2013-11-13

Co.Labs

How To Kill A Computer Virus Yourself

A programmer solves the age-old question: How do I analyze a computer virus without it infecting my local network?



When viruses infect personal computers, most folks will shell out $100 to McAfee to just make it go away. But why let a bloated antivirus app have all the fun, and all your money? For the adventurous DIY virus exterminator comes a mini-firewall to keep your computer connected to the Internet--but safely isolated from your local network--so you can freely study dangerous infections on your machine.

The mini-firewall, named Isowall, is essentially a diagnostic tool for analyzing how your computer is erroneously trying to poke at your local network. As creator Robert Graham explains in his blog post, it is pretty much a tool “for the paranoid,” but it’s better to be sure than to inadvertently infect your network.

Graham's Isowall setup from his blog post: "As you can see, the laptop has a direct Ethernet link to the Raspberry Pi running isowall (short purple cable to white USB Ethernet), which then links to the rest of my home network (grey cable)." Photo by Robert Graham

Isowall uses an external processor to run interference between the (possibly infected) computer and your home network--Graham used a Linux-equipped Raspberry Pi, but anything with an OS that supports the libpcap C/C++ library for network traffic capture should work. The machine should be set up with three network interfaces--the first as normal, with a TCP/IP stack so you can SSH to it, and the other two completely blank (no TCP/IP stacks, no IP addresses--nothing). Restrict the process to IPv4 and ARP packets, set the allowed conditions for inbound and outbound packets (found on Isowall’s GitHub page), and run it. As Graham explains on the GitHub page:

“The security rests on the fact that there is no IP stack bound to adapters. What that means is that the infected targeted cannot touch the firewall machine in any way, except as allowed within the is_allowed() function. That function represents the majority of the attack surface for the firewall machine. And, as you can tell from reading the function, it contains almost no functionality, meaning that the attack surface is very small indeed.”
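To make the small-attack-surface idea concrete, here is a filter in the spirit of the is_allowed() function Graham describes, written as an added example for this article rather than Isowall's own code. It assumes a constructed policy (a 192.168.1.0/24 home LAN with the gateway at .1, chosen here for illustration): the isolated machine may ARP only for the gateway and exchange IPv4 only with addresses outside the LAN, and every other raw frame, including anything that is not IPv4 or ARP, is dropped.

```c
#include <stdint.h>
#include <stddef.h>

#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_ARP  0x0806
/* Constructed policy (not Isowall's own): the isolated machine may ARP for the
 * gateway and exchange IPv4 with addresses outside the home LAN, nothing more. */
typedef struct {
    uint32_t lan_net, lan_mask, gateway;   /* host byte order */
} policy_t;

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void wr32(uint8_t *p, uint32_t v)   /* used to build sample frames */
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

static int in_lan(const policy_t *pol, uint32_t ip)
{
    return (ip & pol->lan_mask) == (pol->lan_net & pol->lan_mask);
}

/* outbound=1: raw frame read from the target-facing adapter, headed to the LAN.
 * outbound=0: raw frame read from the LAN-facing adapter, headed to the target.
 * Returns 1 to copy the frame to the other adapter, 0 to drop it. */
int is_allowed(const policy_t *pol, int outbound, const uint8_t *frame, size_t len)
{
    if (len < 14) return 0;                          /* runt: no Ethernet header */
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    const uint8_t *pl = frame + 14;
    size_t plen = len - 14;
    if (ethertype == ETHERTYPE_ARP) {
        if (plen < 28) return 0;                     /* truncated ARP */
        uint32_t spa = rd32(pl + 14), tpa = rd32(pl + 24);
        /* target may only ask for the gateway; only the gateway may answer */
        return outbound ? tpa == pol->gateway : spa == pol->gateway;
    }
    if (ethertype == ETHERTYPE_IPV4) {
        if (plen < 20 || (pl[0] >> 4) != 4) return 0; /* truncated or not v4 */
        uint32_t src = rd32(pl + 12), dst = rd32(pl + 16);
        /* the far end must be off-LAN; LAN hosts, gateway included, are unreachable */
        return outbound ? !in_lan(pol, dst) : !in_lan(pol, src);
    }
    return 0;                                         /* IPv6, LLDP, anything else */
}
```

Everything the infected machine can send at the firewall host is funnelled through this one function, which is why keeping it to a few byte comparisons matters.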

While Graham admits that his solution won’t offer 100% security, it’s refreshing to see a programmer give us a relatively simple way to play doctor on infected machines.

[Image: Flickr user JD Hancock]