Building your Drive By Virus Research Desktop
Now the fun begins. Expect to spend time surfing where you might not normally surf.
First up you'll need to set up your research computer to be the victim of a drive-by advertisement or malware website. Plan on formatting this system once you have collected all the data you can from it.
I need to point out two types of system that you can use:
- OS with no AV software
- OS with AV software
Option 1: I run Windows 2000 Pro and Win7 32-bit on a P4 D platform with Tiny Software Personal Firewall (Pf2.exe), which is hard to find today, but it allows me to monitor outbound and inbound connections better than most other software firewalls on the market. Now, if you have a really good logging firewall / router you can use that as well. The key is to identify every connection inbound and outbound on your system. This is how I track malware servers and corrupted advertisement servers.
Option 2: When running AV with Tiny firewall I can only go to Windows XP before I start seeing the OS causing issues with my setup. I'm sure there are newer applications that will do the same, but in my test environment I need to have a firewall log that's detailed and an AV that will detect but not stop the virus. I use AVG running as an alert-only application and disable the virus protection.
It's best to set up your system as a forward-facing system. This means your computer connects directly to the internet, not from behind a firewall or router. You'll get faster results this way. Which reminds me of when we tested Windows Server 2000 online facing out of the box. It was timed at 35 seconds before the first exploit hit. Unpatched OS testing always requires forward-facing configurations and a good stopwatch.
So how does all this come into play when you're searching the web for a malware site? You can use AVG's safe search and set it to allow unsafe sites in your search results. Just follow the links that warn you it's a bad site.
In this test we are looking for a drive-by virus infection, not a user-downloaded virus, so you might spend a few hours if not days on and off looking for an unknown (or known) virus.
You'll figure out the sites that offer the best in drive-by infections soon enough.
Your first warning will always be your firewall when it comes to connections. You'll need to use www.network-tools.com or some other IP lookup site to map each IP to its domain. The focus is on every IP that is not related to the domain you actually visited.
Say you're at www.mysite.com and it uses IP 192.168.5.11: set your firewall to temporarily allow that connection during your session. Don't add it as trusted just yet.
As you surf, advertisement servers will usually show up in your firewall as IP addresses different from the site's. As they appear, stop and look them up. Identify each network as you go.
Like I said, it's not as easy as you think and it can take time.
One of my tracking efforts started with a flight schedule website where they showed US flights. The advertisement server that the website used was from Brazil, and it was corrupted and planted a virus on my computer. (Luckily it was my test system.) I then set up to track that specific type of drive-by infection and over a 2-month research project found it move from a single server in Brazil to a server in France. Not a big deal until the advertisements it compromised were from one of the largest social sites in the UK. Then it was noticed. I'll link to that article later.
Now keep surfing and keep taking notes. You'll look for your AV warning to hit just after you allow a connection. When that happens you're infected. But because we are also looking for unknown viruses, you'll need to keep refreshing your temporary internet file folders and monitor for registry changes. Your AV should take care of that for you.
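As an added example (not part of the original post), here is a small Python triage script for the firewall-log and AV-alert steps above: it parses constructed sample log lines, lists every remote IP that does not belong to the site you set out to visit, and picks out the third-party connections you allowed in the seconds just before the AV alert fired. The log line format, the IPs, the timestamps and the alert time are all assumptions made up for this example, not Tiny Personal Firewall's or AVG's real output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log; the "date time DIR ACTION ip:port" format is an assumption,
# not Tiny Personal Firewall's real output.
FIREWALL_LOG = """\
2009-03-01 14:02:10 OUT ALLOW 192.168.5.11:80
2009-03-01 14:02:11 OUT ALLOW 192.168.5.11:80
2009-03-01 14:02:14 OUT ALLOW 203.0.113.40:80
2009-03-01 14:02:15 IN BLOCK 198.51.100.7:135
2009-03-01 14:02:19 OUT ALLOW 203.0.113.41:8080
2009-03-01 14:02:20 OUT ALLOW 192.168.5.11:80
"""
SITE_IPS = {"192.168.5.11"}            # IP(s) of the site you set out to visit (constructed)
AV_ALERT_TIME = "2009-03-01 14:02:21"  # when the AV alert fired, from its log (constructed)
LINE_RE = re.compile(r"^(\S+ \S+) (IN|OUT) (ALLOW|BLOCK) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def parse_log(text):
    """Turn raw log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, direction, action, ip, port = m.groups()
            events.append({"time": datetime.strptime(ts, TS_FMT), "dir": direction,
                           "action": action, "ip": ip, "port": int(port)})
    return events

def third_party_ips(events, site_ips):
    """Every remote IP not belonging to the visited site, with when it first appeared."""
    first_seen = {}
    for e in events:
        if e["ip"] not in site_ips and e["ip"] not in first_seen:
            first_seen[e["ip"]] = e["time"]
    return first_seen

def suspects_before_alert(events, site_ips, alert_time, window_seconds=30):
    """Third-party IPs allowed outbound in the window just before the AV alert,
    most recent first: these are the connections to look up and document."""
    alert = datetime.strptime(alert_time, TS_FMT)
    earliest = alert - timedelta(seconds=window_seconds)
    hits = [e for e in events if e["dir"] == "OUT" and e["action"] == "ALLOW"
            and earliest <= e["time"] <= alert and e["ip"] not in site_ips]
    ordered = []
    for e in sorted(hits, key=lambda e: e["time"], reverse=True):
        if e["ip"] not in ordered:
            ordered.append(e["ip"])
    return ordered
```

Feed `parse_log` your own exported firewall log and the IPs you confirmed belong to the site, then run `suspects_before_alert` with the alert time from your AV log; the IPs it returns are the ones to look up and write into your notes.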
I'll follow up with some old research project notes to show you how detailed you need to be. It's very important to document everything, because when you find that infected advertisement server you'll need all the data you can think of to make them act on it. I'll show you just what they need to see and show you how fast they will take a site down if the liability is on them.
Have fun and be safe with your infections!