I caught something fun in the wild on one of the servers that I manage. I haven’t had time to dissect it, but I’ve saved a copy of it should anyone want to mess around with it.
It’s PHP-based malware (which was easy to spot when the servers run Perl code), so it’s base64_encodes from here and back, but it’s up for the taking if anyone wants it; just fire me an email and I’ll send it your way.
I’d be curious to see it and compare it to some of the live malware I’ve caught. Mine was PHP too. We can exchange germs, perhaps?
Add it to the capture the flag lab.
We should probably have a discussion on how to analyze malware before we just post it somewhere. Dave, does the network still have a malware segment? What we basically need is one that does not have a normal connection to the outside world but one that is closely monitored. For instance, the malware runs, a DNS request happens but is blocked by the firewall. The reviewer looks at the request, deems it OK, then allows that one request through; next it’s a TCP connection, and the process repeats.
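One way to build the gated segment described above, as an added example that is not the thread's own configuration: an nftables ruleset that drops everything leaving the lab VLAN except flows an analyst has explicitly added to an approval set, and logs every blocked attempt so the reviewer can read what the sample tried. The interface names, the 10.66.0.0/24 lab subnet and the resolver address in the usage note are assumptions.

```nft
# Added example, not the thread's own config: nftables ruleset for a
# monitored malware-lab segment. Assumptions: lab VLAN 10.66.0.0/24 on
# interface "lab0" with static addressing, uplink on "wan0".
table inet lab {
    # Destinations a reviewer has approved. Empty on load, so nothing leaves
    # the lab until an analyst adds an entry; the timeout flag lets each
    # approval cover one session rather than the rest of the day.
    set approved_udp {
        type ipv4_addr . inet_service
        flags timeout
    }
    set approved_tcp {
        type ipv4_addr . inet_service
        flags timeout
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to flows that were already allowed out.
        ct state established,related accept
        # Lab hosts reach only the uplink, never the rest of the LAN.
        iifname "lab0" oifname != "wan0" log prefix "LAB-LATERAL " drop
        # Exactly the (destination, port) pairs an analyst approved.
        iifname "lab0" oifname "wan0" ip daddr . udp dport @approved_udp \
            log prefix "LAB-ALLOW " accept
        iifname "lab0" oifname "wan0" ip daddr . tcp dport @approved_tcp \
            log prefix "LAB-ALLOW " accept
        # Everything else (the DNS query, the first TCP SYN) is logged so the
        # reviewer can see what the sample tried; the chain policy drops it.
        iifname "lab0" oifname "wan0" limit rate 10/second log prefix "LAB-BLOCK "
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # The gateway itself is off limits to lab hosts too.
        iifname "lab0" ct state new log prefix "LAB-GATEWAY " drop
    }
}

table ip labnat {
    chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr 10.66.0.0/24 oifname "wan0" masquerade
    }
}
```

The review step is then done by hand: after reading a `LAB-BLOCK` line showing, say, a query to a constructed resolver address 192.0.2.53, the analyst lets that one query out for five minutes with `nft add element inet lab approved_udp { 192.0.2.53 . 53 timeout 5m }`, and the next blocked line (typically the TCP connect) gets the same treatment via `approved_tcp`.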
I know we don’t have a VM for auditing malware…yet. This could be a good excuse to set one up. Do we want to get together at some date/time to build this out?
I’d love to get together to build something like this out. It’s currently running inside a VMware Fusion container on my MacBook with no network connections at all, but I think there’s a great opportunity to build a simple environment to play around with these things at the hive in a safe manner.
My memory may not be accurate, but was this not the purpose behind the hacklab_hostile access point that Chris Anderson set up?
Yes, the hostile network was designed for this, but I don’t know if it survived the network restructuring.
OK, so xkcd can be really funny sometimes.
If we are taking requests for stuff to put on a lab segment, I’d like to recommend a stock consumer wifi device (like the venerable Linksys WRT54G) so people with wifi-related shenanigans can do them in an environment that is a) likely to work, and b) not likely to interfere with a “real” wifi network.
I would be happy to join the effort and talk about analyzing malware. I do that every day.
I’d be game to come out and play with this kind of stuff as well if we have a time and day planned?!?!