Today I was hit with a very clever phishing attack.
Details can be found here. In short, a customized email was sent to a large number of employees, specifically addressed and personalized. The link led to a site that looked like an Outlook Web Access page, with a message from "IT support" telling you to click on the file to update your settings. Of course the file is a Trojan which does all kinds of nasty things, as you can see on this report.
Now how is this connected to VMware? Well, I knew this was a virus. But we needed to assess what it was doing, and the only way to do that is to run the file. But knowingly infecting your computer with something like this is not the brightest idea, to put it mildly, and who can predict what it will do?
But what if you had a machine that you could run the virus on, disconnected from the network, record its actions, export the log files, etc., and then return it to its original state?
Do I hear anyone say a VM? Anyone?????
So this is how it went:
- Workstation VM.
- Host-Only Network
- Snapshot VM
- Disconnect VM network card
- Import exe file (virus) with USB key
- Start up Wireshark
- Start up Procmon
- Run exe file
- Record all actions
- Stop Procmon and Wireshark capture
- Save captures for further analysis
- Export all to USB key.
- Revert VM snapshot to previous state.
- Repeat process twice more
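As an added example (not code from the original post), the checklist above can be scripted with VMware's vmrun command-line tool plus the command-line front ends of the two recorders the post uses: Procmon's own switches and tshark, Wireshark's terminal capture tool. Everything path-like in it is an assumption: the VM's .vmx path, the snapshot name, the guest account, where Procmon and tshark live in the guest, and the guest capture interface index. The pre-flight check is the part worth keeping even if you run the rest by hand: it refuses to detonate unless the .vmx file actually says the NIC is host-only and starts disconnected, and that shared folders are off.

```shell
#!/bin/sh
# Added example (not from the original post): scripting the post's
# snapshot -> detonate -> capture -> revert loop with VMware's vmrun CLI.
# Paths, snapshot name, guest credentials and the guest capture interface
# index below are assumptions; set them for your own analysis VM.
set -eu

VMX="${VMX:-/vms/analysis/analysis.vmx}"     # assumed path to the analysis VM
CLEAN_SNAP="${CLEAN_SNAP:-clean}"            # snapshot taken before any sample ran
GUEST_USER="${GUEST_USER:-analyst}"          # guest account used by vmrun -gu/-gp (assumed)
GUEST_PASS="${GUEST_PASS:-changeme}"
PROCMON='C:\Tools\Procmon.exe'               # Sysinternals Procmon inside the guest (assumed path)
TSHARK='C:\Program Files\Wireshark\tshark.exe'
GUEST_IF=1                                   # tshark interface index in the guest (assumed)
RUNPML='C:\capture\run.pml'
RUNPCAP='C:\capture\run.pcap'
VMRUN="vmrun -T ws -gu $GUEST_USER -gp $GUEST_PASS"

# True when the .vmx holds   key = "value"   (exact, case-insensitive match).
has_setting() {
    awk -F'=' -v k="$2" -v v="$3" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/[ \t"]/, "", $2) }
        tolower($1) == tolower(k) && tolower($2) == tolower(v) { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Pre-flight isolation check on the VM config: the NIC must be on the
# host-only segment and start disconnected, and shared folders must be off
# (the post moves files by USB key, not through a shared folder).
# Returns 0 when every setting is present, 1 otherwise, naming what is missing.
check_vmx_isolated() {
    vmx="$1"; ok=0
    has_setting "$vmx" ethernet0.connectionType hostonly || { echo "NIC is not host-only"; ok=1; }
    has_setting "$vmx" ethernet0.startConnected FALSE    || { echo "NIC starts connected"; ok=1; }
    has_setting "$vmx" isolation.tools.hgfs.disable TRUE || { echo "shared folders are enabled"; ok=1; }
    return $ok
}

# One round of the post's procedure. $1 = sample on the host, $2 = host
# directory for this round's captures, $3 = seconds to let the sample run.
run_sample() {
    sample="$1"; outdir="$2"; secs="${3:-120}"
    check_vmx_isolated "$VMX" || { echo "refusing to detonate: VM is not isolated" >&2; return 1; }
    mkdir -p "$outdir"
    vmrun -T ws revertToSnapshot "$VMX" "$CLEAN_SNAP"      # start from the known-clean state
    vmrun -T ws start "$VMX" nogui
    $VMRUN copyFileFromHostToGuest "$VMX" "$sample" 'C:\sample\sample.exe'
    # Start both recorders before the sample so its first actions are captured.
    $VMRUN runProgramInGuest "$VMX" -noWait "$PROCMON" /AcceptEula /Quiet /Minimized /BackingFile "$RUNPML"
    $VMRUN runProgramInGuest "$VMX" -noWait "$TSHARK" -i "$GUEST_IF" -a "duration:$secs" -w "$RUNPCAP"
    $VMRUN runProgramInGuest "$VMX" -noWait 'C:\sample\sample.exe'
    sleep "$secs"
    $VMRUN runProgramInGuest "$VMX" "$PROCMON" /Terminate   # flushes and closes the .pml
    $VMRUN copyFileFromGuestToHost "$VMX" "$RUNPML"  "$outdir/run.pml"
    $VMRUN copyFileFromGuestToHost "$VMX" "$RUNPCAP" "$outdir/run.pcap"
    vmrun -T ws revertToSnapshot "$VMX" "$CLEAN_SNAP"      # discard everything the sample did
}

# Usage: ./sandbox.sh run /path/to/sample.exe /tmp/analysis
# Runs the sample three times, as the post does, keeping each round's captures apart.
if [ "${1:-}" = "run" ]; then
    for round in 1 2 3; do
        run_sample "$2" "$3/round$round"
    done
fi
```

The post moves the sample and the captures by USB key; this script uses vmrun's copyFileFromHostToGuest and copyFileFromGuestToHost instead, which need VMware Tools running in the guest and are themselves a host-guest channel, so the USB route is the more conservative choice if you do not trust the sample to leave Tools alone. The isolation check deliberately reads the config file rather than querying the running VM, so it can be run (and tested) with no VM present, but the .vmx it reads must be the one the VM was last started from.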
Now if I wanted to, I could have reverted the snapshot back to the previous state before the virus had touched it and continued to use it. But since this is a test VM that I use for these kinds of incidents, I trashed it. Better safe than sorry.
Logs were analyzed, virus activity was identified and measures were taken to protect the network. Report sent to AV Software provider to provide updated signature files that will identify and remove the virus.
You just gotta love the wonders of Virtualization, don’t ya?
Hope you enjoyed the ride!