toughbunny Posted October 8, 2014

Hi all, I was reading through xkcd and came across this comic. It seemed like a good idea, and I was wondering if something like that might be possible, and if so, how. I would need specifics, like how to set up connections. Thanks!

toughbunny (Author) Posted October 8, 2014

Hi, I just realized that the image doesn't show up if you are not logged in. Here it is again, hopefully. I hope this works!
cooper Posted October 8, 2014

For argument's sake, let's assume you really do want this.

You'd take a somewhat impressive machine (at least in terms of RAM), place it on a separate subnet and firewall the HELL out of it. Maybe a small amount of http/https/dns and of course the POP3/IMAP connection to ONLY the intended receiving mail server can come out, but aside from that it's inbound traffic ONLY.

Then, using some sort of virtual machine software (vmware, virtualbox, bochs, whatever), you create several virtual machines that start out from the same OS base image, which would simply be a standard install of some OS. At this stage already, you can go wild with having old base-install CentOS, Windows, Free/Open/NetBSD images as starting points for these nodes. You'd designate one node as the mail reception node, which would be able to acquire the crap you want to accumulate. You'd probably want a dedicated mail address for this as well...

All nodes would get their own unique IP within the VM's subnet (typically the VM software emulates a DHCP server for the nodes and just randomly assigns IPs. Don't use 'bridging' network, otherwise each node will try to get an external IP address from the main network), which should also allow all of them to talk to one another. Get the main node to simply save all email attachments to a shared folder / exported samba/ftp directory and have the other nodes map that folder to a local drive letter. Then create a (power)shell script that would randomly select a file in that folder every... 30 minutes, and just run it. On the main machine, you'd have a process running that would randomly drop, wipe and recreate a node once per day or something.

The only problem you'd have is visualising the infections running rampant on the machines. You'd only access the machine via direct connection, so you could, on the main machine, display the screen of any node and interact with the desktop to see what's up, but antivirus will either prevent you from achieving your goal (since it will prevent or remove any infection), or get disabled by the virus in an effort to protect itself.

The only value for this would be to do forensics on the machine, but for that you'd only want 1 infection on a machine that is in an otherwise completely known state, so you can really see what that virus does and how it does it.
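The host-side scheduler cooper sketches (pick a random attachment from the shared folder, run it on a node, and once a day wipe a node back to a clean image) written out as an added example. This is not code from the thread or from any product mentioned in it. It assumes VirtualBox as the hypervisor with `VBoxManage` on the PATH, that every node VM has a clean snapshot named `base`, that the attachment share is mapped in the guest as drive `Z:`, and that a guest account exists for `guestcontrol`; all of those names are placeholders. One design change from the post: rather than a script inside each node, the host launches the sample through guest control, so the clean snapshot never has to contain the runner itself. The 30-minute and 24-hour intervals are the post's own numbers.

```python
"""Host-side orchestrator for the 'malware fish tank' described in the post.

Assumptions (not from the original thread): VirtualBox hypervisor, a snapshot
called "base" on every node, the attachment share visible in the guest as Z:,
and a guest user/password usable by `VBoxManage guestcontrol`.
"""
import hashlib
import random
import subprocess
import time
from pathlib import Path

VBOXMANAGE = "VBoxManage"      # assumed to be on PATH
GUEST_SHARE = "Z:\\"           # assumed drive letter of the mapped share inside the guest
TICK_SECONDS = 30 * 60         # run one sample every 30 minutes (from the post)
RECYCLE_SECONDS = 24 * 3600    # wipe/recreate one node once per day (from the post)


def pick_sample(folder, rng=random):
    """Return a random regular file from the attachment share, or None if it is empty."""
    files = sorted(p for p in Path(folder).iterdir() if p.is_file())
    return rng.choice(files) if files else None


def sha256_of(path):
    """Hash the sample before it runs, so the log identifies what was detonated."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def detonate_cmd(vm, sample_name, user, password):
    """argv that starts the sample inside the guest via VirtualBox guest control."""
    return [VBOXMANAGE, "guestcontrol", vm, "run",
            "--exe", GUEST_SHARE + sample_name,
            "--username", user, "--password", password]


def recycle_cmds(vm, snapshot="base"):
    """argv sequence that throws away a node's state and restarts it from the clean snapshot."""
    return [
        [VBOXMANAGE, "controlvm", vm, "poweroff"],
        [VBOXMANAGE, "snapshot", vm, "restore", snapshot],
        [VBOXMANAGE, "startvm", vm, "--type", "headless"],
    ]


def run_cycle(nodes, share, user, password, state,
              rng=random, run=subprocess.run, now=time.time):
    """One scheduler tick.

    Detonates one random sample on one random node and, if a day has passed
    since the last recycle, restores a random node to its snapshot.  `state`
    carries `last_recycle` between ticks.  `run` and `now` are injectable so
    the logic can be exercised without a hypervisor.  Returns a log record.
    """
    record = {"time": now(), "detonated": None, "recycled": None}

    sample = pick_sample(share, rng)
    if sample is not None:
        vm = rng.choice(nodes)
        record["detonated"] = {"vm": vm, "sample": sample.name,
                               "sha256": sha256_of(sample)}
        run(detonate_cmd(vm, sample.name, user, password), check=False)

    if record["time"] - state.get("last_recycle", 0) >= RECYCLE_SECONDS:
        vm = rng.choice(nodes)
        for cmd in recycle_cmds(vm):
            run(cmd, check=False)
        state["last_recycle"] = record["time"]
        record["recycled"] = vm

    return record


if __name__ == "__main__":
    # Placeholder node names, share path and guest credentials.
    NODES = ["zoo-win7", "zoo-centos6", "zoo-freebsd"]
    st = {}
    while True:
        print(run_cycle(NODES, "/srv/zoo/attachments", "lab", "lab", st))
        time.sleep(TICK_SECONDS)
```

Nothing in this script does the network isolation; that stays in the host firewall and the host-only network the post describes. Keep the hashed log on the host, not on the share, since a sample that spreads to the share can overwrite anything the nodes can write.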
barry99705 Posted October 8, 2014

I think I read on hackaday that someone has done this. Yep, here it is. http://wecan.hasthe.technology/

overwraith Posted October 9, 2014 (edited)

I have heard about the proverbial fish tank, sometimes called honeypots, etc. AV people will set up computers like this to collect malware. They use specialized software that allows them to roll back the computer at any point, and allows them to document API calls, registry keys, executables, files, etc.

Edited October 9, 2014 by overwraith

Ftb Posted October 13, 2014

Sounds a bit like FireEye. http://www.fireeye.com/products-and-solutions/