Need help in testing security softwares

Dani Santos

From Xvirus
Jun 3, 2014
Thanks for your suggestions. I appreciate it :)
I've an old PC, dual core 1.8 GHz with only one GB of RAM. There is nothing important on it, so I'm thinking of making it my testing machine. By doing this I can secure my laptop, as most of my important files are on my laptop.
Use a VPN and a firewall on the other machines so worms don't access your network.

Cch123

May 6, 2014
I'm really sorry if you find it effortless, mate. I'm collecting malware from every source; as I don't have much knowledge of these malware sources, that's why I asked for pre-packed packs and some URLs. People here have very good knowledge about this stuff :)

In that case, VirusSign may seem to be the best place. You can sign up for a free account easily and download malware packs (around 500 each) that are updated every day. Also, from my experience, the malware inside those packs has low detection ratios as it is very fresh, the closest you can get to zero-day malware without having your own honeypots and web crawlers. Just be sure to have patience when downloading them.

Thanks for your suggestions. I appreciate it :)
I've an old PC, dual core 1.8 GHz with only one GB of RAM. There is nothing important on it, so I'm thinking of making it my testing machine. By doing this I can secure my laptop, as most of my important files are on my laptop.

Well, it's refreshing to see someone testing with real machines. That can be your differentiating factor from other reviewers, as certain antivirus technologies may not work in VMs. :)

VirusAttak

Thread author
Aug 31, 2014
Use a VPN and a firewall on the other machines so worms don't access your network.
Thank you, I'll use a VPN.

Well, it's refreshing to see someone testing with real machines. That can be your differentiating factor from other reviewers, as certain antivirus technologies may not work in VMs. :)

The main reason we are using real machines is that a normal user is going to use it on a real machine. :)


Deleted member 21043

Hi,

If you want zero-day samples you may have to manually search for and analyse samples. This is because, let's say there is sample B which is zero-day; however, it is also FUD since it is encrypted through a FUD crypter. Therefore, you would have to analyse sample B to find malicious components and, if so, include it in your test (if it is malicious after all).

Of course, there are zero-day samples posted all the time. You could grab those on the day of your test and use them. It really depends on how you want this test to be.

Even whilst using a virtual machine, if you are connected to a network, once the sample is executed it will be able to obtain and log your IP address. This can then be forwarded to, e.g., the malware writers. Then this could be used to... maybe DDoS/target you. Therefore, always make sure you are using a VPN ("Virtual Private Network").

MALWARE ANALYSIS:
If you find malware analysis tricky (keeping track of each process and what it is doing, and manually checking the logs), you could try using a sandbox on the virtual machine to make logging the information easier. For example: what files it creates, reads, deletes; the registry keys it reads and creates and, if so, removes; whether it executes a process and injects code into it/unpacks itself. The list can go on forever.

Maybe the Malc0de Analysts pack may come in handy for you. Same for Qunpack, IDA Pro.

A good idea you could attempt if you have programming knowledge, I shall list below. If you aren't a software programmer (explicitly C/C++ and Assembly), then don't bother reading the information below:

You could set up a personal tool which uses a driver with kernel-mode callbacks, and your tool can also inject into a specific process after executing it. A driver with kernel-mode callbacks, because on x64 there is no SSDT ("System Service Descriptor Table") hooking; therefore, on x64 you use callbacks. You could do it with NtTerminateProcess, for example: then compare the process name being called to it, and if it is your tool's process you can return ACCESS_DENIED (does what you think it does: it returns Access Denied). For example, you see some antivirus software displaying an alert when you try to kill it from, e.g., Task Manager. This is from the driver's returned value.

The callback could be used to make sure your utility is not killed from memory (or easily, at least). Then the API hooking/IAT hooking can be used (in the targeted processes).

You could use API hooking to hook certain functions/IAT hooking (redirection). If you really want me to continue with this I can; however, it is pretty detailed and requires great expertise.

A better alternative for more accurate analysis would be using a secondary, spare PC specifically for malware analysis (if you analyse the samples for your tests/zero-day). This is due to the fact that some samples are "anti-VM" and "anti-sandbox" and will avoid showing "malicious" activity, as they know they are being virtualized in a virtual box or sandbox. Then... the user puts it on the real system. BAM. Now it's doing harmful, malicious activities.

For more accurate tests, make sure to use a wide range of different malware types. For example: rootkits, keyloggers, worms, backdoors, ... and if you are testing adware/PUP detection too, add this in. Make sure they are 100% verified as real threats, to prevent inaccurate tests.

Tomorrow, if I have time, I'll come back and re-check my posts. I'm pretty tired right now, so I'll be back tomorrow to double-check, in case I wrote anything invalid or need to improve something/add more information.

Until then... Thanks! ;) (enjoy this massive reply :D I will be surprised if you manage to read it all :D).
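The crypter point in the post above (sample B is zero-day but FUD because it went through a crypter, so it has to be analysed before it is trusted as a test sample) has a cheap static first check: a crypter or packer leaves the real payload as an encrypted or compressed blob next to a small loader stub, and that blob shows up as near-random bytes. The script below is an added example written for this page, not code from the post or from any product; it scores a file in fixed windows by Shannon entropy and reports the high-entropy runs. The window size, the 7.2 bits/byte threshold, the "packed if more than half the file" rule and the constructed stand-in sample are all assumptions.

```python
"""Static triage of a suspected crypter/packer output by byte entropy.

Constructed example. A "FUD crypter" wraps the real payload in an encrypted or
compressed blob inside a small loader stub, so the resulting file has regions of
near-random bytes next to ordinary low-entropy code. Scanning a file in fixed
windows and flagging windows whose Shannon entropy approaches 8 bits/byte is a
cheap first hint that a sample needs unpacking before it is judged "clean" or
"malicious". Window size and threshold are assumptions, not published values.
"""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

WINDOW = 4096          # bytes per window (assumed)
HIGH_ENTROPY = 7.2     # bits/byte; normal x86 code/data usually sits well below this (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = WINDOW,
                         threshold: float = HIGH_ENTROPY) -> List[Tuple[int, int, float]]:
    """Return (start, end, max_entropy) for runs of adjacent windows at or above threshold."""
    regions: List[Tuple[int, int, float]] = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        h = shannon_entropy(chunk)
        if h < threshold:
            continue
        end = off + len(chunk)
        if regions and regions[-1][1] == off:          # extend the previous run
            start, _, prev = regions[-1]
            regions[-1] = (start, end, max(prev, h))
        else:
            regions.append((off, end, h))
    return regions


def triage(data: bytes) -> Dict[str, object]:
    """Summarise how much of the file looks encrypted/compressed."""
    regions = high_entropy_regions(data)
    covered = sum(end - start for start, end, _ in regions)
    fraction = covered / len(data) if data else 0.0
    return {
        "overall_entropy": round(shannon_entropy(data), 3),
        "high_entropy_regions": regions,
        "packed_fraction": round(fraction, 3),
        "likely_packed": fraction >= 0.5,              # assumed decision rule
    }


def constructed_sample() -> bytes:
    """Stand-in for crypter output: 2 windows of repetitive "stub", 4 of random "payload", 1 of padding.

    Not a real sample; the random payload is seeded so the result is reproducible.
    """
    stub_line = b"push ebp; mov ebp, esp; mov eax, [ebp+8]; call sub_401000; leave; ret\r\n"
    stub = (stub_line * 256)[:2 * WINDOW]
    rng = random.Random(1337)
    payload = bytes(rng.getrandbits(8) for _ in range(4 * WINDOW))
    padding = b"\x00" * WINDOW
    return stub + payload + padding


if __name__ == "__main__":
    report = triage(constructed_sample())
    for start, end, h in report["high_entropy_regions"]:
        print(f"high-entropy region 0x{start:x}-0x{end:x}: {h:.2f} bits/byte")
    print(f"packed fraction {report['packed_fraction']}, likely packed: {report['likely_packed']}")
```

Entropy alone is not proof: legitimately compressed resources, embedded certificates and installers also score high, so treat a hit as "unpack or run this one before scoring it", not as a verdict.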
 

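The self-protection mechanism described in the post above (a driver that answers attempts to terminate the tool's own process with ACCESS_DENIED; on x64 Windows this is normally done with an object callback registered via ObRegisterCallbacks that removes PROCESS_TERMINATE from handle requests) is something a reviewer should test rather than take on trust. The harness below is an added example written for this page, not code from the post or from any product: it tries to kill a PID the way a sample would and classifies the outcome as denied, not found, terminated or survived. On Windows it goes through OpenProcess/TerminateProcess via ctypes; on a POSIX host it uses SIGKILL. The demo target (an idle Python child standing in for an unprotected product process) and the outcome names are assumptions.

```python
"""Does the product's self-protection actually block process termination?

Constructed harness, not from the thread. Try a forced kill against a PID and
report what happened so a review can record "denied" instead of guessing from a
pop-up. The demo target is an idle Python child standing in for an unprotected
product process; run it against a real product with the PID on the command line.
"""
import os
import signal
import subprocess
import sys
import time

DENIED, NOT_FOUND, TERMINATED, SURVIVED = "denied", "not_found", "terminated", "survived"


def try_terminate(pid: int, timeout: float = 2.0) -> str:
    """Attempt a forced kill of `pid` and return one of the four outcome strings."""
    if os.name == "nt":
        return _try_terminate_windows(pid, timeout)
    return _try_terminate_posix(pid, timeout)


def _try_terminate_windows(pid: int, timeout: float) -> str:
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.TerminateProcess.argtypes = [ctypes.c_void_p, ctypes.c_uint32]
    k32.WaitForSingleObject.argtypes = [ctypes.c_void_p, ctypes.c_uint32]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    PROCESS_TERMINATE, ERROR_ACCESS_DENIED, ERROR_INVALID_PARAMETER, WAIT_OBJECT_0 = 0x0001, 5, 87, 0

    # A self-protecting product usually fails the test right here: its kernel callback
    # strips PROCESS_TERMINATE from the handle request, so OpenProcess is denied.
    handle = k32.OpenProcess(PROCESS_TERMINATE, False, pid)
    if not handle:
        err = ctypes.get_last_error()
        if err == ERROR_ACCESS_DENIED:
            return DENIED
        if err == ERROR_INVALID_PARAMETER:   # no such process
            return NOT_FOUND
        raise ctypes.WinError(err)
    try:
        if not k32.TerminateProcess(handle, 1):
            return DENIED if ctypes.get_last_error() == ERROR_ACCESS_DENIED else SURVIVED
        waited = k32.WaitForSingleObject(handle, int(timeout * 1000))
        return TERMINATED if waited == WAIT_OBJECT_0 else SURVIVED
    finally:
        k32.CloseHandle(handle)


def _try_terminate_posix(pid: int, timeout: float) -> str:
    try:
        os.kill(pid, signal.SIGKILL)          # forced kill, the analogue of TerminateProcess
    except PermissionError:
        return DENIED                         # EPERM: not allowed to signal that process
    except ProcessLookupError:
        return NOT_FOUND
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if not _posix_alive(pid):
            return TERMINATED
        time.sleep(0.05)
    return SURVIVED


def _posix_alive(pid: int) -> bool:
    try:
        # If pid is our own child, reap it so a zombie does not read as "alive".
        return os.waitpid(pid, os.WNOHANG) == (0, 0)
    except ChildProcessError:
        pass                                  # not our child; fall through to a probe
    try:
        os.kill(pid, 0)                       # signal 0 only checks existence/permission
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def spawn_target() -> subprocess.Popen:
    """Constructed stand-in for the product process: an idle Python child."""
    return subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"])


def run_check() -> dict:
    """Exercise the harness against a live unprotected target and an already-exited one."""
    live = spawn_target()
    live_result = try_terminate(live.pid)

    gone = spawn_target()
    gone_pid = gone.pid
    gone.kill()
    gone.wait()
    del gone            # drop our handle/reference so the PID is really gone
    gone_result = try_terminate(gone_pid)
    return {"unprotected_target": live_result, "exited_target": gone_result}


if __name__ == "__main__":
    if len(sys.argv) > 1:   # usage: python selfprotect_check.py <pid of the product process>
        print(try_terminate(int(sys.argv[1])))
    else:
        print(run_check())
```

Run it once from a normal user account and once elevated: a product whose protection only holds for unprivileged callers will report "denied" in the first run and "terminated" in the second, which is exactly the difference a review should record.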
VirusAttak

Thread author
Aug 31, 2014
Indeed, I read it all; don't be surprised, as these tips are going to help me a lot. Right now I have collected over 1500+ different samples from everywhere. I'm setting up my old PC as a "Malware fighter". Today I'll complete my reviews on Xvirus @Dani Santos and Kaspersky Total Security. Previously these reviews were based on @Malware Test's reviews, but he removed his videos. Now I have to do it myself.

Take a rest, have fun.
Thank you for your contribution.

cruelsister

Apr 13, 2013
If I can butt in for a bit:

1). Kram's post was excellent and I hope you read it all!
2). When first starting, don't overwhelm yourself with the raw number of samples; just try to get a few samples of different malware types, run them and see how they operate. It will make future forensics a great deal simpler.
3). Get to know well the baseline Users\whatever\AppData\Local and \Roaming directories. The vast majority of the time, a daughter (either piggybacked onto the parent malware or directly downloaded by the parent) shows up here.
4). Don't forget to make hidden files and folders visible. The best stuff is always a bit shy.
5). Make sure to use a good outbound connection monitor.
6). Don't blow off things that you may find in Temp (or, God forbid, the Recycle Bin) assuming that junk cleaners will take care of them. Often they can't (and don't).
7). Just because HMP and MB give your system a clean bill of health, don't believe them. They are prone to miss a number of things (VBS scripts being a case in point).
8). NEVER continue past the point that you are no longer having fun! Unless you are getting paid (very well).
9). Re-read Kram's post.
 
Last edited:
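Points 3 and 4 above (know the baseline of the user's AppData\Local and \Roaming folders, and do not let hidden files hide) turn into a repeatable check if the two directories are hashed before the sample runs and again afterwards. The script below is an added example written for this page, not code from cruelsister's post or from any product: it snapshots every regular file under a set of labelled roots, hidden ones included (os.walk does not skip dot-files or Windows hidden-attribute files), and reports what appeared, vanished or changed. The labels, the constructed demo tree and the dropped file names are assumptions; on a real test box it reads the roots from %LOCALAPPDATA% and %APPDATA%.

```python
"""Baseline-and-diff for the user's AppData\\Local and \\Roaming drop locations.

Constructed example, not from the thread. Take a hash snapshot of the
directories before the sample runs and another after, then report what
appeared, vanished or changed. Hidden files are included because os.walk does
not skip dot-files or Windows hidden-attribute files. The demo tree and its
file names are made up.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def default_roots() -> Dict[str, str]:
    """Label -> path for the two directories, taken from the Windows environment."""
    roots: Dict[str, str] = {}
    for label, var in (("Local", "LOCALAPPDATA"), ("Roaming", "APPDATA")):
        if os.environ.get(var):
            roots[label] = os.environ[var]
    return roots


def _sha256(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(roots: Dict[str, str]) -> Dict[str, str]:
    """Map 'Label/relative/path' -> sha256 for every regular file under each root."""
    state: Dict[str, str] = {}
    for label, root in roots.items():
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                key = label + "/" + os.path.relpath(full, root).replace(os.sep, "/")
                try:
                    state[key] = _sha256(full)
                except OSError:
                    state[key] = "<unreadable>"   # locked/ACL-protected; still worth listing
    return state


def diff(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Files that appeared, disappeared, or changed content between two snapshots."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in after if k in before and after[k] != before[k]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Walk through a constructed 'sample dropped files' scenario on temp dirs."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = {"Local": os.path.join(tmp, "Local"), "Roaming": os.path.join(tmp, "Roaming")}
        _write(roots["Local"], "Temp/setup.log", b"clean install\n")
        _write(roots["Roaming"], "Microsoft/Windows/Recent/report.lnk", b"lnk")
        before = snapshot(roots)

        # Simulated dropper behaviour (constructed): a new "daughter" executable in Temp,
        # a hidden data file in Roaming, one file tampered with and one removed.
        _write(roots["Local"], "Temp/svchost_upd.exe", b"MZ\x90\x00")
        _write(roots["Roaming"], ".cache/keys.dat", b"\x00\x01\x02")
        _write(roots["Local"], "Temp/setup.log", b"clean install\ntampered\n")
        os.remove(os.path.join(roots["Roaming"], "Microsoft", "Windows", "Recent", "report.lnk"))
        return diff(before, snapshot(roots))


if __name__ == "__main__":
    roots = default_roots()
    if roots:
        baseline = snapshot(roots)
        input("Baseline taken. Run the sample, then press Enter to diff... ")
        print(json.dumps(diff(baseline, snapshot(roots)), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Point 6 fits the same tool: add the user's Temp directory and the Recycle Bin as further labelled roots and the diff will list what a junk cleaner would have had to remove.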
