Government Security
Network Security Resources

Jump to content

Photo

How To - Malicious Web Site Analysis Environment

- - - - - antivirus
  • Please log in to reply
No replies to this topic

#1 bspirovski

bspirovski

    Specialist

  • Sergeant Major
  • 118 posts

Posted 23 November 2009 - 12:55 PM

There are numerous sites and web-server side scripts which perform malicious attacks or simply unpleasant problems to their visitors.

The latest one that gained prominence, is the although not really causing much harm is the "Want 2 C Something Hot?". It is an elegant XSS hidden which just shares itself on the facebook profile of the visitor.

Posted Image
The careful visitor will simply steer away from such links. The careful but curious visitor would want to see what such code does, but in a safe environment. So, here is a sample environment for a safe preliminary analysis of a malicious web site:


  • The analysis computer - a Cleanly installed VMware Windows XP SP3 guest OS. The guest OS should be configured with a bridged networking. Configure your host OS firewall to block all communication from the guest OS IP address to the host OS IP address.
  • The protective shielding - The guest OS should have a latest updated antivirus software. We recommend AVIRA, with active heuristics scanning. Also, include an anti-malware software, like Spybot - Search and Destroy.
  • The analysis tools - Now is the time to fire up your arsenal:
  • Wireshark/Ethereal - all traffic should be captured with a network sniffer, so if the application level tools miss something, you can always revert to the packet capture. Set the sniffer to automatic saving of packet capture to disk, and start the sniffer before you start surfing!
  • Latest Firefox with Firebug Add-In - all request/reply communication will be tracked through the Firebug. This is the application tool that will help you start dissecting the communication to and from the browser, and what is actually received.
The results of a the "Want 2 C something hot?" through firebug is seen on the next image. From there you can start dissecting each request and reply to fully understand the sequence of events.

Posted Image

Please note that the results are not magical, and that by only using this toolset you won't become an instant securuty analyst or a hacker. This is just a safe environment for analysis of web sites.



Bozidar Spirovski
http://www.shortinfosec.net





Also tagged with one or more of these keywords: antivirus