Vaughn Of The Dead Pt II: Meet Vaughn

November 5, 2007

There’s something uncomfortable about setting up a machine to be as insecure as possible, but that’s what I’ve been doing today. Not being the sort to have sacrificial computers lying around, I settled for a virtual machine. So after a quick and easy installation of the VMware Workstation trial, I got straight to setting up Vaughn, my computer-within-a-computer.

The oldest non-biblical version of Windows I have is XP Pro SP1. While it isn’t that old, it’s still vulnerable to the RPC exploit responsible for the 2003 Blaster worm epidemic, which is still one of the most popular avenues for the black-hat hacker. So after installing the OS, automatic updates were turned off and the bridged network connection was added to my router’s demilitarised zone, to make sure that Vaughn was fully exposed to the internet. XP SP1 didn’t distribute with a firewall, so that’s not a problem. Some essential pieces of software were installed, including my full RCE toolkit and the excellent Wireshark packet analyser. Even though no outbound connections are made on the VM’s part, simply being on an active LAN is enough to invite some network traffic, so I had to set up a filter to remove the unrelated packets picked up by Wireshark. So as to prevent Vaughn participating in anything he shouldn’t, I installed an upstream-bandwidth throttler and configured the connection to filter any known DoS traffic.
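The filtering described above, as an added example rather than code from the original post: it drops the LAN chatter the VM attracts just by being on the network and keeps only fresh connection attempts from outside aimed at the honeypot. The honeypot address, LAN range and packet records are constructed stand-ins for Wireshark’s summary columns, and the RPC port is the one Blaster targeted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed records standing in for Wireshark's summary columns; not a real capture.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "TCP", "UDP", "ARP", ...
    dport: int
    flags: str      # TCP flag letters, e.g. "S" (SYN), "SA" (SYN/ACK), "A"

HONEYPOT_IP = "192.168.1.50"                    # assumed address of the exposed VM
LAN = ipaddress.ip_network("192.168.1.0/24")    # assumed home LAN behind the router
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE = [  # constructed sample traffic
    Packet("192.168.1.1", "192.168.1.255", "UDP", 137, ""),   # NetBIOS broadcast chatter
    Packet("192.168.1.20", "192.168.1.50", "ARP", 0, ""),     # ARP from another LAN host
    Packet("203.0.113.7", "192.168.1.50", "TCP", 135, "S"),   # inbound SYN to the RPC endpoint mapper
    Packet("192.168.1.50", "203.0.113.7", "TCP", 135, "SA"),  # Vaughn's reply, not a new intrusion
    Packet("198.51.100.9", "192.168.1.50", "TCP", 445, "S"),  # inbound SYN to SMB
    Packet("192.168.1.20", "192.168.1.50", "TCP", 3389, "S"), # LAN-originated, filtered out
]

def is_lan_noise(p: Packet) -> bool:
    """Traffic that exists only because the VM shares a LAN: ARP, plus anything the LAN itself sends."""
    if p.proto == "ARP":
        return True
    return ipaddress.ip_address(p.src) in LAN

def unsolicited_inbound(packets):
    """Return (source, port) for bare TCP SYNs from outside the private ranges aimed at the honeypot.
    These are the 'instant red flag' entries; replies and LAN chatter never make the list."""
    hits = []
    for p in packets:
        if is_lan_noise(p) or p.dst != HONEYPOT_IP or p.proto != "TCP":
            continue
        src = ipaddress.ip_address(p.src)
        if any(src in net for net in RFC1918):
            continue
        if "S" in p.flags and "A" not in p.flags:
            hits.append((p.src, p.dport))
    return hits

if __name__ == "__main__":
    for src, port in unsolicited_inbound(SAMPLE):
        print(f"inbound probe from {src} to tcp/{port}")
```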

So now we wait, for as long as it takes. Maybe forever. Or at least until my VMware trial expires.

5 Responses to “Vaughn Of The Dead Pt II: Meet Vaughn”

  1. Can’t you go visit some dodgy sites with Vaughn to speed up the process? It seems like an ideal computer to infect for any virus, but does waiting really work?

    Sounds like fun anyway… I can’t wait (though I may have to) for the results!

  2. If things remain as quiet as they have been for the past two days then this may become necessary, but I’d rather not resort to that as I’m trying to keep things as unbiased as possible. Also, Vaughn has no means of detecting infection via a browser exploit whereas any unsolicited intrusions from cyberspace would be an instant red flag on Wireshark’s traffic log. Let’s not mention the fact that leaving Vaughn unattended means absolutely no work on my part ;)

  3. Can you get one of these going?

    Also, any luck yet?

  4. Other than a few unsuccessful attacks on protocols I haven’t bothered to look up, activity has been near zero. This is a very low-priority project, but I’ll probably sign Vaughn up for some spam sooner or later, unless a new epidemic emerges.

  5. Hi Greg, I check your feed as often as I check my email.

    “Storm versions also differ in their implementations of checks to detect debuggers, virtual environments such as VMware and Virtual PC, that lead the code into an infinite loop whenever such environments are detected.”

    http://www.cyber-ta.org/pubs/StormWorm/SRITechnical-Report-10-01-Storm-Analysis.pdf

    Don’t read too much!
