Didier Stevens

Thursday 4 September 2008

Pocket Virus Lab

Filed under: Hardware,Malware,nslu2 — Didier Stevens @ 18:57

Slugs are versatile little machines. I installed Slugos on my NSLU2, followed by the tools I used in my sampling video.

Unfortunately, it’s too small for my sticker 😉

When I access it with SSH, I see no difference with a shell account on a regular machine.

My Python programs work unmodified, and I can compile my C programs like SpiderMonkey.

As a virus lab, it has a couple of advantages:

  • no malware is targeting this platform (yet), so you can use it to sample and analyze malware without risking infecting the lab
  • the OS is stored on a USB storage device, providing easy swap and imaging (e.g. rollback) capabilities
  • you can connect infected harddisks to it (via a USB adapter) and inspect them without risk
  • it’s a full Linux distro (no GUI, of course): you can find many pre-build (security) tools or compile your own

For an Howto:

Installing Slugos as per these instructions.

Installing a C compiler (not essential for a virus lab):

Installing the Optware feed as per these instructions.

Installing the Optware toolchain:

  • /opt/bin/ipkg-opt install optware-devel

Linking /usr/bin/python to the python2.5 executable

Now if I could just get my hands on a small biohazard sticker…


  1. Welcome to the NSLU2-Linux community.

    — Rod Whitby
    — NSLU2-Linux Project Lead

    Comment by Rod Whitby — Friday 5 September 2008 @ 10:18

  2. Thanks for the warm welcome Rod!

    Comment by Didier Stevens — Friday 5 September 2008 @ 12:44

  3. Small biohazard stickers:

    http://www.stickergiant.com/BIOHAZARD_rps8531c.html (3″ x 3″)

    http://www.hlthedu.com/shop_smbio2.htm (2″ x 2″)

    Comment by Dave — Friday 5 September 2008 @ 17:36

  4. Thanks Dave.

    Comment by Didier Stevens — Friday 5 September 2008 @ 17:47

  5. I have one of these devices installed with Unslung, debian derived distro. I also use a Soekris net4801, installed with Gentoo. The potential for these devices is huge 🙂 You’ve just reminded me that I could probably do more with the Slug. I’ve never actually tried the nslu2 with usb wifi, but on the Soekris it is configured with Snort, Kismet, aircrack-ng, Apache, nmap, nessus and mysql. Suitably setup to run ACID. It also works with wifi and GPS 😉 Ideal for performing network analysis, security assessments. When I get a chance I’ll probably replace the net4801 with a more up to date model.

    Comment by echo6 — Saturday 27 September 2008 @ 14:04

  6. I’ve been told about the Soekris devices before, but have not yet had the opportunity to play with one.

    For my personal use, the nslu2 has more potential than the wrt5gl, just because of the USB port. I want to experiment with hardware sensors and actuators build by Phidgets. And I also have an Alpha networks USB WiFi adapter that I want to try on the nslu2.

    Comment by Didier Stevens — Sunday 28 September 2008 @ 9:21

  7. […] took a cue from Didier Stevens and bought an NSLU2. Didier’s recent blog post, Pocket Virus Lab, is a neat concept. I’ve been looking for a compact and versatile platform for […]

    Pingback by n0where.org » Blog Archive » Carrier Slug — Monday 12 January 2009 @ 14:07

  8. […] the Linux version is open-source (in a next post, I’ll show it running on my nslu2) […]

    Pingback by A Hardware Tip for Fuzzing Embedded Devices « Didier Stevens — Monday 12 January 2009 @ 21:23

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.