Virus Network and Computer Research design notes
NOTE: 5-4-2012: This is virus research, not "hacking"; you may need to refine your search to find outbound research sites. This is all about inbound, or as I call it "passive", research, where the research comes to you (or to me, in this case).
If you've been working in the IT industry for more than a few years, I can almost guarantee you've set up a test environment to measure, for your own knowledge, your internal network's security levels and software configurations.
If you haven't set up a test system, then my question is "Why not?"
I don't think I need to place a disclaimer spelling out that when I use the word research, I mean just that. You are researching an issue you might have seen, or you are like me and want to stay on top of a few of the things the friendly internet offers us all.
When researching, you need to plan out what you are going to research and put down some theories and hypotheses about what you might find.
Call it your science lab project with local LAN boundaries. You can use applications like Metasploit, Trackback and others to simulate the Internet side of things, but most of my labs are designed to simulate a normal computer user and their surfing habits.
If you're going to learn how to remove a virus manually, you need to know how the virus installs itself and what to look for. When you start finding patterns, you'll get better at resolving computer issues of the unknown category (unreported viruses).
This is only for your training labs; nothing here is about outbound research. You can find hundreds of other sites that offer outbound research. I like to focus on why a person who only surfs the net and checks their email can pick up so many viruses and configuration changes. Our research is at the level of a normal computer user (not some sci-fi movie).
I've often shared this information with other IT pros, and it doesn't hurt to watch out for each other when profits aren't the driving force. You'll never hear me asking you for a dime if I inform you of a possible network issue I might have noticed.
This is a team effort, and if you can set up to detect and monitor without launching a single data bit, then you're on the right track to being a full IT intercept-and-monitoring person. (Call it the safe way: they come to you and you log them.)
First up are viruses. Drive-by virus sites are easy to find, and you'll need to start working with a system restore disk often. I'll show you how I have my system set up for the classic drive-by infections.
Second, after you've perfected getting your nice clean computer infected with viruses, we'll work on some scripts that might be able to identify the most common issues we find on drive-by virus sites. Most of the programming will be in VBS, but as I get better with Visual Developer 2010 I'll start creating apps to do some local monitoring and recording for our tests.
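As an added example (mine, not the author's VBS, which is not on this page), here is a Python baseline-and-diff tool for a Windows lab box: snapshot the file tree and the Run/RunOnce autostart keys on the clean machine, snapshot again after the drive-by visit, and diff the two to see what the infection dropped or changed. The key paths, the `file:`/`reg:` prefixes and the helper names are my choices; nothing here comes from the original post.

```python
import hashlib
import os
import sys

# Autostart locations a drive-by payload commonly writes to (Windows only).
RUN_KEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
            r"Software\Microsoft\Windows\CurrentVersion\RunOnce")
def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot_tree(root):
    """Map every file under root (relative path) to its SHA-256; unreadable files are skipped."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                snap["file:" + os.path.relpath(full, root)] = sha256_of(full)
            except OSError:
                continue
    return snap

def snapshot_run_keys():
    """Record HKLM/HKCU Run and RunOnce values; returns {} on non-Windows hosts."""
    if sys.platform != "win32":
        return {}
    import winreg
    snap = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        for subkey in RUN_KEYS:
            try:
                key = winreg.OpenKey(hive, subkey)
            except OSError:
                continue  # key absent on this host
            with key:
                for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                    name, data, _kind = winreg.EnumValue(key, i)
                    snap[f"reg:{hive_name}\\{subkey}\\{name}"] = str(data)
    return snap

def diff_snapshots(before, after):
    """Return the keys that appeared, vanished or changed between two snapshots."""
    return {"added": sorted(k for k in after if k not in before),
            "removed": sorted(k for k in before if k not in after),
            "changed": sorted(k for k in before if k in after and before[k] != after[k])}
```

Merge `snapshot_tree(r"C:\")` and `snapshot_run_keys()` into one dict on the clean box and save it, then take a second merged snapshot after the visit and pass both to `diff_snapshots`; the `added` and `changed` entries are the starting points for the patterns the post talks about.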
Now, before you begin anything, you'll need to select an antivirus application. I typically use AVG and Defender, but you can use anything you like. You'll also need a firewall based on the Tiny Firewall design. The old one doesn't run on Core systems or dual Xeon systems, so if you have an old P4 D or Celeron, that would be your best lab environment system, for a couple of reasons that I'll get into later.
I look forward to your findings, and as always, when you find a drive-by site, report it to your antivirus vendor, such as AVG, so they can add the site to their control list.
TECH NOTE: Research networks are also called non-production networks. This is the network you should be using when updating and patching software. Always keep in mind the NT 4 days of "Patch, Reboot and Test". You'll save yourself time if you follow that rule.
Your research network can be a virtual network, but not on any production machine. I'll post some simple screenshots, but you can connect the dots. You need a separate network so as not to corrupt your current production network. It's a Yin/Yang, so keep things in balance.