtualizes the desktop's physical hardware in a virtual machine and the OS is installed in that virtual machine.

[TBoneit]

I went to a site a couple of years ago and a pop up wanted me to download some sort of 'helper' program. I knew better, so I went to click the 'close' button and hit 'yes' by accident.
Snip:

For future use you can normally find that sort of junk at the bottom of your screen along with other running programs. never click close it could be set to be "YES", just right click on the bottom and choose close. Alternatively ALT+F4 and close things out safely. Then just to be really sure depending on your paranoia level reboot the PC.

It's a jungle out there!

[lordsmurf]

ahhaa, I didn't do anything special not mentioned on the quickie guide I wrote above. When I installed Windows XP Pro into it, it sees a 16GB hard drive, and I let the Windows installer format the drive for NTFS. I did the full format, but quick probably would have worked. The drive file is not actually 16GB, btw, it's only as big as what you put in it. Mine is maybe 4GB at most. And if you make it big, then delete stuff, there are ways to compact it again.

[ahhaa]

thanks LS- btw, the free 2007 beta is now available