The SysAdmin Network

No more hiding in the server room

This will be added to as my project progresses, but here's the plan.

 

I have a PC I just mess around with here at work.

I have an old 40gb laptop drive that I don't need and an IDE adapter.

I have a pre-SP1 copy of XP.

I have an evil plan.

 

I am going to install pre-SP1 Windows XP onto this drive, no patches, no updates, nada.

I am going to install Microsoft Security Essentials (if it'll let me; not sure as of this writing).

I am going to install Wireshark.

Then I'm going to assign it a static Public IP that we're not currently using, fire up Wireshark, and plug the sucker straight into our DMZ, no router, 'nothing but Net', and let it run for an entire weekend.

 

Let's just see how long this poor thing holds out. We'll see just how much cojones MSE really has.

 

Any bets on if it survives till Monday?


Replies to This Discussion

OK, first issue doesn't surprise me at all. Microsoft Security Essentials will indeed NOT install on a non-patched, pre-SP1 XP system.
I want some sort of AV to see just how badass it thinks it is so I am going to see if another freeware AV will install.

AVG also wouldn't install but Avast did.

So as of 10:30am PST, this little slaughter is a go. Now we'll see how long Avast holds out against the hordes.

Interesting...
I shall be watching this with interest, it's something I've always wanted to try.

I was able to get Avast to install on plain, non-patched XP Pro, so on Friday at 10:30am PST I started my little experiment.

 

With IE6 and Wireshark both just sitting open: Wireshark doing an activity scan on the network card and IE simply sitting on the MSN home page.

2 hours into this, I got a 'blank' advertising pop-up on my desktop.

By 3pm, IE was frozen maximized (I hadn't maximized it, it just was that way when I checked it again) & would not minimize.

Task Manager wouldn't open. Right-clicking My Computer to go to System settings froze up. Wireshark was locked up. Local Users and Groups was 'Locked Out' with a red X on it.

At 3:20pm I did an Avast Quick Scan with nothing found. I then restarted the PC, and everything went back to normal with all of the above issues suddenly gone.

I then re-opened IE & Wireshark and let it run all weekend.

Today, I checked on the PC at 8:30am and it appeared to be running normally.

I performed another Avast Quick Scan and it came back clean. I then rebooted into a Kaspersky Rescue CD to scan with it. The definition files could not be updated, returning a Bad Gateway error, even though the internet was working fine. I did a Kaspersky scan with the outdated definitions and it came back clean.

I checked the Hosts file, MSCONFIG, Regedit HKLM Run keys; all appear to be clean.

I then went to Trend Micro Housecall's website and downloaded their installer. It, however, refused to install.

I checked modified dates on files, starting Friday. Many .ini files, temp files, and various htm and photo files show modified dates over the weekend.

The system is essentially behaving normally, and even though I am unable to find any blatant signs of infection, something just isn't 'sitting right' with it.

I still have the Wireshark scan that I exported into a csv to review, but it is undoubtedly a huge file since it ran for the entire weekend.

In true Mythbusters style I decided to 'go for broke' on it, so I have uninstalled Avast and started this experiment over. Tomorrow let's see what it looks like again.

Reviewing the Wireshark extract shows a whole lot of ARP packets and also a bunch of RTMP Unknown multimedia packets to a suspicious IP registered to a domain called akamaitechnologies.com.

 

There's definitely something malicious wandering around inside this PC but it's well hidden, whatever it is.
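One way to triage a weekend-long Wireshark CSV export like the one described above, as an added Python example that is not from the original thread. The column layout (Wireshark's File > Export Packet Dissections > As CSV) and the local subnets are assumptions, and the packet rows are constructed; the script tallies protocols and lists external peers reached over protocols an idle desktop has no business speaking.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample rows in the column layout Wireshark's CSV export uses
# (assumed here; older builds omit the Length column, which we never read).
SAMPLE_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.1.50","Broadcast","ARP","42","Who has 192.168.1.1? Tell 192.168.1.50"
"2","0.000512","192.168.1.1","192.168.1.50","ARP","60","192.168.1.1 is at 00:11:22:33:44:55"
"3","1.204000","192.168.1.50","203.0.113.9","RTMP","1514","Unknown (0x14)"
"4","1.210000","203.0.113.9","192.168.1.50","RTMP","1514","Unknown (0x14)"
"5","2.000000","192.168.1.50","192.168.1.1","DNS","73","Standard query A www.msn.com"
"6","3.000000","192.168.1.50","198.51.100.7","HTTP","512","GET / HTTP/1.1"
"7","3.100000","198.51.100.7","192.168.1.50","HTTP","1200","HTTP/1.1 200 OK"
"""

# Assumed: the analyst's own address space; anything else that parses as an IP is "external".
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(addr: str) -> bool:
    """True for a unicast IP outside LOCAL_NETS; False for local, multicast, or non-IP strings."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # "Broadcast", MAC addresses, empty cells
    if ip.is_multicast:
        return False
    return not any(ip in net for net in LOCAL_NETS)

def summarize(capture_csv: str):
    """Return (packets per protocol, packets per external peer, external peers per protocol)."""
    protocols, ext_peers, peers_by_proto = Counter(), Counter(), {}
    for row in csv.DictReader(io.StringIO(capture_csv)):
        proto = row["Protocol"]
        protocols[proto] += 1
        for endpoint in (row["Source"], row["Destination"]):
            if is_external(endpoint):
                ext_peers[endpoint] += 1
                peers_by_proto.setdefault(proto, set()).add(endpoint)
    return protocols, ext_peers, peers_by_proto

def unexpected_peers(peers_by_proto, expected=frozenset({"ARP", "DNS", "HTTP"})):
    """External peers contacted over protocols not on the expected list (the RTMP case here)."""
    return {p: sorted(v) for p, v in peers_by_proto.items() if p not in expected}

if __name__ == "__main__":
    protos, peers, by_proto = summarize(SAMPLE_CSV)
    print("protocols:", dict(protos))
    print("top external peers:", peers.most_common(5))
    print("unexpected:", unexpected_peers(by_proto))
```

On the real export, replace SAMPLE_CSV with the file contents and put the DMZ's actual subnets in LOCAL_NETS; peers that appear only under protocols outside the expected set are the ones to check against the captured Info column.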

What processes does taskman show running?

Also try rkill - http://www.bleepingcomputer.com/download/anti-virus/rkill
and Malwarebytes.
There weren't any odd services running, but I had to cut my virus experiment short to fight a real one.
A user clicked on the "Your PC is infected. Click here to scan." pop-ups and got a gnarly infection of the newest model of AntiVirus 2010.
Unfortunately no AV protects against Stupid.

I'll plug my experiment hard drive back in and check on it later.
Yeah, I've had a few of those. bleepingcomputer.com is a good resource for them.
Had one today actually, but they're learning... sort of. Now they call me instantly if anything looks suspicious, so the last few times we've been lucky and they've not clicked the "ok run this file".
Should move them off IE and onto Firefox though. The last couple I found were a link in an email that got through the spam filters; clicking it in FF just went to an online drug pharmacy thing, IE however gets a page that looks a lot like My Computer, complete with drives and devices, looks quite realistic. Trying to close the page gives a bunch of warnings and tries to get you to download and run the trojan.
Fun stuff.

Oh, I found this the other day:
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
Cool but simple way of seeing if there's something blocking AV sites.
It would be interesting to do the same experiment with a Linux box and compare the results in some sort of graphic, although you would need to decide whether to use known vectors such as password-protected SSH and VNC (of pretty much any flavour in default config).
Any updates on this experiment? or did it get thrown on the back burner in favour of so called "real work" :p
I'm still planning on at least plugging it back into the DMZ without any AV for longer to see how well it does. Currently it's been derailed by "real work" alas. Work always gets in the way of fun.

I did a similar project a year or so ago, when we had a different ISP, with a non-patched XP box. It lasted about 15 minutes before it showed obvious signs of virus infestation. This time, running just Avast, it actually seems to have done pretty well. So either Avast is effective, or our ISP now has decent protection at their level.
