I caught something fun in the wild on one of the servers that I manage. I haven’t had time to dissect it, but, I’ve saved a copy of it should anyone want to mess around with it.
It’s a php-based malware (which was easy to spot when the servers run perl code), so, it’s base64_encodes from here and back, but, it’s up for the taking if anyone wants it – just fire me an email and I’ll send it your way.
We should probably have a discussion on how to analyze malware before we just post it somewhere. Dave, does the network have a malware segment still? What we basically need is one that does not have a normal connection to the outside world but one that is closely monitored. For instance, the malware runs, a DNS request happens but it is blocked by the firewall. The reviewer looks at the request and deems it OK, then allows that one request to go through; next it's a TCP connection, and the process repeats.
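Added example (mine, not from anyone in this thread): a small helper for the default-deny, reviewed-egress workflow described above. It assumes a Linux box between the sandbox VM and the upstream, with a FORWARD policy of DROP and a catch-all LOG rule; the interface names (eth1 = sandbox side, eth0 = upstream), the `MALNET-DROP:` log prefix and the log lines themselves are all assumptions/constructed for the example. It parses the iptables LOG lines, collapses them into unique blocked flows for the reviewer to look at, and emits the insert/delete pair for letting exactly one approved flow start.

```python
"""Reviewed egress for a malware lab segment (example, not from the thread).

Assumed layout: the sandbox VM sits behind eth1 on a Linux gateway whose
FORWARD chain drops and logs everything by default. The reviewer reads the
blocked flows, approves one, and gets the iptables command to let just that
flow begin plus the command to revoke it afterwards.
"""
import re
from dataclasses import dataclass
from typing import Optional

LOG_PREFIX = "MALNET-DROP:"      # assumed --log-prefix on the catch-all LOG rule
LAB_IF, WAN_IF = "eth1", "eth0"  # assumed: eth1 faces the sandbox, eth0 the upstream

# Field layout of a kernel iptables LOG line (SPT/DPT absent for e.g. ICMP).
_FIELDS = re.compile(
    r"IN=(?P<inif>\S*) OUT=(?P<outif>\S*).*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample log lines for this example; not real captures.
SAMPLE_LOG = """\
kernel: MALNET-DROP: IN=eth1 OUT=eth0 SRC=10.66.0.20 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=40211 DPT=53 LEN=40
kernel: MALNET-DROP: IN=eth1 OUT=eth0 SRC=10.66.0.20 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=40211 DPT=53 LEN=40
kernel: MALNET-DROP: IN=eth1 OUT=eth0 SRC=10.66.0.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: MALNET-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.66.0.20 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=9 PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
sshd[812]: Accepted publickey for reviewer from 10.0.0.5 port 50122 ssh2
"""


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int]   # None for protocols without ports (ICMP etc.)
    hits: int = 1

    def key(self):
        return (self.proto, self.src, self.dst, self.dport)


def baseline_rules():
    """Rules that make the segment default-deny but still usable once a flow
    is approved: return traffic of an approved connection is allowed
    statefully, everything else is logged and dropped."""
    return [
        "iptables -P FORWARD DROP",
        f"iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {LAB_IF} -j LOG --log-prefix '{LOG_PREFIX} '",
        f"iptables -A FORWARD -i {LAB_IF} -j DROP",
    ]


def parse_line(line):
    """Return a Flow for a dropped sandbox->upstream packet, else None."""
    if LOG_PREFIX not in line:
        return None
    m = _FIELDS.search(line)
    if not m or m["inif"] != LAB_IF or m["outif"] != WAN_IF:
        return None            # inbound noise or unrelated log line
    dport = int(m["dpt"]) if m["dpt"] else None
    return Flow(m["proto"], m["src"], m["dst"], dport)


def pending_flows(lines):
    """Unique blocked flows in first-seen order, each with a hit count, so the
    reviewer sees 'DNS to X, twice' rather than every retransmit."""
    seen = {}
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        if f.key() in seen:
            seen[f.key()].hits += 1
        else:
            seen[f.key()] = f
    return list(seen.values())


def allow_once(flow):
    """Commands to let exactly this flow start and then to revoke the allowance.
    Run the first, watch the connection happen (the ESTABLISHED rule carries
    the replies), then run the second so the hole does not stay open for the
    malware's next beacon."""
    spec = (f"FORWARD -i {LAB_IF} -o {WAN_IF} -p {flow.proto.lower()}"
            f" -s {flow.src} -d {flow.dst}")
    if flow.dport is not None:
        spec += f" --dport {flow.dport}"
    spec += " -m conntrack --ctstate NEW -j ACCEPT"
    return f"iptables -I {spec}", f"iptables -D {spec}"


if __name__ == "__main__":
    for f in pending_flows(SAMPLE_LOG.splitlines()):
        print(f"{f.hits}x {f.proto} {f.src} -> {f.dst}:{f.dport}")
    insert_cmd, delete_cmd = allow_once(pending_flows(SAMPLE_LOG.splitlines())[0])
    print(insert_cmd)
    print(delete_cmd)
```

Approving the DNS flow first and then watching what TCP connection appears next in the log is the loop the post describes; the review step is still a human reading the pending list, the script only keeps the list short and the rules precise.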
I know we don’t have a VM for auditing malware…yet. This could be a good excuse to set one up. Do we want to get together at some date/time to build this out?
I’d love to get together to build something like this out. It’s currently running inside a VMWare fusion container on my MacBook with no network connections at all, but, I think there’s a great opportunity to build a simple environment to play around with these things at the hive in a safe manner.
If we are taking requests for stuff to put on a lab segment, I'd like to recommend a stock consumer wifi device (like the venerable Linksys WRT54G) so people with wifi-related shenanigans can do them in an environment that is a) likely to work, and b) not likely to interfere with a "real" wifi network.