Getting infected on purpose

colonydata (Member, Statesboro, GA)
I have yet to have a client come in with some of the big rogue security software infections (ThinkPoint, Antispyware 2010, etc.).

I want to get some practice removing them, so I have Windows XP Pro SP2 set up in a virtual machine that I have snapshotted and can revert back to a totally clean configuration after I am done.

Running IE6 with no AV or antispyware, yet I cannot seem to get infected with any of these.

What am I doing wrong?
 
Before I get too far into this, isn't there anything out there that can bust itself out of the hypervisor and onto my host machine? Or is doing it inside an isolated VM enough?
 
It will stay inside the VM, unless it gets across your network just like any other computer could. Don't put it on your file share or email it and open it on your host machine. :)
 
Even then 99% of current rogueware infections are not going to transfer via shares. They are designed to get injected via a web browser drive-by and then extract money from the victim. They're not worms or viruses in the strict sense of the words.
 
Yes, my partner and I discussed this issue. Worms will spread via your VM's network. But rogueware is specifically designed not to spread via the network. Then again, some rogueware comes packed with Trojan downloaders, TDL rootkits and other malicious code sometimes. So be careful. If you have an up-to-date AV you should be fine. I've never had this problem.
 
Safest Setup:

- Linux host machine with firewall + AV (optional) installed
- VirtualBox as virtualization software with Guest Additions disabled/not installed at all (no shared folders, etc.)
- Various Windows guest OSes with networking completely disabled
- Install Flash, Java, .NET, etc. on the guest machine so malware can run properly
- Take a snapshot of the guest machine BEFORE infecting it so you have something to revert to!

Download malware via offensivecomputing, place it in a folder, make an ISO out of that folder (e.g. ImgBurn), load the ISO file into the guest machine, infect, done.
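The setup list above is a procedure, so here is an added example (not from this thread or any of its posters) of how the host-side steps look when scripted on a Linux host: hash every sample into a manifest so it can be identified later without being run, build the read-only ISO with genisoimage (the ImgBurn step), and check a VirtualBox VM's settings for the isolation the post asks for (every NIC off, no shared folders, clipboard and drag-and-drop disabled). The VM name `xp-lab`, the folder paths and the two `VBoxManage showvminfo --machinereadable` outputs embedded below are constructed for the example; the `nicN`, `SharedFolderNameMachineMappingN`, `clipboard` and `draganddrop` keys are the ones that command prints.

```shell
#!/bin/sh
# Added example, not the thread's own procedure. Assumes a Linux host with
# sha256sum, and genisoimage or mkisofs for the ISO step (skipped if absent).

# Write a SHA-256 manifest for every file in the sample folder so each sample
# is identifiable by hash later without executing it. Prints the manifest path.
make_manifest() {
    dir="$1"
    ( cd "$dir" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + | sort -k2 ) \
        > "$dir/MANIFEST.sha256"
    echo "$dir/MANIFEST.sha256"
}

# Build a read-only ISO from the folder; the guest mounts it as a CD, so nothing
# flows back to the host the way a shared folder would.
build_iso() {
    dir="$1"; out="$2"
    if command -v genisoimage >/dev/null 2>&1; then
        genisoimage -quiet -J -r -o "$out" "$dir"
    elif command -v mkisofs >/dev/null 2>&1; then
        mkisofs -quiet -J -r -o "$out" "$dir"
    else
        echo "no ISO tool found; install genisoimage" >&2
        return 1
    fi
}

# Read `VBoxManage showvminfo <vm> --machinereadable` output on stdin and fail
# on any setting that would give the guest a path to the host or the network.
check_isolation() {
    status=0
    while IFS= read -r line; do
        case "$line" in
            nic[0-9]*=\"none\") ;;                                  # NIC disabled: good
            nic[0-9]*=*) echo "FAIL: $line"; status=1 ;;            # nat/bridged/etc.
            SharedFolderNameMachineMapping*)                         # any shared folder
                echo "FAIL: shared folder present: $line"; status=1 ;;
            clipboard=\"disabled\"|draganddrop=\"disabled\") ;;
            clipboard=*|draganddrop=*) echo "FAIL: $line"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample outputs (not captured from a real VM) for the two cases.
ISOLATED_VMINFO='name="xp-lab"
nic1="none"
nic2="none"
nic3="none"
nic4="none"
clipboard="disabled"
draganddrop="disabled"'

LEAKY_VMINFO='name="xp-lab"
nic1="nat"
nic2="none"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="/home/me/samples"
clipboard="bidirectional"
draganddrop="disabled"'

# Usage against a live VM:  sh lab.sh --check xp-lab
# Staging a folder:         sh lab.sh --stage ./samples ./samples.iso
case "${1:-}" in
    --check) VBoxManage showvminfo "$2" --machinereadable | check_isolation ;;
    --stage) make_manifest "$2" && build_iso "$2" "$3" ;;
esac
```

Run `--check` after taking the clean snapshot and again before each infection, since re-enabling a NIC or adding a shared folder for convenience is the usual way such a lab quietly loses its isolation.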
 