vertigo

Level 2
I'm trying to test various forms of malware to see both how they act and to test out different programs, but of the ~20 or so I could actually run from the couple of batches I downloaded from repositories, only a few actually did anything, and even then it wasn't anything spectacular (moderately high CPU and/or disk activity without actually doing anything noticeable). I don't know if it's because they were VM-aware, because they're old and crippled by OS patches that have occurred since their time, if Windows Defender was blocking them (I disabled it, but even disabled it still seems to take action, which is frustrating), or a combination of these or other factors. Of course, I'm running other programs, since I'm testing, but AFAICT none of them are stopping the malware once I allow it. I was running SecureAPlus, VoodooShield, Software Restriction Policy (disabled), Malwarebytes Anti-Exploit Beta, and OSArmor. SAP, VS, and OSA would all throw up warnings, but I would bypass them to try and get the malware to run, and eventually it either would or, more often, it would seemingly do nothing or even disappear.

So I have a few questions. First, am I missing something? Why am I having such a hard time getting anything to happen? The one I got the most action out of was ZeroLocker, which I got to run and it was showing fairly heavy disk usage, but none of my files were encrypted and after a while it crashed the VM. I'm just astonished at how difficult it's proving to infect myself. Second, does anyone have a recommendation of somewhere I could get some more effective malware to test? ViruSign looks promising but I don't see a way to sign up, so I'm guessing it's for researchers only. I'd even be happy with (and would actually prefer) fake malware, perhaps a "ransomware" that would only encrypt files in "c:\ransomware test directory" so that it wouldn't be in any signature databases and would be safe and easy to test. I also want various forms (pdf, doc with macros, scripts, etc). Anyways, I'm not sure if this is something anyone would even be willing to answer, but I figured I may as well ask. I've spent hours trying to get something working so I can test things.

By the way, before anyone asks or offers a warning, I'm testing in VirtualBox with the network, shared folders, clipboard, and drag-and-drop all disabled and guest additions uninstalled, and all the data on the host is backed up so even if the worst happens and something gets out it wouldn't be the end of the world (though it would still suck, of course).
 

JM Safe

Level 38
Verified
Hello.

There are many malware samples that detect a VM or a sandbox and so they don't run. Ransomware sometimes takes a few minutes to start the encryption process. I remember one time I tested a ransomware sample in a VM and it took about 5-10 minutes to encrypt files on the desktop. However, keep in mind to also use a VPN and a firewall during your tests to be more secure. If you want to share your testing passion with us you could be an AV-Tester and make posts and threads in the Malware Hub; you can contact @Jack or @Solarquest.
I also suggest that you make a CLEAN snapshot of your VM, so when you finish testing you can simply revert to a clean VM.
 

vertigo

Level 2
Thanks. No need for a VPN or firewall, since I just completely disabled the VM's network adapter, closing it off to the outside world, though this also caused at least one or two samples to not run, presumably because they couldn't access their payload. I also have to install .NET to get a few of them to run, which is both sad that the malware authors had to rely on that and telling of how much more exposure having it installed provides. And I gave most of the malware plenty of time to act, running/installing one after another and giving them ample opportunity to run rampant. In fact, the only one that didn't get more than probably ~5 minutes or so was the one that seemed to do the most (ZeroLocker) due to it crashing the VM. I tried it in Sandboxie, which kept it from crashing the system, but that should have also restrained it, making it ineffective anyways. I expected some to not act due to detecting the VM, but I find it unlikely that most/all of them could do so.

And I am aware that it is possible for malware to escape a VM, but I also know it's very rare, and I made sure to update my backups beforehand just in case. And I did make a snapshot right before beginning. Cuckoo sandbox doesn't seem like it would be any more effective, since I may as well just run it locally since it's in a VM anyways, not to mention then it has some files to actually affect. Though perhaps malware that won't run in a VM would run in Cuckoo. Unfortunately, I've not had any luck yet actually getting Cuckoo to work.

I actually checked out the malware hub before posting here, but it says members can't post there. Also, while I'm trying to do some limited testing to better understand the malware and the capabilities of various software, I don't think I'm capable enough to do legitimate testing, nor would I feel comfortable doing so while providing network access, as I'm not confident in my abilities to adequately protect myself in that case.
 

JM Safe

Level 38
Verified
If the connection is off, the malware cannot perform some actions; as you mentioned, it cannot download the payload from the malicious server, for example.
 

vertigo

Level 2
Dedicated VM on my main computer, hence my reluctance to enable the network on it, even though I realize keeping it locked down limits at least some malware (and maybe a lot more than I would have suspected). I'm just being extra cautious, since I basically know enough to be dangerous (i.e. enough to play around with this stuff) but perhaps not enough to take all necessary precautions, which is why I backed everything up just in case. After all, even though I knew enough to run it in a VM, I didn't realize until right before doing it that I shouldn't have the guest additions installed. And I'm hoping simply uninstalling them is enough, as opposed to creating a new VM and not ever installing them, which I didn't feel like doing at the time.
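The post above lists the VirtualBox settings it relies on (no network, no shared folders, no clipboard or drag-and-drop, Guest Additions removed, a snapshot taken first). Rather than trusting memory, those can be audited from the host. The script below is an added example, not from the thread: it parses the output of `VBoxManage showvminfo <vm> --machinereadable`, reports anything that weakens isolation, and prints the `VBoxManage` commands that would fix it. The key names (`nic1`, `clipboard`, `draganddrop`, `SharedFolderNameMachineMapping1`, `SnapshotName`, `GuestAdditionsVersion`) and the `--clipboard-mode` option are what I recall from VirtualBox 6.x/7.x; treat them as assumptions and check them against your own output. The sample output is constructed.

```python
"""Audit a VirtualBox guest for the isolation settings a malware-analysis VM should have.

Added example, not from the thread. Key names follow `VBoxManage showvminfo <vm>
--machinereadable` as I recall it on VirtualBox 6.x/7.x (assumption; verify locally).
"""
import shutil
import subprocess

# Constructed sample of machinereadable output for a VM that is NOT locked down.
SAMPLE_WEAK = r'''name="malware-lab"
nic1="nat"
nic2="none"
clipboard="bidirectional"
draganddrop="disabled"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="C:\samples"
SnapshotName="clean"
CurrentSnapshotName="clean"
'''


def parse_machinereadable(text: str) -> dict:
    """Turn key="value" lines into a dict; lines without '=' are skipped."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip().strip('"')
    return info


def _enabled_nics(info: dict):
    """Yield (key, value) for nicN entries that are not 'none'."""
    for key, value in sorted(info.items()):
        if key.startswith("nic") and key[3:].isdigit() and value != "none":
            yield key, value


def _shared_folders(info: dict):
    """Yield shared-folder names still mapped into the guest."""
    for key, value in sorted(info.items()):
        if key.startswith("SharedFolderNameMachineMapping"):
            yield value


def isolation_findings(info: dict) -> list:
    """Human-readable findings; an empty list means the VM looks isolated."""
    findings = []
    for key, value in _enabled_nics(info):
        findings.append(f"{key}={value}: network adapter enabled, expected 'none'")
    for name in _shared_folders(info):
        findings.append(f"shared folder '{name}' is still mapped into the guest")
    for key in ("clipboard", "draganddrop"):
        if info.get(key) != "disabled":
            findings.append(f"{key}={info.get(key, '<missing>')}: expected 'disabled'")
    if info.get("GuestAdditionsVersion"):  # reported while the guest runs with Additions (assumption)
        findings.append(f"Guest Additions {info['GuestAdditionsVersion']} reported by the guest")
    if not any(k.startswith("SnapshotName") for k in info):
        findings.append("no snapshot exists; take a clean one before running samples")
    return findings


def remediation_commands(vm: str, info: dict) -> list:
    """VBoxManage argv lists that fix the findings (run with the VM powered off)."""
    cmds = []
    for key, _value in _enabled_nics(info):
        cmds.append(["VBoxManage", "modifyvm", vm, f"--{key}", "none"])
    for name in _shared_folders(info):
        cmds.append(["VBoxManage", "sharedfolder", "remove", vm, "--name", name])
    if info.get("clipboard") != "disabled":
        cmds.append(["VBoxManage", "modifyvm", vm, "--clipboard-mode", "disabled"])
    if info.get("draganddrop") != "disabled":
        cmds.append(["VBoxManage", "modifyvm", vm, "--draganddrop", "disabled"])
    if not any(k.startswith("SnapshotName") for k in info):
        cmds.append(["VBoxManage", "snapshot", vm, "take", "clean"])
    return cmds


def audit_vm(vm: str) -> list:
    """Query a real VM (needs VBoxManage on PATH) and return its findings."""
    vbm = shutil.which("VBoxManage")
    if vbm is None:
        raise RuntimeError("VBoxManage not found on PATH")
    out = subprocess.run([vbm, "showvminfo", vm, "--machinereadable"],
                         capture_output=True, text=True, check=True).stdout
    return isolation_findings(parse_machinereadable(out))


if __name__ == "__main__":
    info = parse_machinereadable(SAMPLE_WEAK)
    for finding in isolation_findings(info):
        print("FINDING:", finding)
    for cmd in remediation_commands(info["name"], info):
        print("FIX:", " ".join(cmd))
```

Uninstalling Guest Additions inside the guest is a separate step this cannot perform; what it can do is confirm that the host side no longer exposes a channel (shared folder, clipboard, adapter) for the guest to use. Re-run it after every change to the VM and before each snapshot restore.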
 

ticklemefeet

Level 24
I hope you are using a complete imaging program. Also I just could never use Vbox without the guest additions. Was just too annoying.
What I do when testing malware is have my host in shadow mode and running my VPN, along with a very hardened host. I also use a third-party firewall on my host, so even if the malware breaks out of the VM a reboot will kill it.
 

vertigo

Level 2
No imaging program. While it wouldn't be ideal, if the very unlikely situation were to occur where it broke out, I'd just have to reinstall Windows and possibly reload my data from backups. Obviously that would suck, but it wouldn't be devastating. Though imaging software is one of the things I've been testing in the VM, so hopefully in the near future I'll reinstall, which I need to do anyways, and start off using that. As for Shadow Defender, I tested that briefly in the VM and frankly was unimpressed, and one of the links above states that malware could potentially survive a reboot and infect the non-shadowed system, so I'd rather stick with a VM. And yeah, VB without GA sucks, but it's bearable for this. I just wouldn't want to do it for other stuff, like all the other testing I've been doing of various software.
 

ticklemefeet

Level 24
As long as you don't do any banking or ordering online that should be fine. I know of one good malware writer that is a white hat and she tested Shadow Defender against Petya and was impressed. She seems to have vanished, but her nick was cruelsister. I am impressed with Shadow Defender; the only downside is if you need to do a restart after installing a program. Hey, Macrium is free and works great.
 

vertigo

Level 2
I know of cruelsister, though didn't know she wasn't around anymore. I do banking and shopping on my main/host computer obviously, but of course I wouldn't if an infection escaped until reinstalling. I also use KeePass, so while not impossible, it's much less likely my login info would be compromised. As for SD, I'm sure it works great, I just wasn't impressed with its design and non-protective performance. For example, I didn't like that you can't protect specific folders, instead having to protect an entire drive then exclude all folders except the one(s) you want to protect. I realize that's not really the typical way of using it, but it's how I would prefer to use it. Also, committing the changes doesn't just process them, it processes the entire drive, which takes forever. I'm sure it works great for malware testing and for public computers and computers of people that only use them to check their email, but it just flat out doesn't suit my needs at all, which is especially frustrating since it probably wouldn't take much to do so. Ideally, I'd just want to use it to protect the folder containing images, and only process changes, not all files in that folder or on the drive. Anyways, I don't want to veer too far off-topic, but suffice it to say I abandoned the idea of using it as part of my strategy pretty quickly.
 

Solarquest

Moderator
Verified
Staff member
Malware Hunter
I use a dedicated PC and router ... in my opinion it's too risky/ doesn't make sense to run malware on the main PC, even if in a VM or in SD.
Without internet many samples won't work (many want to "call home").
Do you check your samples on VT and on Hybrid Analysis?
What tools do you use to check for infections?
 

vertigo

Level 2
Yeah, unfortunately I'm not able to set up something like that right now, though I definitely am seeing that would be the best approach, since cutting off the connection impedes their real-world actions.

I didn't check the samples, since they're known malware, so I didn't see any need to. As for tools to check for infections, mostly just watching for files to be encrypted and watching CPU/memory/disk usage. I suppose I could try again and run the various samples then run some scans, I just didn't bother before since nothing seemed to happen with almost all the samples. I realize some are designed to fly under the radar, but even the ones that shouldn't didn't do anything. Anyways, still figuring this stuff out, since it's the first time I have messed with stuff like this.
 