How to perform dynamic malware testing [for Hub testers]


LabZero

Thread author
Hello.

As already mentioned, a malware scan alone does not represent the actual detection capability of an antivirus/antimalware.
To engage all of its security technologies, it is necessary to launch the malware.

Many things here are already known but it's always better to remember them.

Before we begin, we need to create a complete image of the system so we can recover the initial state quickly and smoothly if malware bypasses the virtual machine (extremely difficult, but prevention is better :D).

Some good backup/restore apps.

Aomei
Paragon B&R Free

I will not explain how to backup because it is not the reason for this thread.

To be able to test safely it is necessary to have a dedicated PC without data or personal information that might be shared by malware.
Alternatively it is necessary to use a virtual machine like VirtualBox or VMware.

Virtual Machine

A virtual machine is a PC emulated within a host operating system that can run another system.
Example: I can use Windows 10 as the native host system and start a virtual machine running Windows XP; XP is then the guest system. The advantage: you really see the effects of malware while remaining within the virtual operating system.

However the best results are obtained in the real/physical system.

My favorite is Virtualbox

Once the system, extensions and guest additions (drivers) are installed, be careful not to create links (network drives or otherwise) between the host system and the virtualized (guest) one.

To avoid having to clean up, or at least not risk leaving any traces of malware, you can create a snapshot of the virtual disk so you will be sure that the virtual system will always return to the initial state: How to Save Time by Using Snapshots in VirtualBox

Light virtualization

Shadow Defender creates a virtual copy of the system partition (light virtualization) where you can test malware and applications... on reboot it will be as if it never happened.

Warning: in lightweight virtualization, I highly recommend disconnecting the internet or hiding and encrypting your personal data (for example using Wise Hide Folder) during your malware test, in order to avoid loss of data that may be shared by the malware itself.

Testing

Many samples have a .bin extension (short for "binary") and the best antivirus should detect the malware with this extension, but it is better to rename the file with the correct extension: .exe, .doc, .vbs, .js, etc.
For example, on Malwr you can see the actual extension of the samples:


Other important information: the hash uniquely identifies a file, which is important to avoid duplicate samples in the Hub.
Much malware has "dropped files", so it is very important to start the malware: the primary file may not be recognized, but if the file appears to be designed to install (or 'drop') a second file, the dropped file could trigger a detection.


So, the next step is to launch the malware, triggering the dynamic detection of the antivirus.
If the antivirus does not detect any threat during the scan or when the malware starts, it is possible to run a scan of the infected system to determine whether security problems are found at this level.

So, good testing :)
 

SloppyMcFloppy

Sep 12, 2015
Also, I recommend you buy a separate router for testing malware as well, and DO NOT USE YOUR PRIMARY ISP ROUTER; USE THE 3RD PARTY ROUTER.
By the way, if any of you are going to do this, two things you will need: 1) a computer that will be used for MALWARE TESTING ONLY and 2) a separate router for TESTING MALWARE ONLY.
 

LabZero

Thread author
Also, I recommend you buy a separate router for testing malware as well, and DO NOT USE YOUR PRIMARY ISP ROUTER; USE THE 3RD PARTY ROUTER.
By the way, if any of you are going to do this, two things you will need: 1) a computer that will be used for MALWARE TESTING ONLY and 2) a separate router for TESTING MALWARE ONLY.
As I said, to be able to test safely it is necessary to have a dedicated PC (or VM, etc.) without data or personal information that might be shared by malware.
And I highly recommend disconnecting the internet during your dynamic malware test: if you don't run malware there is no danger.

Edit: disconnecting the internet is for light virtualization systems like Shadow Defender, because of data loss.
 

illumination

Very nice "How To"! If I may add an extra step I utilize, that is hardening the virtual machine from the host. By this I mean, one of the very few things you would have to worry about with malware escaping the VM would be either memory or the network. As the network was discussed somewhat above, but mentioned here again, a simple solution for memory would be adding either a paid-for product or a free one, "AppGuard or EMET", and placing your virtual machine in one or the other with memory protection enabled for the VM.

You can actually use both products together to protect the VM. Just make sure that if you have your VM guarded by AppGuard and you also place it in EMET, you disable EMET's memory protection so as not to overlap. I have run VMware this way with both hardening it, and it works quite well.

I would like to add also, if you try these two products to harden...
With AppGuard: once the VM is placed into Guarded Apps and the exclusion folders are set for the VM, you can then set AppGuard to Lockdown mode while testing.

With EMET, once your VM is set in EMET, change DEP from Application Opt-In to Always On while testing.

If running both, place EMET in the Power Apps section of AppGuard so you can then place AppGuard in Lockdown mode with EMET running DEP "Always On", and you are pretty much bulletproof from anything even thinking about escaping onto the host.
 

SloppyMcFloppy

Sep 12, 2015
@user102: Well, it may be acceptable in this case but not practical, because with proper configuration of the VM or other products there will not be any leaks, especially worms jumping out onto the network.

Well, better safe than sorry. I'd rather test on a separate machine and a separate router that I'm not going to use for anything other than testing malware. That way I don't have to worry about spreading from the machine or the router, because nothing is bulletproof.
 

Solarquest

Moderator
Jul 22, 2014
Well, better safe than sorry. I'd rather test on a separate machine and a separate router that I'm not going to use for anything other than testing malware. That way I don't have to worry about spreading from the machine or the router, because nothing is bulletproof.

I completely agree and do the same when running malware in my VM (unfortunately not all ISPs allow using another router, or they hide the possibility from the user).
SOHO routers are full of security holes, many not patched (I posted about this some months/1 year ago).
I also suggest disconnecting all other devices from the router (disable wifi on devices / unplug them from the router) ;) ...and to be really safe/paranoid, I also reset the router after running the samples and turned off the PC.


I also suggest running programs to monitor memory and system changes before and after running samples and, at the end, running 2nd-opinion scanner(s) after a dynamic test.

E.g., to check for changes:
How to detect system changes/ dropped files?

+Process Explorer, ExeWatch, Phrozen WinFile Monitor

Last, when making a backup, don't forget to save the MBR...
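The before/after comparison suggested above, and the per-file hash the first post uses to identify samples, can be scripted as well. The following is an added example written for this thread, not a tool from any poster; it hashes every file under a directory before and after a sample runs and reports dropped, modified and removed files. The `demo()` scenario (a sample that drops a second file and modifies itself) is constructed in a temporary directory so the script runs offline.

```python
# Added example (not from the thread): snapshot a directory tree before and
# after running a sample, then report dropped, modified and removed files.
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

def sha256_file(path: str) -> str:
    """SHA-256 of a file: the hash used to identify a sample uniquely."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (relative path, '/' separators) to its SHA-256."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                result[rel] = sha256_file(full)
            except OSError:
                continue  # file locked or removed while we were walking
    return result

def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (dropped, modified, removed) paths between two snapshots."""
    dropped = sorted(p for p in after if p not in before)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    removed = sorted(p for p in before if p not in after)
    return dropped, modified, removed

def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario: a sample drops a second file and alters itself."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "sample.bin"), "wb") as f:
        f.write(b"constructed sample bytes")
    before = snapshot(root)            # baseline before 'running' the sample
    os.mkdir(os.path.join(root, "Temp"))
    with open(os.path.join(root, "Temp", "payload.exe"), "wb") as f:
        f.write(b"constructed dropped file")   # the 'drop' stage
    with open(os.path.join(root, "sample.bin"), "ab") as f:
        f.write(b" plus self-modification")
    after = snapshot(root)
    return diff_snapshots(before, after)

if __name__ == "__main__":
    print(demo())
```

On a real test, take `snapshot()` of the directories you care about (user profile, Temp, system folders) before launching the sample and again afterwards, and hash any dropped file so it can be checked against the Hub for duplicates.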
 

LabZero

Thread author
How can malware bypass a virtual machine and enter the main system? Why should we disconnect the Internet in dynamic tests even if testing in a virtual machine?
Using NAT, the virtual machine receives a private IP address. With this configuration, the VM will have access to the internet, but the other hosts on the network cannot access the VM.
In the shared folders section we can set a folder that will be visible from the VM and the host system. This allows us to exchange files between host and VM even without the appropriate network configuration, and that's why we must NOT set up shared folders.

If you read my thread carefully, you know that the advice to disconnect the internet is given for light virtualization systems like Shadow Defender and Sandboxie, where your personal data are virtualized but present in the session and can then be read and shared by the malware.

In a VM there is no data sharing between guest and host if you don't allow it.

Anyway all is possible...
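The isolation points above (NAT networking, no shared folders, no host/guest channels) can be checked against a VirtualBox guest's configuration before a test. The script below is an added example for this thread, not from any poster or from VirtualBox itself; it parses the output of `VBoxManage showvminfo "<vm>" --machinereadable` and lists anything that contradicts the advice. The key names (`nicN`, `cableconnectedN`, `SharedFolderName...`, `clipboard`, `draganddrop`) are as I recall them from that format and should be checked against your own VirtualBox version; the sample text is constructed, not from a real VM.

```python
# Added example (not from the thread): flag isolation weaknesses in a VirtualBox
# guest from `VBoxManage showvminfo <vm> --machinereadable` output.
# Key names are assumed from memory of that format; confirm on your version.
import re
from typing import Dict, List

def parse_vminfo(text: str) -> Dict[str, str]:
    """Turn the key="value" lines of --machinereadable output into a dict."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r'^([^=]+)=(.*)$', line.strip())
        if m:
            info[m.group(1)] = m.group(2).strip('"')
    return info

def isolation_findings(info: Dict[str, str]) -> List[str]:
    """List configuration points that contradict the isolation advice above."""
    findings: List[str] = []
    # Shared folders give the guest a path to host files: there should be none.
    for key, value in info.items():
        if key.startswith("SharedFolderName"):
            findings.append(f"shared folder configured: {value}")
    # Enabled NICs should be NAT (guest can reach out, LAN hosts cannot reach in);
    # for an offline dynamic test the virtual cable should also be unplugged.
    for key, value in info.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if not m or value == "none":
            continue
        n = m.group(1)
        if value != "nat":
            findings.append(f"nic{n} mode is '{value}', expected nat")
        if info.get(f"cableconnected{n}", "on") == "on":
            findings.append(f"nic{n} cable connected: unplug for an offline test")
    # Clipboard and drag-and-drop are two more host/guest channels.
    for channel in ("clipboard", "draganddrop"):
        if info.get(channel, "disabled") != "disabled":
            findings.append(f"{channel} is '{info[channel]}', expected disabled")
    return findings

# Constructed sample of showvminfo output for a badly isolated guest (not a real VM).
SAMPLE_VMINFO = """name="win7-malware"
nic1="bridged"
cableconnected1="on"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="/home/me/samples"
clipboard="bidirectional"
draganddrop="disabled"
"""

if __name__ == "__main__":
    for finding in isolation_findings(parse_vminfo(SAMPLE_VMINFO)):
        print("WARN:", finding)
```

An empty findings list means the guest matches the advice in this thread: NAT only, cable unplugged, no shared folders, clipboard and drag-and-drop disabled.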
 

nclr11111

Feb 25, 2011
Not a thread used lately, but I've got 2 questions.
Background: I'd like to do some "lite" malware testing in a virtual machine (VirtualBox with Win7 SP1 x86) that in all aspects besides the OS architecture is a mirror of my own security config.
The reason for testing is kinda obvious: I want to see that my protection and settings are adequate!

Q1: Due to the fact that I'm testing in a VM on my secondary machine (C2D E7400) that does not support virtualization, I have no choice but to go with the x86 OS architecture.
Will the results differ much between x86 and x64 in a testing environment?

Q2: There is talk above about having a separate router for malware testing. But say I download the samples, disconnect from the network before any dynamic testing and then restore the VM before reconnecting. Shouldn't that keep the router safe from any eventual infection?

I understand this might interfere with the ability to study the malware trying to connect, but that's not my main interest here either. I just want to see that my protection can contain the threats!
 

LabZero

Thread author
Not a thread used lately, but I've got 2 questions.
Background: I'd like to do some "lite" malware testing in a virtual machine (VirtualBox with Win7 SP1 x86) that in all aspects besides the OS architecture is a mirror of my own security config.
The reason for testing is kinda obvious: I want to see that my protection and settings are adequate!

Q1: Due to the fact that I'm testing in a VM on my secondary machine (C2D E7400) that does not support virtualization, I have no choice but to go with the x86 OS architecture.
Will the results differ much between x86 and x64 in a testing environment?

Q2: There is talk above about having a separate router for malware testing. But say I download the samples, disconnect from the network before any dynamic testing and then restore the VM before reconnecting. Shouldn't that keep the router safe from any eventual infection?

I understand this might interfere with the ability to study the malware trying to connect, but that's not my main interest here either. I just want to see that my protection can contain the threats!
I tested malware on both x86 and x64 systems, and you should assume that the test is always subjective and depends on many factors (the architecture, the tools used, the testing method), so basically the difference is not significant.

I do not say that it is necessary to use a dedicated router.
You should turn off the connection if you are testing malware in a dynamic way and you use just Shadow Defender, which virtualizes the current session, including any personal data it contains, which can be shared by a malware stealer.
If you run network analysis there is the risk that a particular piece of malware can change DNS, infecting the router, BUT if you analyze malware offline, interrupting the network connection, this risk does not exist.
 

nclr11111

Feb 25, 2011
I tested malware on both x86 and x64 systems, and you should assume that the test is always subjective and depends on many factors (the architecture, the tools used, the testing method), so basically the difference is not significant.

I do not say that it is necessary to use a dedicated router.
You should turn off the connection if you are testing malware in a dynamic way and you use just Shadow Defender, which virtualizes the current session, including any personal data it contains, which can be shared by a malware stealer.
If you run network analysis there is the risk that a particular piece of malware can change DNS, infecting the router, BUT if you analyze malware offline, interrupting the network connection, this risk does not exist.

What i thought!
Thx for confirmation.
//NCLR
 

nclr11111

Feb 25, 2011
Another Q!
Is Rollback RX with an unplugged network allowed to participate in the testing? I mean it's not virtualization software, so the testing is on a real system but without the risk of spreading. Just asking since there is no mention of this software regarding malware testing.

Since I've got no key for Shadow Defender and my piece of **** computer doesn't support virtualization, this is my only option atm!
 

Lord Ami

Sep 14, 2014
Another Q!
Is Rollback RX with an unplugged network allowed to participate in the testing? I mean it's not virtualization software, so the testing is on a real system but without the risk of spreading. Just asking since there is no mention of this software regarding malware testing.

Since I've got no key for Shadow Defender and my piece of **** computer doesn't support virtualization, this is my only option atm!
Unfortunately an unplugged network leaves out cloud detection. This is quite a vital part of the tests :(
 

Anker_by

Jun 23, 2015
As I said, to be able to test safely it is necessary to have a dedicated PC (or VM, etc.) without data or personal information that might be shared by malware.
And I highly recommend disconnecting the internet during your dynamic malware test: if you don't run malware there is no danger.

Edit: disconnecting the internet is for light virtualization systems like Shadow Defender, because of data loss.
So I need to turn off my internet to test random malware?
 

Mr.X

Aug 2, 2014
Well, better safe than sorry. I'd rather test on a separate machine and a separate router that I'm not going to use for anything other than testing malware. That way I don't have to worry about spreading from the machine or the router, because nothing is bulletproof.
I'm not an expert, but the few times I actually did run some malware tests I used a spare HDD. Ideal is to have a spare machine and the rest, like you very well said. But at least a spare HDD; I mean I'd never use my main personal HDDs/SSDs with important data to conduct malware tests, even though I use SBIE or Shadow Defender. :rolleyes:
 
