Today I ordered the parts for my new virtualization server. The memory and motherboard was out of stock so it will take a few weeks before I get all the parts. Still deciding if I am going Xen or VMWare with it, but right now I am leaning towards VMWare as it is what I see at my customers datacenters.

On my way home from work I was reading the news on my phone and found one very odd news article on mobil.DN.se (Dagens Nyheter).

My guess that either their backend is having a fit, but more likely they have an unwanted visitor in their system. I’ve contacted the staff which will look into it.

I am looking at what components I’d like in a computer for running virtual machines. I have not yet made a definitive choice what virtualization product I will use but it is either VMWare ESXi or Citrix XenServer – the choice is primarily based on which of them will work on the computer (as it is a DIY project built from components the vendor hardware support documents are not very useful) followed by what products our sales people in the company hear most of (it is meant to be a competence enhancing project too).

Anyway, this is what I’ve put in the shopping cart right now:

• GIGABYTE GA-EP45-DQ6 S-775 ATX
• INTEL CORE 2 QUAD Q9550 2.8GHZ 12MB 1333MHZ S-775
• OCZ DDR2 GOLD XTC 16GB PC2-6400 (4X4GB)
• ASUS RADEON HD3450 256MB GDDR2 PCI-E VGA/DVI/HDMI LP
• 2 x WESTERN DIGITAL CAVIAR GREEN 1TB SATA/300 32MB
• SAMSUNG DVD-ROM 16X/48X INTERN IDE BULK (Need it to install the virtualization product, probably the only time it is ever used…)
• ACE RAW DEAL+ 620W ATX
• COOLER MASTER MIDITOWER CM STORM SNIPER ATX

If the virtualization products supports the onboard RAID then I will add some more drives (Not sure if I should run RAID 5 or RAID 1+0 in that case). I have also an idea of running the core OS from a Compact Flash [CF] using a SATA/CF adapter, but I am not sure about that yet.

If you have any experience of running either virtualization product on similar hardware do leave a comment with your feedback.

Since my last post I’ve joined the Malware Database project team of malware researchers, and is making good progress on building an infrastructure that collects and automatically analysis suspicious code.

The infrastructure is built upon Amazon AWS and is using the S3, SimpleDB and SQS components:

• S3 is used for storage of the suspected malicious software
• SimpleDB is used to store metadata about the samples
• SQS is used to trigger the different analysis components

It also uses Mediawiki to present the results and Wordpress to act as the comment engine (Mediawiki comment page isn’t as straight forward as one could hope).

As I am a big believer of the Open Source model I have made all the source code available at Google Code with a GPLv2 license.

The bad guys never stop producing new & variants of their malicious software (malware), and even though generic signatures and behavior-based analysis can catch many of them it is an arms race to find and write detection rules for them.

I have collected malware for some time now and doing it manually is quite time consuming, so here is how I do it in a more automated fashion.

Server honeypots

On the server honeypot side you can have more or less interactivity. More interactivity means getting more details out of the attacker, but also more administration. The opposite is true for low-interactive honeypots: less admin work, but the attacker can’t do very much with them either.

Personally I have low interaction server honeypots running all the time, while high-interaction honeypots are limited to when I have time to babysit them (like weekends etc).

Client honeypots

Client honeypots also comes in two sizes: one is working more or less like a spider, trying to go everywhere, download everything and run it against a detection engine (like ClamAV or Snort rules). High-interaction client honeypots are using a standard web browser (either Internet Explorer or Firefox) together with a file integrity monitor that spriders. Because of the more “live” client environment you tend to collect more malware that way.

I currently run low-interaction client honeypots and are building myself a high-interaction client honeypot. Reason is that it takes time to set the whole thing up, but with plentiful free virtualization software available it is getting easier and easier to create the required environments.

In a later installment I will describe the specifics of my honeypot environments, how they work and how to install them etc. Stay tuned.

Finally some judges over at the states are starting to get it.

“Although it is true that someone who copies a digital version of a sound recording has little incentive to purchase the recording though legitimate means, it does not necessarily follow that the downloader would have made a legitimate purchase if the recording had not been available for free,” U.S. District Judge James Jones of Virginia ruled (.pdf) in denying the RIAA’s motion to force convicted Elite Torrents admin Daniel Dove to pay tens of thousands of dollars in restitution.

Hopefully this idea will catch on here in Sweden too. Just because you get something when it is free doesn’t mean that you would have gotten it if you had to pay for it. This is true for both entertainment and software.

If I had to pay for Linux in the year 1997 (when I got my first PC) I would most likley have ended up as a Windows guy instead of a Linux guy. Lets face it:

• Solaris was fun, but the hardware was expensive (you needed to pay for Sparc stuff at the time). As a fresh member of the work force that wasn’t an option. Besides, I got employee discount on x86 hardware – not Sparc.
• Windows had all the software and games, but also a lot of problems. It ran on commodity hardware and wasn’t cost-prohibitive.
• Linux ran on commodity hardware and was free. And you had all the development tools on it as well, so you could start whacking C code without paying any extra money. And you get extra geek points for running it (look ma, no GUI).

I must say that I haven’t looked at that much software code over the years compared to the number of softwares I am running – but it feels good to be able to, and I have fixed bugs that way as well.

Would I have gone with Linux if I had to pay as much as Solaris for it? I doubt it. Actually, if it wasn’t because I worked at a computer company at the time and heard how the tech support guys was bitching about Win95 during their breaks, together with the lucky timing of my friend having a Redhat Linux installation CD, I would never had gone the Linux route at the time I did.

It has been about 24 hours since I completed the install of Windows 7 on my EEE 900, and here’s a quick review of my experiance with it so far.

I must say that Windows 7 feels very fast on the machine, although the fat installation doesn’t leave much space over to other things like an office package. It is safe to say that the netbooks available when Windows 7 is being released has enough storage space for it plus office package and other goodies, which will give the current set of OS choices some real compitition (although I personally think Easy Peasy, formally known as Ubuntu EEE, rocks).

A quick visit to the Windows update application and almost all of the missing drivers got installed (the webcam drivers are still missing IIRC). After installing/upgrading the drivers I wanted I was looking into getting a new Windows Experience Index score, but the system keeps hanging during the test. Hopefully there will be some updates for the Windows 7 beta that fixes the issue.

If it wasn’t for the space problem I wouldn’t mind using Windows 7 as the OS on the machine, it boots up amazingly fast and feels very responsive – but just being able to fit an OS without any applications is not enough for me – I need my apps as well, so after some more playing around with Windows 7 on the machine I’ll revert it back to XP Home (or something).

I was thinking of giving Windows 7 Beta (available as a free download) a spin on my Asus EEE 900, as Windows 7 is supposed to be able to run on Netbooks. I downloaded the beta ISO from Microsoft website, burned it to a DVD+R and booted the EEE 900 from an external DVD drive (if you have as many netbooks and slim laptops, like the Thinkpad X40, as I do it makes sense to invest in a USB DVD drive).

The installation steps has been documented at multimolti’s Techblog, but it fails to mention in the main article (but later mentioned in the comments section) that Windows 7 has to be installed on the second, larger (16 Gb in case of the Linux version), SSD drive as the first SSD drive (4 Gb) lacks the diskspace required.

Some pictures from the installation process:

The Asus EEE 900, which has been upgraded to 2 Gb RAM, gets an Windows Experience Index score of 1.0.

However it is to be noted that drivers for ethernet, video and yet to be identified device is not installed yet.

Once I have fixed that I will re-run the assessment to see if it scores any better (it should do, the scording of “graphics” and “gaming graphics” pulled down the total score).

Cybexin has done it again. Another excellent video instruction on how to generate Metasploit executables that is being undetected from antivirus software.

Check out his site, plenty of cool videos available and it seems to no end of his ability to upload new instructable videos.

From the Websense Security Labs:

We also found a network sniffer used to monitor the network traffic. The worm searched for special keywords in the network flow such as “RCPT TO:”, “MAIL FROM:”, the two keywords used for SMTP protocol. When the malware found one of these keywords in the network traffic, it would parse some useful information such as the email address, username, and password, then send the details to the hardcoded server: in this case, hxxp://91.[removed].57/cgi-bin/forms.cgi

Interesting with the sniffer capabilities of the malware, that isn’t something you see everyday (at least not yet). Hopefully it doesn’t catch on, but I guess it will. Now even the malware will start attacking your network (and not just the network nodes) in a serious way, and I guess that more intelligent sniffing is on its way.