By Staff How to perform dynamic malware testing [for Hub testers]

L

LabZero

Thread author
I didn't know about testing offline mode, i only know now because i want teach myself for clean up the system infected.
The first objective is the safety of the tester and his data, but then everyone can decide how best to do.
The problem of data theft, such as multiple times said, concerns just SD because it's virtualized the current session and the data that may it contains.
Using the VM the problem does not exist because usually it does not contain personal data unless you add them, but this would not make sense: the VM should be just for testing purposes.
 

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Just some remarks :

Never test a script-based downloader with internet disconnected :D or don't test it with Shadow Defender :)
(I am sure some people have already made the mistake :p )

- How to know the script you want to test is a downloader ?
=> see the details on VT/Hybrid/etc,... before, or for an unknown sample, don't take the risk : consider it's a downloader :)

- Some script downloaders wait for a connection to be available (a loop) : always be sure the sample isn't running when you decide to stop the tests and connect back to internet.​
 
Last edited:

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
The dynamic test has to be run with an active internet connection for the reasons mentioned by @DardiM and for the fact that anti-malware technologies need server connections.
I strongly recommend to use a VPN in the virtual machine, which usually shares the host IP.
This is to avoid that the malware can process our real IP!
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Hi! are tests reliable if I test on a PC partition? (multiboot)

(no personal information on pc)
Not sure I have correctly understood, but also on multiboot systems, it is necessary to use a virtualized environment.
Even if you have no personal data on that system, but you have a another homework multiboot system, there is risk that a specific malware such as bootkits, or advanced rootkits can infect this system.
 

Dirk41

Level 17
Verified
Top Poster
Mar 17, 2016
797
Not sure I have correctly understood, but also on multiboot systems, it is necessary to use a virtualized environment.
Even if you have no personal data on that system, but you have a another homework multiboot system, there is risk that a specific malware such as bootkits, or advanced rootkits can infect this system.

I never use it, I use it only to try programs before deciding if it worth to install them on my "official" devices.
so even if the malware coul infect another partition (with another OS , linux or W ) I don't care. I can't installa a VM there, poor hardware

it's a netbook that still works
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
I never use it, I use it only to try programs before deciding if it worth to install them on my "official" devices.
so even if the malware coul infect another partition (with another OS , linux or W ) I don't care. I can't installa a VM there, poor hardware

it's a netbook that still works
If the system is used only for testing then there is no problem, important is not to share personal data (due to error) with that system.
 

Dirk41

Level 17
Verified
Top Poster
Mar 17, 2016
797
If the system is used only for testing then there is no problem, important is not to share personal data (due to error) with that system.

sure, it is not even connected/share folders with other PCs.
anyway malwares could spread even on other partitions , even if there is a different OS in each partition? thank you

I suppose yes because I can move files
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
sure, it is not even connected/share folders with other PCs.
anyway malwares could spread even on other partitions , even if there is a different OS in each partition? thank you

I suppose yes because I can move files
Depending on the malware yes, that's why it would be better to always use a VM in this context as well.
Windows malware does not infect Linux, but Linux can become an infection vector if you insert the USB devices here and then insert them in Windows, for example.
 
Last edited:
W

Wave

Thread author
I suppose yes because I can move files
From Linux if the Linux malware can access the Windows files it can infect a file on that partition with that OS installation so you become infected on Windows when you use it, and vice versa. But the malware author would need to be knowledgeable on both Linux and Windows malware development to pull this off and it'd be tricky to do it correctly without mess up with a high chance of success.

For example the malware author patches a program present on your Windows installation from within the Linux environment which happens to be auto-started at boot on Windows (based on registry configuration), so when it runs the malicious code is executed since the Linux malware had accessed this file on the Windows system and patched it, so now the infection payload is executed (or in terms of a virus, it spreads on now when infected programs are ran, etc).

List can go on with scenarios.

But honestly I have never even seen this happen before :D I just thought of the theory and yes in terms of theory what I just said can be done but like I said you'd need knowledge on both Linux and Windows development to pull this off
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
sure, it is not even connected/share folders with other PCs.
anyway malwares could spread even on other partitions , even if there is a different OS in each partition? thank you

I suppose yes because I can move files

Pls remember that malware can infect other devices in the same network, IOT and your router.
How will you restore the system to the previous (clean) status?
 

Dirk41

Level 17
Verified
Top Poster
Mar 17, 2016
797
thank you for your interest :as said before not connected with other devices in the network. no IoT in my home.
the router: well I did not think about that :D thank you
is it enough to turn off wifi?

restore: image of the disk or recovery partition

I would put that netbook in the junk otherwise
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
thank you for your interest :as said before not connected with other devices in the network. no IoT in my home.
the router: well I did not think about that :D thank you
is it enough to turn off wifi?

restore: image of the disk or recovery partition

I would put that netbook in the junk otherwise
Yes it is enough turn off wifi if you have not connected also the network cable.
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
you turn off the wifi too? what you do? a vpn?with a vpn it would not infect a router?
Mainly I do static malware analysis so the problem doesn't exist.
In the case of dynamic analysis, it is necessary to have the internet connection active to identify domains, and packets related to malware, using in my case Cyberghost VPN.
I've never had router infections until now, but in the case I reset the router to the factory settings.

Edit: VPN does not protect your router from targeted malware infection.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top