
Virus Fish Tank


toughbunny


For argument's sake, let's assume you really do want this.

You'd take a somewhat impressive machine, at least in terms of RAM, place it on a separate subnet and firewall the HELL out of it. Maybe a small amount of http/https/dns and of course the POP3/IMAP connection to ONLY the intended receiving mail server can come out, but aside from that it's inbound traffic ONLY.

Then, using some sort of virtual machine software (vmware, virtualbox, bochs, whatever), you create several virtual machines that start out from the same OS base image which would simply be a standard install of some OS. At this stage already, you can go wild with having old base-install CentOS, Windows, Free/Open/NetBSD images as starting points for these nodes. You'd designate one node as the mail reception node which would be able to acquire the crap you want to accumulate. You'd probably want a dedicated mail address for this as well...

All nodes would get their own unique IP within the vm's subnet (typically the vm software emulates a dhcp server for the nodes and just randomly assigns IPs. Don't use 'bridging' network, otherwise each node will try to get an external IP address from the main network), which should also allow all of them to talk to one another. Get the main node to simply save all email attachments to a shared folder / exported samba/ftp directory and have the other nodes map that folder to a local drive letter. Then create a (power)shell script that would randomly select a file in that folder every... 30 minutes, and just run it.

On the main machine, you'd have a process running that would randomly drop, wipe and recreate a node once per day or something.

The only problem you'd have is visualising the infections running rampant on the machines. You'd only access the machine via direct connection, so you could, on the main machine, display the screen of any node and interact with the desktop to see what's up, but antivirus will either prevent you from achieving your goal (since it will prevent or remove any infection), or get disabled by the virus in an effort to protect itself.

The only value for this would be to do forensics on the machine, but for that you'd only want 1 infection on a machine that is in an otherwise completely known state so you can really see what that virus does and how it does it.
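
The daily drop/wipe/recreate step described in the post above, as an added example that is not part of the original post. It assumes VirtualBox and that every node has a snapshot of its clean base install; the VM names and the snapshot name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): revert one randomly chosen node to its
# clean base snapshot. VM names and the snapshot name are hypothetical.
NODES="${NODES:-tank-centos tank-windows tank-netbsd}"
SNAPSHOT="${SNAPSHOT:-clean-base}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the VBoxManage commands

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Print one node name chosen at random from $NODES; fail if the list is empty.
pick_node() {
    # shellcheck disable=SC2086
    printf '%s\n' $NODES | awk '
        BEGIN { srand() }
        NF    { a[++n] = $0 }
        END   { if (!n) exit 1; print a[int(rand() * n) + 1] }'
}

# Power off, revert to the clean snapshot, and boot headless again.
recycle_node() {
    node="$1"
    # poweroff fails when the VM is already stopped; that is acceptable here.
    run VBoxManage controlvm "$node" poweroff || true
    # If the revert fails, do not boot a node that may still be infected.
    run VBoxManage snapshot "$node" restore "$SNAPSHOT" || return 1
    run VBoxManage startvm "$node" --type headless
}

recycle_random_node() {
    node=$(pick_node) || { echo "no nodes configured" >&2; return 1; }
    recycle_node "$node"
}

# From a daily cron job on the host: DRY_RUN=0 RECYCLE_NOW=1 sh recycle.sh
if [ "${RECYCLE_NOW:-0}" = 1 ]; then
    recycle_random_node
fi
```

With the default `DRY_RUN=1` the script only prints the commands it would run, which makes it easy to check the node list before letting it touch real VMs.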


I have heard about the proverbial fish tank, sometimes called honeypots, etc. AV people will set up computers like this to collect malware. They use specialized software that allows them to roll back the computer at any point, and allows them to document API calls, registry keys, executables, files, etc.

Edited by overwraith
