Using Potentially Dangerous Files

Discussion in 'other security issues & news' started by wildermark, Nov 29, 2006.

Thread Status:
Not open for further replies.
  1. wildermark

    wildermark Registered Member

    Joined:
    Nov 3, 2006
    Posts:
    30
    Alright, so... I'm wondering exactly what type of setup would be most secure for using potentially dangerous files just for laughs and giggles, an "I'm not sure about this" testing bed or whatever one may wish.

    I have given some thought to this lately and come to the conclusion that it would be more safe and less complicated in considering whatever needs testing will not need internet access. So, here's what I've been pondering on:

    Take some virtualization software like VMware with no internet setup in it.. install some sandboxing software like Sandboxie.. and then from within this sandboxing software that is within this virtualization software, use these potentially dangerous files and simply observe them by whatever means.

    :doubt:

    This is just an idea I had and in the process I figured one could simply 'throw away' this testing bed after they were done. I'd like to hear more ideas of how to go about 'relaxingly' using potentially dangerous files. I'd also like comments on how secure and viable a setup like the one I described would actually be and if there could still be damage done to one's real OS install or potential complications one may encounter.
     
  2. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    You will need to get those files into the testbed somehow.
    I think the absolute safest would be a separate computer isolated from the rest of your LAN.
     
  3. wildermark

    wildermark Registered Member

    Joined:
    Nov 3, 2006
    Posts:
    30
    Well, let's say there are no other computers.
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Next most isolated would be 2 separate hard drives in mobile racks.
    Only one hard drive in computer at a time.
    One hard drive "tray" has your normal OS and the other your testbed.
    Only method of cross contamination is removable media like floppy, CD/DVD, USB drives.
    There is also the myth of the system and video card BIOS root kits, but that is just a myth.

    An alternative to the mobile rack for this purpose would be a hard drive switch.
    I think it is called Trios.
     
  5. wildermark

    wildermark Registered Member

    Joined:
    Nov 3, 2006
    Posts:
    30
    Well, let's say that you only have one hard drive and one partition. What sort of complications or risks would one face then?

    Nice tip on the hard drive switch btw..

    I found a review of the Trios II, but it appears the manufacturer's website has expired. http://www.tweakhound.com/reviews/drives/trios2/index.htm
     
  6. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Well then I think you have already found what you are looking for: VMware.
    I don't think sandboxie is needed as you said there will be no internet setup and besides anything that gets loose in the VM will be terminated on closing the VM session.
    Complications would be anything shared between the VM and the real computer like shared hard drives, media, etc.
    If you go this route, you will probably want the VM to have an internet connection. Otherwise how will you get the files in question on the testbed?
    If the VM is infected, then your IP address will be sent to the malware's owner.
    This IP address can be attacked after the VM is closed. This could include anything from a DOS or DDOS attack so you can't access the internet to port scans and attempts to infiltrate your real OS.
    Your router could be attacked from the inside as well if it has a weak or no password.
    If the router has remote WAN management enabled, then that is a vector as well.
    If you use any personally identifiable info within the VM OS (sending/receiving email, personal files, typing in passwords, etc.) that could expose your real computer to attack.

    Playing around with malware should not be taken lightly and is best left to the experts. There are a lot of ways that your real computer could get infected with only one small slip up. There is no way to do it "relaxingly".
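
An added example (not part of the original post): the "anything shared between the VM and the real computer" check above, run as an audit over a VMware `.vmx` file. The sample configuration is constructed; comparing keys case-insensitively and treating an absent `isolation.tools.*.disable` key as "not disabled" are assumptions of this sketch.

```python
import re

# Constructed sample .vmx content (not taken from the thread).
SAMPLE_VMX = """
displayName = "malware-testbed"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet1.present = "FALSE"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.hostPath = "/home/me/Documents"
isolation.tools.copy.disable = "TRUE"
usb.present = "TRUE"
"""

def parse_vmx(text):
    """Parse key = "value" lines into a dict with lower-cased keys."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*([^#\s=]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def is_true(settings, key):
    return settings.get(key, "").upper() == "TRUE"

def audit(settings):
    """List every channel the config leaves open between guest and host."""
    findings = []
    for key in sorted(settings):
        m = re.match(r"(ethernet\d+)\.present$", key)
        if m and is_true(settings, key):
            mode = settings.get(m.group(1) + ".connectiontype", "unspecified")
            findings.append(f"{m.group(1)}: network adapter present ({mode})")
        m = re.match(r"(sharedfolder\d+)\.present$", key)
        if m and is_true(settings, key) and is_true(settings, m.group(1) + ".enabled"):
            path = settings.get(m.group(1) + ".hostpath", "?")
            findings.append(f"{m.group(1)}: host folder shared: {path}")
    for op in ("copy", "paste", "dnd"):  # clipboard and drag-and-drop channels
        if not is_true(settings, f"isolation.tools.{op}.disable"):
            findings.append(f"{op}: guest/host {op} not disabled")
    if is_true(settings, "usb.present"):
        findings.append("usb: USB controller present (removable media can cross over)")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_vmx(SAMPLE_VMX)):
        print("REVIEW:", finding)
```
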
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Hello,

    Safest way I can imagine?

    Linux
    VMware Server in Linux
    Windows as guest
    Potentially dangerous files in Windows

    That's it.

    Mrk
     
  8. wildermark

    wildermark Registered Member

    Joined:
    Nov 3, 2006
    Posts:
    30
    For simplicity's sake about information leaks and such, let's say in these solutions that the computer is not connected at all to any networking.

    Correct me if I'm wrong, but sandboxing software is supposed to stop all changes/damage to existing files/etc, excluding something that could damage hardware, or in other words it's supposed to contain all changes that involve hard drive writing (including registry) within a collection of emulated files. Then you delete these 'sandboxed files' that contain any changes made by the executions within the sandbox.

    So, the real question is... where does this sandboxing software fail?

    I suppose something could remain in memory until after sandboxing ends then do something. Although, maybe some of them emulate a memory environment... I'll have to look into that.

    Could some people please add to this list of possible failures?
     
  9. herbalist

    herbalist Guest

    Wildermark,
    Did you have anything specific in mind that you want to test, study, etc? Effectiveness of security programs under actual conditions, against real threats? Studying specific malware behavior or delivery methods?
    A separate PC is the ideal way to go. The separate hard drive idea is good too, as long as you don't run into any malware that directly attacks your BIOS. Another alternative to switching hard drives would be to use drive imaging-restore software to switch operating systems on your existing hard drive. I use the recovery CD Acronis makes to back up my regular system, then load a test operating system onto my regular PC. I used to use CDRWs to store the system backups and the test operating systems. They worked well, but it's slow. Now I use an external hard drive for this, which gets unplugged during any testing that uses live malware.
    It would be better if you could keep your data on a separate drive, away from your actual operating system. Besides getting your data out of harm's way, it makes the system backups smaller and faster to switch and restore.
    Rick
     
  10. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,524
    Location:
    USA - Back in a real State in time for a real Pres
    I don't know what I'd do without my hard drives in mobile racks. It's very convenient. I would never want to go back.
     
  11. wildermark

    wildermark Registered Member

    Joined:
    Nov 3, 2006
    Posts:
    30
    Well, right now I'm simply trying to learn where sandboxing fails.. where are the weak points in it... What prevents me from safely unplugging the network and going buck wild in a sandbox?
     
  12. herbalist

    herbalist Guest

    I wish I had such a setup. Then again, even newer hardware would be an improvement. I used to leave the outer case off so I could easily switch drives. One day, my cat knocked over a table lamp, which landed right inside the PC, smashing the bulb into the circuit board while it was still lit. The outer cover stays on now. I'll live with a bit of inconvenience.

    Wildermark,
    I did similar testing with the pre-release beta versions of SSM. After using the Acronis CD to copy my regular system to CDRWs, I set up a new operating system, equipping it with just the necessities (updates, patches, alternate browser, etc), then added specific system monitoring and testing software. Good free items to add to a test setup include Filemon, Regmon, Process Explorer, TCP View and many others. Give the Sysinternals site a good look thru. Lots of good stuff there. On an NT based system, you'll want rootkit tools as well. When you get your basic test setup made and equipped, make an image of it. It makes a lot of testing easier when you can quickly start with a clean install of a system with all contents known.
    The focus of my testing was to see if SSM could prevent unwanted changes to my system when faced with viruses, exploits, malware, etc. Inctrl5 is an excellent tool for this type of work. It takes and compares snapshots of your file system and registry. It can be used to monitor individual installs, browser sessions, etc. When I was testing SSM, I'd take a snapshot, then do the testing, which was anything from visiting a CWS site to opening virus infected e-mail. After the test run, I'd run Inctrl5 again. It would take another snapshot, then report all file and registry changes. If you're testing how well a sandbox contains what runs in it, this type of setup should work for you. Unless you run into a malware that attacks your BIOS (and escapes from the sandbox) you should be pretty safe with this type of setup.
    If you decide to go with something like this and plan on doing a fair amount of testing or research, consider making several test configurations. I have several setups. One has the security apps I test most, SSM in my case. Another has no security software, useful for comparing HIPS, sandboxes, firewalls, etc. Before I bought an external hard drive, I kept everything on CDRWs. My data and personal files were moved to a separate internal drive, which I unplugged before doing testing, leaving the primary drive for just the operating system and software. Now I use an external drive to hold personal files, with test and backup images on a separate partition. It gets unplugged during malware testing.
    One other word of caution. Software and malware testing can be very addictive. Once you get started, you might not want to stop. There's all kinds of testing you can get lost in. There's so much malware material out there that you'll never run out. Enjoy!
    Rick
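
An added example (not part of the original post, and not Inctrl5's own code): the snapshot, test, snapshot-again, compare workflow described above, covering only the file-system half and not the registry. The temporary directory, its file names and the simulated changes are all constructed stand-ins for a monitored system drive.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "rb") as fh:
                    state[rel] = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                state[rel] = "unreadable"  # locked or vanished mid-walk; still record it
    return state

def compare(before, after):
    """Return the added, removed and modified paths between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def demo():
    """Constructed test run: a temp dir stands in for the monitored drive."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system32"))
        for rel, data in (("system32/hosts", b"127.0.0.1 localhost\n"),
                          ("system32/driver.sys", b"original"),
                          ("autoexec.bat", b"@echo off\n")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        before = snapshot(root)
        # Simulated effects of the program under test (constructed, harmless):
        with open(os.path.join(root, "system32/hosts"), "ab") as fh:
            fh.write(b"10.0.0.1 example.invalid\n")
        with open(os.path.join(root, "system32/dropped.dll"), "wb") as fh:
            fh.write(b"new file")
        os.remove(os.path.join(root, "autoexec.bat"))
        return compare(before, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

When the sandbox contains everything, the comparison of the real file system outside the sandbox comes back empty; any entry in the report is a change that got out.
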
     
  13. wildermark

    wildermark Registered Member

    Joined:
    Nov 3, 2006
    Posts:
    30
    yeah, it sounds fun and addicting.
     