Malware Analysts - Safety Note - Please Read

WinXPert

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Jan 9, 2013
1,457
a different question now.

What makes one qualified?

Right now I'm teaching someone about malware removal. I started with an easy-to-remove VBS worm, then a shortcut virus, and last was Brontok. So far the guy still has difficulty with the last one. But I make sure that he is doing it on a stand-alone PC (he has Deep Freeze). Until I believe he is competent enough to handle those, I won't be giving him more samples than he can chew.

I use the Password Hasher add-on for Firefox.
 
  • Like
Reactions: Cowpipe

Cowpipe

Level 16
Thread author
Verified
Well-known
Jun 16, 2014
781
a different question now.
What makes one qualified?

My interpretation is someone who can demonstrate that they understand the risks and that they also understand how to protect themselves against it. For example, their malware analysis configuration could reveal a lot about how much they know. It's not about how skilled they are at analysis or reversing binaries, but simply how well they know how to protect themselves (at least that's the point for me)
 

WinXPert

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Jan 9, 2013
1,457
My interpretation is someone who can demonstrate that they understand the risks and that they also understand how to protect themselves against it. For example, their malware analysis configuration could reveal a lot about how much they know. It's not about how skilled they are at analysis or reversing binaries, but simply how well they know how to protect themselves (at least that's the point for me)

Rightly said.

I'd like to add someone who can reverse the effects brought about by the malware. Removal is easy: you can use an updated AV boot CD or slave an infected HDD to a clean system and scan.
 
  • Like
Reactions: Cowpipe

FreddyFreeloader

Level 32
Verified
Top Poster
Well-known
Jul 23, 2013
2,115
People who have a track record of scanning pack included in the future group? Also, how do newbies get experience if it's a restricted forum? Thanks.
 
  • Like
Reactions: Cowpipe

Cowpipe

Level 16
Thread author
Verified
Well-known
Jun 16, 2014
781
People who have a track record of scanning pack included in the future group? Also, how do newbies get experience if it's a restricted forum? Thanks.

Well one remedy perhaps is that once I have my course in dynamic analysis up and running, they could take that (to learn how to properly configure a secure test environment and keep their computer safe etc) and after that they will have the knowledge. Just one possible solution though
 

Ignacio

New Member
May 10, 2014
1
There have now been two attacks on member accounts here, one confirmed another possible and it seems likely from analysing both cases that the cause was a local infection, that is a malicious file on the members computer has sent passwords to a remote server.

................................................

* Comodo Sandbox Configuration Tips

* Application Paths
Navigate to the Comodo Sandbox menu at Tasks > Sandbox Tasks > Open Advanced Settings > Security Settings > Defense+ > Sandbox and review the list of programs configured to automatically run in the Sandbox. Ensure that all of the programs here are set to "Full Virtualised" under the Restriction Level column. This will ensure complete separation between your computer and the program that is running. It is unwise to allow unknown files to run in anything other than Fully Virtualised mode.

* Do not virtualise access to the specified files/folders
Ensure this option is checked and click the blue text to open the "Manage Exceptions" menu. See above under the Sandboxie config for a list of folders to deny access to.

* Do not virtualize access to the specified registry keys/values
Ensure this option is checked and click the blue text to open the "Manage Exceptions" menu. See above under the Sandboxie config for a list of registry keys to deny access to.

................................................

Thanks for reading :)


Hi, thanks for the guide, I think it is very useful, I will change the settings for Sandboxie based on your advice.

But, with due respect, I believe there's a little error.

I have installed version 7 of Comodo Firewall and in Sandbox "Do not virtualise access to the specified files/folders" gives full access to these files/folders for virtualized applications.

Same thing for "Do not virtualise access to the specified registry keys/values".

Comodo's online help (http://help.comodo.com/topic-72-1-522-6308-Configure-the-Sandbox.html) says this
"To define exceptions for files and folders
....
Files - Allows you to specify files or applications that sandboxed applications are able to access
Folders
– Specify a folder that can be accessed by sandboxed applications"


To deny sandboxed applications access to certain folders, you must use Protected Data Folders.

Comodo's online help (http://help.comodo.com/topic-72-1-522-6384-Protected-Data-Folders.html) says:
"Protected Data Folders

The data files in the folders listed under the Protected Data Folders area cannot be seen, accessed or modified by any known or unknown application that is running inside the sandbox."

I don't know how to protect specific registry keys from being accessed by sandboxed applications.
 

MrExplorer

Level 28
Verified
Nov 15, 2012
1,765
Thanks. LastPass does save passwords in the cloud, but even if I am not connected to the Internet, I am able to access and see my passwords.
I guess so malware can steal passwords through LastPass.
 
  • Like
Reactions: Cowpipe

Cowpipe

Level 16
Thread author
Verified
Well-known
Jun 16, 2014
781
Thanks, LastPass do save Passwords on Cloud But Even if i am not connected to Internet, I am able to access & see my passwords.
I gues so Malware can steal password through lastpass.

Thank you for pointing this out MrExplorer, I will add this note to the guide. To disable offline access for LastPass you must first enable two factor authentication and then set the option for "Permit Offline Access" to "Disallow". ;) Like I said in the post, it's just one suggestion, I will add some alternatives a little later when I wake up some more. Thanks for pointing that out :)
 
  • Like
Reactions: MrExplorer

WinXPert

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Jan 9, 2013
1,457
The best way to learn how to handle malware is to get a nasty infection! ;)

That's how I learned. I intentionally infected my system with random strains of malware and then tried to remove them.

Others can start with low-threat viruses in a controlled virtual environment to be on the safe side, plus take into account @Cowpipe's original post about configurations (which I never thought of really, thanks for pointing that out and now I know :D)
 
  • Like
Reactions: juhful and Cowpipe

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Cowpipe,
thank you for the guide! It will surely help many members and non-members! :)
There are many threads and posts about this subject and people might get lost.:(
I'm not sure if limiting access to the malware hub will help, since people might/will get malware from other (more dangerous) sources and then post results/ask for help here if they get infected anyway.

What about adding in the Malware hub page after the "warning message" a link to a guide on "how to create and setup a machine to test malware" and to a "guide on common mistakes to avoid when testing malware" ?
A course in dynamic analysis would help even more people...where will it be available?
A "how to protect/detect/undo changes (as far as possible) in BIOS, MBR, Router" would also help....just ideas...:)
Who wants to test will test anyway, at least they will be more aware and better prepared.:)
 
  • Like
Reactions: Cowpipe

donetao

Level 20
Verified
Sep 7, 2014
968
Hi! I surfed MT forum and I saw the warning and I got out of there. No place for me to be.
Not all surfers will leave like I did, so some restrictions need to be implemented.
Not a place for me to be! I'm sure I could recover as I'm not a complete newbie, but for now that section is off my surfing.
Won't even click on that section.:D:D
Not even sure it has a place here on MT. Even though that's what this forum is all about.
 
  • Like
Reactions: Cowpipe

ahmad123

Level 4
Verified
Aug 31, 2014
171
Thank you for the guide.
I think at the very least, members wanting to access the virus exchange should go through some basic training in dynamic analysis.
There are many threads and posts about this subject and people might get lost.
 
  • Like
Reactions: Cowpipe

nsm0220

Level 21
Verified
Sep 9, 2013
1,054
That how I learned. I intentionally infect my system with random strains of malwares then tried to removed them.

Others can start with low threat viruses on a controlled virtual environment to be on the safe side plus taking into account @Cowpipe original post about configurations (which I never thought of really, thanks for pointing that out and now I know :D)
I always test malware in a VM or with a sandbox.
 
