Author Topic: Using Linux  (Read 6413 times)

0 Members and 1 Guest are viewing this topic.

July 14, 2008, 10:22:06 pm
Read 6413 times

bookmarc

  • Jr. Member

  • Offline
  • **

  • 18
I use a Linux computer to look at the potential malware sites we find on my system. I am admittedly not very technical and I would like to know if there is a downside to this strategy. So far, it seems to work fairly well, but I am just wondering if it is the thing to do.

July 14, 2008, 10:51:56 pm
Reply #1

tjs

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 248
AFAIK all the issues you're going to run into will be browser related.

Sometimes malicious sites will behave differently based on your browsers UserAgent. If you are using Firefox, there are some great plugins that let you spoof the user agent in order to make malware sites think you're coming in via IE on a windows box. Further, some malware sites will try to exploit ActiveX or other 'IE-Only' functionality which you'll have a hard time working through without an actual machine to infect.

A mitigation to these issues is to actually run an instance of Windows as a guest to your linux host using virtual machine technology (ex. VMware, Bochs, QEMU, VirtualBox, etc). Ideally you will install your virtual machine, install all your analysis tools, patches, etc and take a snapshot or backup. You will revert back to this backup (also known as you 'clean state') after each case. You need to be careful with your network configuration though-- the machine will need internet access and thus will have to be on your network. I suggest that you configure your firewall to prevent this system from talking to any other machine on the network (you can firewall machines or put it on a seperate subnet..)  On the subject of networking, you should never leave a case open-- if you need to take a break, either use state suspend feature or turn the virtual machine off and try again when you have more time. If you get owned, you don't want to let the "bad guys" use your network resources.

The advantage to having a windows guest on a linux box is to try and mitigate against an unlikely scenario where some 0day will be vm aware, notice that you're using vmware (for example) and use a 0day vmware exploit to gain remote code execution rights on the host which it will then infect. People constantly talk about this scenario, but i'm yet to find a single sample that attempts this. The closest i've gotten is malware that will behave very differently on virtual machines in order to thwart analysis.

The very last point i'd like to make is analysis tools. Most malware today is written for win32. Most analysis tools (disassemblers, debuggers, memory dumpers, packer detection, etc etc) run in windows only... So you may want a windows box to do analysis if you intend on doing more than just collecting the stuff. I suggest you create another snapshot or virtual machine profile for analysis. Ideally your analysis machine will not be network-enabled at all (you can always drag/drop or copy paste files in and out of guest machines).

TJS

DISCLAIMER: This is just my personal advice on how to set up a slightly more secure malware collection/analysis environment than the one you have today. Don't blame me if you get owned or if anything bad happens to you. You really shouldn't play around with this stuff.. No one should.

July 15, 2008, 12:06:10 am
Reply #2

bookmarc

  • Jr. Member

  • Offline
  • **

  • 18
I work for a very big organization and I do not really have to do all of the work when it comes to malware. I guess I am really more the canary in the mine. I see this stuff and pass it on to the techs. I have the capability of installing windows on my Linux computer, but I am not sure that I need to. I guess I am more concerned about the potential vulnerability of my Linux computer. I am particularly concerned about the browser and what can be done to corrupt it.

July 15, 2008, 05:51:32 am
Reply #3

tjs

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 248
Contrary to popular belief, malware exists for linux too. The 'rootkit' phenomenon was actually born on posix-based systems. I suggest that you do all your malware experiments in a virtual machine-- at least you will be able to contain them if sh!t really hits the fan.

Check out my post on virtualbox:
http://www.malwaredomainlist.com/forums/index.php?topic=1864.0

It's free and somewhat open source.