Saturday, December 6, 2008

Nepenthes + Smoothwall + Windows XP box... Ideal botnet hunting kit!

These days the spam of the internet is totally controlled by botnets: trojans specifically built to hide themselves on unknowing users' systems and hand all the resources of that system to the botnet controller.

Generally the drones (the individual botnet nodes) connect to an IRC server or a p2p network such as eDonkey, using a central hub design. This allows the botnet controller to issue a single command to control all the bots, sometimes in the hundreds of thousands. These drones spread via all methods, including social engineering, email and scanning/exploiting of known security holes in the destination operating system.

I have decided in my spare time to build some infrastructure in virtual machines to capture drones, analyse drones and, most importantly, isolate them from the rest of my private network. Nepenthes is a great honeypot that captures all exploit attempts, and this includes drone installation attempts.
I have designed the following virtual network to accomplish the task.

internet > smoothwall 3.0 > debian 4.0 r5 (running nepenthes)
                          > Windows XP SP3

I have set up firewall rules on the smoothwall to block both interfaces from my private network and only allow specific traffic back to the internet. For example, we don't want to be analysing the drone and get involved in a DDoS attack by a command issued to all drones (my test drone included).

So now I sit and wait; my nepenthes box is sitting waiting for incoming exploit attempts. Finally a binary is downloaded and saved. At this stage I transfer the binary to my XP VM, I start my packet sniffer (Wireshark) and something to monitor all the system changes it's making (procmon). I launch the binary and monitor what happens.

The first binary I found I was able to trace back to an IRC server, and within a few hours found a botnet controller issuing commands to the botnet. One mass die command later and 500 hosts are virus free. While this was a very primitive botnet it has been a lot of fun analysing how these run. I will leave my nepenthes box running to collect more samples from the wild to analyse.
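The tracing step described above, as an added example that is not part of the original post: once the captured binary is running in the isolated XP VM, the sniffer export is reviewed for the IRC registration (NICK/JOIN) that identifies the controller, the commands pushed from the server side, and any other destination the VM tried to reach, which is exactly the traffic the smoothwall rules should be dropping. The line format ("src -> dst payload") and the capture lines below are constructed for the example; the hosts, nick and commands are not from a real capture.

```python
"""Added example (not from the original post): pick IRC command-and-control
indicators out of a text export of a packet sniffer taken while a captured
binary runs in the isolated analysis VM.

Assumed input format: one TCP payload per line, "<src ip:port> -> <dst ip:port> <payload>".
The sample lines below are constructed, not a real capture.
"""
import re

SAMPLE_CAPTURE = """\
10.0.0.5:1045 -> 203.0.113.10:6667 NICK [XP]a8f3c1
10.0.0.5:1045 -> 203.0.113.10:6667 USER xp 0 * :xp
203.0.113.10:6667 -> 10.0.0.5:1045 :irc.example.test PING :12345
10.0.0.5:1045 -> 203.0.113.10:6667 PONG :12345
10.0.0.5:1045 -> 203.0.113.10:6667 JOIN #ctrl joinkey
203.0.113.10:6667 -> 10.0.0.5:1045 :ctl!op@example.test TOPIC #ctrl :.update http://198.51.100.7/update.exe
203.0.113.10:6667 -> 10.0.0.5:1045 :ctl!op@example.test PRIVMSG #ctrl :.status
10.0.0.5:1046 -> 198.51.100.7:80 GET /update.exe HTTP/1.1
"""

# IRC client verbs a drone emits while registering and idling in its channel.
IRC_CLIENT_VERBS = {"NICK", "USER", "JOIN", "PART", "PONG", "PRIVMSG", "MODE", "QUIT"}
LINE_RE = re.compile(r"^(\S+) -> (\S+) (.*)$")


def parse_capture(text):
    """Return (src, dst, payload) tuples for every well-formed line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groups())
    return rows


def split_irc(payload):
    """Split one IRC line into (prefix, VERB, params); prefix is '' if absent.
    A trailing parameter introduced by ' :' keeps its spaces."""
    prefix = ""
    if payload.startswith(":"):
        prefix, _, payload = payload[1:].partition(" ")
    verb, _, rest = payload.partition(" ")
    if rest.startswith(":"):
        params = [rest[1:]]
    else:
        head, sep, trailing = rest.partition(" :")
        params = head.split() if head else []
        if sep:
            params.append(trailing)
    return prefix, verb.upper(), params


def irc_indicators(text, vm_addr="10.0.0.5"):
    """Summarise what the analysis VM talked to: the IRC server it registered
    with, its nick, the channels it joined, commands pushed by the server side
    (TOPIC/PRIVMSG), and every non-IRC destination it contacted."""
    report = {"server": None, "nick": None, "channels": [],
              "commands": [], "other_destinations": []}
    for src, dst, payload in parse_capture(text):
        _, verb, params = split_irc(payload)
        if src.split(":")[0] == vm_addr:
            if verb == "NICK" and params:
                report["nick"] = params[0]
                report["server"] = dst   # registration identifies the controller
            elif verb == "JOIN" and params:
                if params[0] not in report["channels"]:
                    report["channels"].append(params[0])
            elif verb not in IRC_CLIENT_VERBS and dst not in report["other_destinations"]:
                # anything that is not IRC client chatter, e.g. an HTTP fetch
                report["other_destinations"].append(dst)
        elif verb in ("TOPIC", "PRIVMSG") and len(params) >= 2:
            report["commands"].append((verb, params[0], params[1]))
    return report


if __name__ == "__main__":
    for key, value in irc_indicators(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

The "other_destinations" list is the useful output for the firewall side of the setup: with the smoothwall only permitting the specific traffic you chose, every address in that list that is not on the allow list should also show up as a dropped or logged connection on the firewall, which confirms the containment is working before the sample is allowed to run for longer.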

My thoughts on Intel Atom performance

There has been a lot of talk about how powerless the Intel Atom CPU is, ESPECIALLY for multithreading. While I agree with this in some aspects, I have also found it can be quite responsive.

I have been sent an MSI Wind U100 for review and am running a fairly streamlined XP SP3 installation on it. When I install my normal AV, Symantec Endpoint Protection 11, it is almost unusable. As soon as I remove it, the platform is very responsive, with sessions of MSN, Word 2007, Photoshop Elements and Opera all running simultaneously at good speed.

This CPU might be more suited to a desktop Linux variant such as Ubuntu, Gentoo or Fedora. I have been running Fedora Core 10 on the notebook for a few weeks and it really does work great. Obviously you need to remove functions and services you don't need, but you do that on every machine you build, right? Optimization is life.

server 2008 as desktop platform... works for me!

Over the past year I have gone from XP to Vista 32 to Vista 64 and back to XP, and have not found the ideal workstation OS.

I've got a fairly powerful workstation and want something I can virtualise well on. I also like some of the features Vista brings to the table, but it's very bloated and has a lot of features I don't need.

Solution? Workstation 2008...

It's obviously slimmed down for server operations but includes all the features you need for a great power workstation. Optimized for speed, good feature set, good hardware support.

Only problem so far: no support for MSN. That's fine, I use Pidgin for its encryption support anyway ;)

I have found my workstation (for now at least...)

areca1220 raid controller issues? so I thought!

For the past 3 months I have had a lot of problems with my RAID6, which is a problem as it's my main storage medium, used for backup and long-term storage of my files. It consists of:

areca 1220 controller
8x wd 320gb aaks drives
in RAID6 configuration for a total of 1.9TB usable space.

I have done everything from rebuilding the array to reinstalling the operating system. I spent 4 hours last night troubleshooting it and it turns out to be bad SATA cables. Put in 8 new DFI SATA cables that have a tighter fit and the problem seems resolved; no more drives dropping off the array!

I can rest peacefully now knowing my data is secure..

wrt150n + dd-wrt + sd card mod + freeradius = Secure Wireless

Decided to pick up one of these wrt150n for cheap because they can run dd-wrt. Advantages of this, I guess, are a lot more options than the Linksys firmware: RADIUS server, PPTP/OpenVPN server and torrent client.

Added the SD card slot and stuck a 1GB SD card in there to run some extra packages.

First thing I wanted to do was set up freeradius so I can set up WPA2 Enterprise/AES with PEAP MSCHAPv2 authentication for my wireless network. You've all seen how easy it is to even break WPA2 (with a pre-shared key) using hash tables of course..
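Why pre-shared-key WPA2 is exposed to precomputed tables, as an added example that is not part of the original post: in WPA2-Personal the Pairwise Master Key is derived only from the passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output, per IEEE 802.11i), so anyone can build a table of PMKs for a popular SSID in advance, and a short or dictionary passphrase is then a lookup away. With the PEAP/MSCHAPv2 setup above the PMK is instead generated per session by freeradius and handed to the access point after the EAP exchange, so there is nothing static to precompute. The code derives the PMK and checks it against the published 802.11i test vector ("password"/"IEEE"); the other SSID and passphrase values are constructed for the example.

```python
"""Added example (not from the original post): derive the WPA2-Personal PMK
and show that it depends only on passphrase + SSID, which is what makes
precomputed tables possible for common SSIDs.
"""
import hashlib

# Published test vector from IEEE 802.11i (Annex H): passphrase/SSID -> PMK.
IEEE_TEST_VECTOR = (
    "password", "IEEE",
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e",
)


def wpa2_psk_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The standard restricts passphrases to 8..63 printable ASCII characters."""
    if not (8 <= len(passphrase) <= 63):
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    if not all(32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA2 passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def pmk_hex(passphrase, ssid):
    """Hex form, as it appears in hostapd/wpa_supplicant config and in tables."""
    return wpa2_psk_pmk(passphrase, ssid).hex()


def self_check():
    """True if the derivation matches the published 802.11i test vector."""
    passphrase, ssid, expected = IEEE_TEST_VECTOR
    return pmk_hex(passphrase, ssid) == expected


def table_reusable(passphrase, ssid_a, ssid_b):
    """True when a PMK precomputed for ssid_a is also valid for ssid_b, i.e.
    only when the SSIDs (the salt) are identical. A unique SSID forces a
    fresh table; it does not make a weak passphrase strong."""
    return wpa2_psk_pmk(passphrase, ssid_a) == wpa2_psk_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    print("test vector ok:", self_check())
    # Constructed values for illustration only.
    print("same SSID reuses table:", table_reusable("password", "linksys", "linksys"))
    print("unique SSID changes PMK:", not table_reusable("password", "linksys", "jd-home-7f3a"))
```

The practical reading for a home network: a long random passphrase plus a non-default SSID already defeats table lookups, and the RADIUS/PEAP setup removes the shared secret from the air altogether, since each client's PMK comes out of its own TLS-protected EAP session.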

Well, it took a few hours to do the mod and get the certificate generation with freeradius right, but it's all working and it's sweet now. I can sleep at night with my girlfriend using secure wireless =)

If you do this SD card mod, beware: all the guides on the internet are wrong. They say the CLK GPIO pin can be grounded. This isn't right; it needs an active GPIO pin, so connect it to the front of the power LED and set it to 1.

Also have a little torrent client working on there, saving to my SAN via CIFS.

So this is a cheap alternative for RADIUS authentication for the security conscious, plus it uses hardly any power to run.

revised home network layout

Now, for a home network I think our network here is pretty slick. I have done a lot of work over the past two months while I've been undergoing my treatment to build it into something I am proud of. Here is a little bit of information on what we have set up!

I wanted to be able to have a small footprint when we aren't home. What I mean by that is low power consumption from the devices that always stay on. These include modems, switches, routers and the SAN. I definitely wanted remote and secure access, and my requirement was at minimum certificate-based WPA2 authentication on our network. I think, minus the smoothwall box and IDS at the perimeter, I have achieved all my goals so far... smoothie is only a matter of time!

James Desktop - prodesktop
e6850 @ 3.6
asus maximus extreme
2gb cellshock pc14440 c7 rams

Sarah's Desktop - sarahdesktop
e7200 @ 3
dfi p45 jr
2gb gskill 6400 hz
8800GTS 512mb

server - imagine
fx60 @ 3
dfi lanparty sli-dr expert
4gb legend rams
8800GTS 512mb
areca 1220 1.9TB raid6 array

mediacenter - mce
9850 @ 2.2 (underclocked/undervolted)
biostar 790gx
ATI 3450 fanless
2x DNTV pci high def tuners

Thecus N1200 NAS
* Central media/backup storage

Billion BiPAC 7402(G)L R3
* 19Mbit sync ADSL2 sync

Linksys wrt150n with sdcard mod + ddwrt
* running openvpn server
* freeradius server for wireless authentication
* wpa2/aes certificate based, radius backend

Gigabit Lan

Only thing I gotta do now is get a small power consumption box to run a smoothwall server and I think we're set =)


esx 3i on fileserver

I've got a fileserver sitting here that is doing nothing. It's too special to waste:

fx60
dfi lanparty sli-dr expert
4gb ddr1
2tb on areca 1220

So I decided to put it to use and do a dual install of ESX 3i and Debian 4.0 r5 etchnhalf..

This gives me the functionality of using the full system from my desktop to run virtual machines from, or getting use of the 2TB as a NAS via the Debian install. Debian is no slouch either, as it is able to run VMware Server and do nearly as good a job as ESX, obviously without all the performance allocation options!

Well, it's done minus the Debian box. Still having a bit of a problem with the install crashing at the end; shall keep at it!

MSI Wind on LN2

Yo! Yeah, it's another stupid idea from Team Australia...

Get an MSI Wind netbook that has some pretty nice overclocking abilities, a stick of DDR2 SO-DIMM and some LN2 and see what happens..

 - pfffft

Setup:
MSI Wind U100 Netbook
Kingston 2GB DDR2 667MHz SO-DIMM
Astra!

First, remove the back. Putting on new thermal paste and leaving the back off with a pedestal fan blowing onto the mobo takes my temps from ~45 to 19 idle and 29 loaded.

A lot of grease and a little Plastik spray just to make sure..

My CPU temp measure point. The pot is situated right on top of the GPU/chipset, but cold transfer from the plate goes to the CPU and also right next to the RAM. The RAM is covered in grease of course..

I needed a stand so (a) I could press the on/off button, (b) I could get into the BIOS if required..
No gains over about -15; the chip must have been subzero at this stage. RealTemp reads 4 degrees since the base of the pot read about -4....

Result? 2315MHz. As far as I know it's the fastest speed of an Atom processor in a notebook or desktop board. Also 2385MHz in camera screenshots..

2315MHz Intel Atom N270

Don't try this at home. Maybe warranty covers you changing your own RAM, but not this perhaps ;)