
Archive for July, 2010

I’m starting on my malware lab, but before you read on you may be interested in REMnux, a Linux distribution for reverse-engineering malware that bundles many analysis tools.

My lab will consist of two virtual hosts: one is the victim, where all the malware will be executed, and the other acts as a server offering “Internet” services to the victim. Both sit on the 192.168.10.0/24 network (server 192.168.10.1, client 192.168.10.2).

The first service I’m going to configure is DNS, and for this task I’ll use djbdns. Two years ago I started hearing about D. J. Bernstein’s DNS software, whose resolver (dnscache) already randomized query source ports and so wasn’t affected by the cache-poisoning flaw Dan Kaminsky announced (that attack targets caching resolvers; tinydns, used here, is the authoritative half of djbdns and only ever serves what is in its data file). I like security, so why not use tinydns for this task? The DNS server will be configured to answer queries for the malware.lab domain and will act as a fake root name server, so that every hostname the victim resolves points back to the lab.

You can install tinydns using aptitude, but I like to compile things 🙂 These are the steps I’ve followed.

  1. apt-get install build-essential
  2. useradd Gtinydns -s /bin/false
  3. useradd Gdnslog -s /bin/false
  4. mkdir -p /package
  5. chmod 1755 /package
  6. cd /package
  7. wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
  8. tar xvfz daemontools-0.76.tar.gz
  9. rm -f daemontools-0.76.tar.gz
  10. cd admin/daemontools-0.76/
  11. echo gcc -O2 -include /usr/include/errno.h > conf-cc (don’t forget this!)
  12. cd src/
  13. echo gcc -O2 -include /usr/include/errno.h > conf-cc (don’t forget this! Without it daemontools 0.76 fails to build on current glibc because errno is undeclared)
  14. cd ..
  15. package/install
  16. cd /package
  17. wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
  18. tar xvfz ucspi-tcp-0.88.tar.gz
  19. rm ucspi-tcp-0.88.tar.gz
  20. cd ucspi-tcp-0.88/
  21. echo gcc -O2 -include /usr/include/errno.h > conf-cc (don’t forget this!)
  22. make
  23. make setup check
  24. cd /package
  25. wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
  26. tar xvfz djbdns-1.05.tar.gz
  27. rm djbdns-1.05.tar.gz
  28. cd djbdns-1.05/ (don’t forget to change into the source directory, otherwise conf-cc ends up in /package and make fails)
  29. echo gcc -O2 -include /usr/include/errno.h > conf-cc (don’t forget this!)
  30. make
  31. make setup check
  32. reboot (daemontools’ install step added svscanboot to /etc/inittab; the reboot starts the /service scanner)
  33. tinydns-conf Gtinydns Gdnslog /etc/tinydns 192.168.10.1
  34. ln -s /etc/tinydns /service/tinydns
  35. sleep 5
  36. svstat /service/tinydns (it should report “up” with a pid)
  37. cd /service/tinydns/root
  38. ./add-ns . 192.168.10.1 (makes tinydns authoritative for the root, so it answers queries for any name instead of refusing them). tinydns only returns what is in its data file, so to make every other hostname resolve to 192.168.10.1 add this wildcard line to /etc/tinydns/root/data as well: +*.:192.168.10.1
  39. ./add-host server.malware.lab 192.168.10.1
  40. ./add-host client.malware.lab 192.168.10.2
  41. ./add-ns 10.168.192.in-addr.arpa 192.168.10.1 (declares the reverse zone, so the PTR records that add-host already wrote for the two hosts are served)
  42. make (compiles data into data.cdb; tinydns opens the new file on the next query, no restart needed)

And that’s it (42 steps!), I have a DNS server running… Point the victim’s /etc/resolv.conf at 192.168.10.1 only: tinydns is an authoritative server and does not recurse, so with the root delegation and the wildcard every name the sample looks up resolves to the lab server and its traffic lands on the fake services instead of the real Internet. If you need more information visit the DJBDNS page.
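How the lines written by the add-ns and add-host helpers fit together, as an added example (this is not code from the post or from djbdns): it generates the same data lines the procedure above appends and models tinydns’s answer logic in a simplified form: a name is refused unless some suffix of it has a “.” (NS/SOA) line, an exact A record wins, and otherwise wildcards are tried on each parent up to the root. The rcode strings, the `LabZone` class and the `build_without_fake_root` contrast case are the model’s own, and the queried hostnames are constructed for the example.

```python
"""tinydns data lines for the lab and a small model of how tinydns answers.

Added example for this page, not djbdns code. The matching rules follow
tinydns's behaviour (closest '.' line gives authority, exact name first,
then wildcards walking up to the root) but are simplified to A and PTR.
"""


def reverse_name(ip):
    """192.168.10.2 -> 2.10.168.192.in-addr.arpa (owner of the PTR record)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def parents(name):
    """Yield name and each of its parents, ending with '' (the root)."""
    labels = name.strip(".").split(".") if name.strip(".") else []
    for i in range(len(labels) + 1):
        yield ".".join(labels[i:])


class LabZone:
    """Collects tinydns 'data' lines and indexes them for lookups."""

    def __init__(self):
        self.lines = []     # what ends up in /service/tinydns/root/data
        self.a = {}         # owner -> IPv4 (non-wildcard A records)
        self.wild = {}      # parent -> IPv4 for '+*.parent:' lines
        self.ptr = {}       # reversed-address owner -> hostname
        self.zones = set()  # names carrying a '.' line (we are authoritative)

    def add_ns(self, fqdn, ip, x="a"):
        """'.fqdn:ip:x' -> SOA/NS for fqdn plus an A record for x.ns.fqdn."""
        zone = fqdn.strip(".")
        self.lines.append(f".{zone}:{ip}:{x}")
        self.zones.add(zone)
        self.a[f"{x}.ns.{zone}".strip(".")] = ip

    def add_host(self, fqdn, ip):
        """'=fqdn:ip' -> A record and the matching PTR record."""
        self.lines.append(f"={fqdn}:{ip}")
        self.a[fqdn] = ip
        self.ptr[reverse_name(ip)] = fqdn

    def add_wildcard(self, parent, ip):
        """'+*.parent:ip' ('+*.:ip' for the root) -> A for any name below parent."""
        parent = parent.strip(".")
        self.lines.append(f"+*.{parent}:{ip}")
        self.wild[parent] = ip

    def authoritative(self, name):
        return any(p in self.zones for p in parents(name))

    def lookup_a(self, name):
        """(rcode, ip): refuse out-of-zone names, prefer exact, then wildcards."""
        name = name.strip(".")
        if not self.authoritative(name):
            return ("REFUSED", None)
        if name in self.a:
            return ("NOERROR", self.a[name])
        for parent in list(parents(name))[1:]:  # wildcards only match below a parent
            if parent in self.wild:
                return ("NOERROR", self.wild[parent])
        return ("NXDOMAIN", None)

    def lookup_ptr(self, ip):
        owner = reverse_name(ip)
        if not self.authoritative(owner):
            return ("REFUSED", None)
        return ("NOERROR", self.ptr[owner]) if owner in self.ptr else ("NXDOMAIN", None)


def build_lab_zone(server_ip="192.168.10.1", client_ip="192.168.10.2"):
    """Same records the add-ns/add-host steps of the post create, plus '+*.:'."""
    z = LabZone()
    z.add_ns("", server_ip)        # ./add-ns . : claim the root
    z.add_wildcard("", server_ip)  # +*.:192.168.10.1 : everything else resolves here
    z.add_host("server.malware.lab", server_ip)
    z.add_host("client.malware.lab", client_ip)
    z.add_ns("10.168.192.in-addr.arpa", server_ip)  # reverse zone for 192.168.10.0/24
    return z


def build_without_fake_root(server_ip="192.168.10.1", client_ip="192.168.10.2"):
    """Only the two add-host lines: shows why the root '.' line and wildcard matter."""
    z = LabZone()
    z.add_host("server.malware.lab", server_ip)
    z.add_host("client.malware.lab", client_ip)
    return z


if __name__ == "__main__":
    z = build_lab_zone()
    print("\n".join(z.lines))
    for q in ("server.malware.lab", "c2.example.net", "a.ns"):  # constructed names
        print(q, z.lookup_a(q))
    print("192.168.10.2", z.lookup_ptr("192.168.10.2"))
    print("without fake root:", build_without_fake_root().lookup_a("c2.example.net"))
```

Running it prints the data lines and shows that c2.example.net resolves to 192.168.10.1 only because both the root “.” line and the +*. wildcard are present. With just the two host lines the model refuses even server.malware.lab, because no “.” line declares authority for malware.lab; that is why the add-ns for the root is needed, and why the wildcard note on that step matters.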

DJBDNS has been designed to be secure, and it’s very easy to manage (at least compared with BIND).

See ya!


Thanks to the Kippo SSH honeypot and to those who have generously donated their rootkits and bot software, I now have six interesting malware samples to play with.

I’ve examined three of these files on an isolated machine, and these are my first impressions:

  1. People from Western Europe are really bored, so they like writing amusing programs
  2. The programs contain funny messages like “We are ROOT, we are deleting the logs,  let’s download evil files…”
  3. They love IRC channels and writing their own versions of ps, top, netstat, ls…

Now I’m preparing my first malware lab to analyze these samples seriously in a protected environment, which is why I’m testing the Samhain host IDS and working on a network server offering DNS, SMTP, HTTP and IRC to simulate a real network, so stay tuned! Any suggestions for this lab are welcome.

P.S.: I’m preparing a new version of the Suricata How-To. I hope you’ve found it useful.

P.S. #2: I can’t believe we won the FIFA World Cup! 🙂


On July 1, 2010 the Open Information Security Foundation released the first stable version of the Suricata IDS. I’m a long-time Snort user, but I want to know more about this IDS, so I’m going to write a howto for installing and configuring Suricata on Debian 5.0. Suricata can use PF_RING, the new packet-capture socket that, according to the ntop website (what a great tool ntop is…), dramatically improves packet capture speed.

Installing Suricata is not difficult, but it takes a little time if you want to use PF_RING. This howto follows the INSTALL and INSTALL.PF_RING files that come with Suricata, with some modifications of my own.

Updated 2010/07/08: the howto now covers a basic configuration section. Enjoy!

Download the HOWTO in PDF format
