Q&A First Time Looking At Malware

kappo

New Member
Apr 2, 2021
4
Hello,

I have recently found myself becoming very interested in the *secret* world of malware. So I am new, with zero experience. I recently downloaded VMWare as I really want to get hands-on and start taking a look at malware. I initially wanted to look at Cryptolocker but couldn't find a sample, and then I stumbled across this forum and thought it would be a good idea to ask for suggestions for the first malware I look at. Maybe Cryptolocker isn't a good first sample? What do you guys suggest?

Thanks, Kappo
 

venustus

Level 58
Verified
Trusted
Content Creator
Dec 30, 2012
4,744
You could shoot @upnorth a PM and see what he can suggest.
If you have no experience in this area, you really need to be careful about malware analysis.
Cheers :)
 

kappo

New Member
Apr 2, 2021
4
Thanks for the reply, I will shoot him a PM now. :)

It appears as if I can't directly PM @upnorth so I will paste my message here:

Hello,

I was told to ask you about the best way to get into playing with malware. I am currently reading a book about reverse engineering malware and it suggests to download a VM and just start looking at it and trying to figure out what's happening. I have VMWare I am just looking for some malware to begin with. Any suggestions would be awesome.

Thanks, Kappo
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,360
Thanks mate, but I can try to suggest here in this thread some basic pointers one can or should start with. I do fully agree with the careful statement. (y) Samples we deal with, for example in the Hub here on MT, are for sure not for everyone.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,360
Great start, with a book!

I'm not 100% sure about your previous knowledge, but since it sounds like you have never dealt with malware samples before, finish reading the book, and I would also strongly suggest you simply keep learning the basics of that Virtual Machine (VM) and do some basic installs of ordinary software. VMWare is normally a very good tool, but as with most tools it helps to know them. Test also a service called AnyRun. This is for sure no "secret", but an online test environment platform.

AnyRun also has access to samples. My advice on that specific part is: run/test them there! It's great for learning the basics of how some samples work. If you download them, you automatically risk your own main/host system. There are of course disclaimers about this, but AnyRun itself is way safer and more secure than your own system.

Start learning how to use/interpret results on VirusTotal. That will help later on. Good luck! (y)
 

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
406
Hello kappo,

Cryptolocker has been dead for at least 5 years. I recommend that you look at something more recent.
Generally, for a beginner you might want to get samples that are:
  • well known and documented, so you can check if your analysis is correct
  • not packed, because unpacking can be a difficult challenge at the start
  • no viruses, no worms and no file-encrypting ransomware; reason: if you leave anything in your lab setup accessible or vulnerable, these will spread to other systems or encrypt files. E.g., a common mistake can be to leave an accessible drive attached, to use a writeable shared folder, or to get accessible network devices infected via a worm. So these malware types are not beginner-friendly.
Some books and labs provide safe samples for your first analysis. E.g., you can download the samples for the book Practical Malware Analysis by Honig and Sikorski (google for them).

I also recommend MalwareBazaar: MalwareBazaar | Browse malware samples
You can register there for free and search, e.g. for tag:unpacked to get some non-packed samples.

If you want ransomware, prefer screenlockers for your first try. They give you something to look at ;). After that, check out tag:HiddenTear samples. These encrypt files, but most HiddenTear samples have reversible encryption (just in case something goes wrong).

I also recommend trying to find analysis reports that provide malware hashes and going along with those reports while analysing the same sample. That way you will know if your analysis result is correct.
 
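One way to act on the last tip above (verify that the file in your VM is really the sample a public report describes before you start following the report). This is an added example, not code from the thread or from any of the sites mentioned; the report hashes and the sample bytes it uses are constructed, and the file it writes is harmless.

```python
import hashlib
import os
import tempfile

# Hex-digest length -> algorithm a report is quoting (MD5, SHA-1, SHA-256).
_DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_file(path, chunk_size=1 << 20):
    """Return {'md5', 'sha1', 'sha256'} hex digests of a file, read in chunks."""
    hashers = {name: hashlib.new(name) for name in _DIGEST_LEN.values()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def classify_hash(value):
    """Name the algorithm behind a report hash, or None if it is not a hex digest."""
    value = value.strip().lower()
    if len(value) in _DIGEST_LEN and all(c in "0123456789abcdef" for c in value):
        return _DIGEST_LEN[len(value)]
    return None


def verify_sample(path, report_hashes):
    """Map each recognised report hash to True (matches the file) or False; skip junk."""
    actual = hash_file(path)
    results = {}
    for value in report_hashes:
        algo = classify_hash(value)
        if algo is not None:
            results[algo] = actual[algo] == value.strip().lower()
    return results


def make_constructed_sample(data=b"constructed harmless test bytes\n"):
    """Write a harmless constructed file (not malware) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample = make_constructed_sample()
    # A hypothetical report listing the file's real SHA-256 plus a wrong (empty-file) MD5.
    print(verify_sample(sample, [hash_file(sample)["sha256"], "d41d8cd98f00b204e9800998ecf8427e"]))
```

If any recognised hash comes back False, stop: you are looking at a different build than the report, and its findings will not line up with yours.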

kappo

New Member
Apr 2, 2021
4
Practical Malware Analysis is the book that I am currently reading! Thank you all for the tips. I will certainly take on board everything that was said, and refer back to these comments to continue my studying. This is an awesome forum. :)
 

SecureKongo

Level 21
Verified
Malware Tester
Feb 25, 2017
1,051
Just know that a VM isn't the only thing that you need to isolate malware from the rest of your system/network. You should always have a VPN enabled on either your host or VM (Host recommended). As upnorth already shared above, AnyRun is a really nice service where you can run samples and see what it does to a test system.

Sites to get some samples:

1. VX Vault

2. MalwareBazaar | Browse malware samples

Just take care and don't run anything where you are not sure about what it could do to your system. Enjoy testing! ;)
 

kappo

New Member
Apr 2, 2021
4
Awesome, thank you.
 