How do I figure out how a given malware works? - virtual-machine

I need to see the working of a malware (stuxnet) as a course reading assignment. I have its source code in C, but I don't know how to see its working. I thought of running it in a virtual machine in Ubuntu but I am not sure if it will infect my computer or not.
How should I run, rather, test it?

To see how it works, you don't need to be an expert in C, but it will help if you are familiar with the language.
To test the file, compile it to a windows or linux binary and then run it from inside a virtual machine (VM). Malware can break out of the VM and infect the host machine, so backing up your data or using a separate computer might be a good idea.
If I recall correctly, stuxnet had a very specific start routine and wouldn't start unless a number of hardware IDs existed.

Related

How to Install Things off Command Line in Computer we are SSHed to

so my general problem right now is that I'm SSHing into another computer and would like to download Java, however a lot of what I would need to get things set up can only be accessed, from what I can tell so far, from a download off the web browser. Of course there are likely several solutions to this, such as ways to download the environment and language outside of a web browser, but at the same time I'd like to know the general strategies one would take in downloading new languages and environments on a computer they are SSHed into, or don't have as much utility in its use. Thank you!

Connecting to tty port through C++ fails unless you've connected through screen first

I picked up an AUPS-A10-R11 DC UPS, and am working with their API to build some monitoring software for my xen host. Their API runs over the USB connection on the device, which presents itself as /dev/ttyUSB# on the host.
I've got things working fine except for one thing that's puzzling me. When I first power on or reboot the host it's connected to, I can't communicate with the device. However, if I open up a screen connection to it:
screen /dev/ttyUSB0 9600
and then close it (ctrl+a, k) then it will work perfectly fine until the next time that you reboot the host.
Does anyone have any idea as to why I would have to connect to the device over screen first? I've pasted my code here: http://susepaste.org/0b8bb37f . When connecting on a fresh reboot, it stops at the "Read Nothing" section of the if...else clause. After connecting to the device with screen, it works fine.
Any thoughts??
Does anyone have any idea as to why I would have to connect to the device over screen first?
Such behavior is almost always related to incomplete termios initialization by your program.
The ideal program would configure a serial terminal for its purposes, and on exit restore the termios configuration back to the way it found it.
But most programs, including terminal emulation programs such as minicom and apparently screen, simply leave their termios configuration instead of restoring it.
Fortunately for you, this leftover termios configuration fills in the missing pieces that allows your program to access the serial terminal as expected.
Review of "your" code suggests that it was copied from the accepted answer of this question. Based on the number of up-votes, this code apparently works for a lot of people. However the author admits it was written before POSIX standards, and therefore the code should not be considered portable. In other words, your mileage may vary.
Apparently you overlooked the alternative answer which is POSIX compliant. A tested termios configuration for blocking non-canonical mode is in that program.
If you prefer to simplify with the use of the cfmakeraw() macro, then here's another code example.
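A complete save/configure/restore sequence of the kind the answer describes, added here as an illustration and not taken from the question's pasted code or the linked answers; the helper names, the device path and 9600 baud are assumptions. It writes out the bits cfmakeraw() clears using only POSIX names, and puts the port back the way it found it on close:

```c
#include <fcntl.h>
#include <termios.h>
#include <unistd.h>

/* Hypothetical helper: turn `t` into a raw, blocking, 8N1 configuration at `baud`.
 * These are the same bits cfmakeraw() clears, written out with POSIX names so the
 * program no longer depends on whatever screen or minicom left in the driver. */
int serial_raw_config(struct termios *t, speed_t baud)
{
    t->c_iflag &= ~(IGNBRK | BRKINT | PARMRK | ISTRIP | INLCR | IGNCR | ICRNL | IXON);
    t->c_oflag &= ~OPOST;                                    /* no output translation  */
    t->c_lflag &= ~(ECHO | ECHONL | ICANON | ISIG | IEXTEN); /* non-canonical, no echo */
    t->c_cflag &= ~(CSIZE | PARENB | CSTOPB);                /* clear size/parity/2stop */
    t->c_cflag |= CS8 | CREAD | CLOCAL;                      /* 8 bits, rx on, no DCD  */
    t->c_cc[VMIN]  = 1;                                      /* block until >= 1 byte  */
    t->c_cc[VTIME] = 0;                                      /* ...with no timer       */
    if (cfsetispeed(t, baud) < 0 || cfsetospeed(t, baud) < 0)
        return -1;
    return 0;
}

/* Open `path`, remember the original settings in `saved`, apply the raw config.
 * Returns the fd, or -1 on failure (the port is left untouched in that case). */
int open_serial(const char *path, speed_t baud, struct termios *saved)
{
    int fd = open(path, O_RDWR | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (tcgetattr(fd, saved) < 0) {
        close(fd);
        return -1;
    }
    struct termios t = *saved;   /* start from the current state, then override */
    if (serial_raw_config(&t, baud) < 0 || tcsetattr(fd, TCSANOW, &t) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Restore the settings captured by open_serial() and close the descriptor,
 * so the next program finds the port the way this one found it. */
int close_serial(int fd, const struct termios *saved)
{
    int rc = tcsetattr(fd, TCSANOW, saved);
    close(fd);
    return rc;
}
```

Typical use is `open_serial("/dev/ttyUSB0", B9600, &saved)`, then read()/write() on the returned fd, then `close_serial(fd, &saved)`.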

Distribute windows virtual machine images

We use some virtual machines at work for testing. For example, if someone reports some weird bug that only happens on a specific OS we can just fire up the machine and debug it. Problem is that we may be outsourcing part of our testing workflow and we were discussing if it is legal or not to have Windows VM images available for third party download.
I would think that if we just set them and then remove the Key it is fine, but I cannot find somewhere where this is written explicitly. Has anybody had any problem like this before?

For quick testing, portable Linux or portable programming language?

My current role requires me to set up an environment which mimics the customer's and perform various checks to replicate and then analyze the problem.
Chances are, I often find working with Windows environments such as XP, Server 2003, Server 2008 is a bit painful without having the handy linux-based shell and some command-line programming languages such as Perl.
Of course I can just install everything onto the new system and then start working, but it is a bit time-consuming and boring.
So I am wondering which is a better way of working around this?
I can for sure use Qemu to create a portable linux image which doesn't require any host system interference, even without the need of rebooting so to use it. The weakness of this is I have to figure out a way to transfer the files between hosting Windows and embedded Linux. The good part is that I can use all the weapons in Linux's arsenal.
Or I can start looking for a proper portable programming language such as Movable Python, some variant of Perl or even Lua as an embedded language. Pros: familiar with the language; Cons: have to use scripts to do everything.
My day-to-day activities involve but are not limited to:
Checking the text logs and/or xml.
Grepping important sections from logs for further analysis.
some automated processes like application server configuration etc...
automated functional testing - and result comparison
some system admin's job, networking diagnostics, checking process and services, etc...
Any good ideas? Thanks a lot in advance!
While I am a die-hard Linux fan I would recommend in your case to look at Cygwin, preferably on a USB drive or similar. It can live in a single directory, be started with a simple script and end up with (almost) all the Unix goodness, but still being able to access all of the host platform resources.
There are the usual warts related to / vs \ and even worse the case insensitive but case preserving filenames with lots of spaces in them, but that's equally obnoxious on any other command line.
There is also Mingw but its scope is more limited I found. It works exceedingly well in a couple of selected target areas, but less so for a GP wide unix-like environment.
I have had a cygwin folder on all my windows machines (and the ones I had to use/repair/maintain) for a very long time now.

Sharing Files between VM and Host using Virtual PC 2007

I know that I can share files using Shared Folders in Virtual PC, but this method seems to have pretty poor performance. Is there another method to share files that provides better performance? (Besides using something other than Virtual PC)
The best way to do it is probably to set up a proper bridged network connection between the host machine and the VM.
Using VirtualBox, I had problems setting up shared folders (I tried setting it up, and it wasn't working intuitively right away, so I got fed up with it). Thus, I just ftp'ed to the host OS (which I already had set up since I was on Linux), and transferred the file that way.
I would suggest timing transferring a reasonably sized file via shared folders, and then time it again using FTP... if it's faster, that's your solution :-)
Sorry I can't give actual performance metrics on that!