Advice Request The way of malware downloading to machines during the test - your opinion

[Adrian Ścibor]

I hope it is right subforum to this topic.

Activity @Andy Ful is resulted change of downloading malware to machines during our tests Advanced In The Wild Malware Test, so we are internally considering changes in this regard from future editions. This is only a theory for now, but I am curious about your opinion.

How do we now select malware for the test?

1. Download malware from honeypot, feeds.

• Scan with Yara rules.
• Scan with matching patterns.

2. Run SANDBOX (no AV) and check if the malware is malicious.

• If NO, reject sample and return to ad1.

3. If YES, run TESTING (download malware to all machines with AV) -> we use our own DNS server and local domains generated pseudo-randomly because:

A. There is a problem of malware disappearing quickly - server status 404, 500, 503, etc. It's all about short life of URLs in the wild.
B. To solve this, we use hosting malware from our own server.

On the other hand, how can we download malware differently?

1. Prepare a list of URLs with malware in the wild.

• Download the malware from URL1 to the Linux host and perform Yara check and matching. Save the SHA256, original URL, server code to the database.
• Reject the malware, if the code is 404, 500, 503 or other inconsistency.

2. Download to SANDBOX ULR1 and check. if the malware is maliciouse.

• Reject the malware if it is not harmful.

3. if it is harmful, run TESTING and download ULR1 for all machines.

• Save the test result.

4. Return to ad1.

Pros:
- Potential for even better replication of so-called real-test or in the wild tests.
- Additional information for each sample: original_source_URL, source_url_scraping

Cons:
- Fewer samples - I can't predict this in advance, because it depends on whether we can find good sources of malicious URLs. Let me remind you that our Dionaea honeypot is not suitable for this.
- Big changes in the backend, so costs for implementation and performance testing.

Dear community, what do you think? Will this way of downloading malware be better? Does it matter to you? Please share additional ideas or what we can still perform better.
If implemented, the methodology will be completed and everything will be public. For now, this is just a theory.

 

[upnorth]

I hope it is right subforum to this topic.

At the moment no direct problem with the subforum, and we can always move it later to the statistics and reports forum if it would fit better there.

Dear community, what do you think? Will this way of downloading malware be better? Does it matter to you? Please share additional ideas or what we can still perform better.
If implemented, the methodology will be completed and everything will be public. For now, this is just a theory.

Personal I like that you @Adrian Ścibor reach out and try to get a better answer, as it after all in the end would create changes and impact AVLab.pl. But here's also hopefully a hint/tip on how to get a more complete and overall much more fair answer from a genuine majority of this forums users. Please create a poll.

Without a poll only those that actually will post their answers/opinions in this thread will be heard and considered. This change of malware downloads would still only effect AVLab.pl and no one else. Let me or anyone else in the staff know if you need a help with creating a poll.

Thanks for a interesting topic.

 

[Adrian Ścibor]

At the moment no direct problem with the subforum, and we can always move it later to the statistics and reports forum if it would fit better there.


Personal I like that you @Adrian Ścibor reach out and try to get a better answer, as it after all in the end would create changes and impact AVLab.pl. But here's also hopefully a hint/tip on how to get a more complete and overall much more fair answer from a genuine majority of this forums users. Please create a poll.

Without a poll only those that actually will post their answers/opinions in this thread will be heard and considered. This change of malware downloads would still only effect AVLab.pl and no one else. Let me or anyone else in the staff know if you need a help with creating a poll.

Thanks for a interesting topic.

The poll was created. The technical aspects are not important, because we will do it ourselves. What is important is to take the right direction for change.

 

[Andy Ful]

When using potentially malicious URLs, it is worth considering the real-time approach. These URLs are already considered malicious for some reason, so there are fair chances that the downloaded file will be malicious, too. The file can be run against AVs at the same time when it is analyzed. This can increase the number of malicious samples because the process of analyzing and testing one malware is significantly shorter. But, there will not be many advantages if the URL sources will contain many false positives or dead links.

 

[Adrian Ścibor]

When using potentially malicious URLs, it is worth considering the real-time approach. These URLs are already considered malicious for some reason, so there are fair chances that the downloaded file will be malicious, too. The file can be run against AVs at the same time when it is analyzed. This can increase the number of malicious samples because the process of analyzing and testing one malware is significantly shorter. But, there will not be many advantages if the URL sources will contain many false positives or dead links.

Quite good idea. However I can extend your proposition to near better for example: sample into the sandbox and testing can be analyzing the same time, BUT if the sandbox have no malicious indicators, we can reject such of result for that sample. And return to start to sample2... sample-N.

 

[Scirious]

Instead of simply rejecting a sample with no malicious indicators wouldn't it be useful to analyse possible false positives?

 

[Andy Ful]

Instead of simply rejecting a sample with no malicious indicators wouldn't it be useful to analyse possible false positives?

It can be done, but it is not so easy. The lack of malicious indicators does not necessarily mean that the file is benign. For example, it can be a script that one hour ago could download the payload from the URL, but failed now because that URL is already dead.

 

[Adrian Ścibor]

Instead of simply rejecting a sample with no malicious indicators wouldn't it be useful to analyse possible false positives?

It can be done, but it is not so easy. The lack of malicious indicators does not necessarily mean that the file is benign. For example, it can be a script that one hour ago could download the payload from the URL, but failed now because that URL is already dead.

Indeed @Scirious . Futhermore, please consider differences between vendor database and black-box analyse in real-time. As Andy said, sometimes would be very difficiult to proof that sample should be FP and not malicious. When it comes to false positive test it would seem a better idea to collect legal application. And even then it is difficult for Comodo, for example - no signature = auto-sandbox.

 

[struppigel]

Hello @Adrian Ścibor
I know this thread is somewhat old, but for some reason I missed it. Does testing here refer to AV testing?
The way malware arrives on a system is definitely relevant for AV reponse and testing. Some kind of detection signatures/technologies include context information on how the file got there. So AV can react differently depending on how the file arrived onto the system.

 

[Adrian Ścibor]

Hello @Adrian Ścibor
I know this thread is somewhat old, but for some reason I missed it. Does testing here refer to AV testing?
The way malware arrives on a system is definitely relevant for AV reponse and testing. Some kind of detection signatures/technologies include context information on how the file got there. So AV can react differently depending on how the file arrived onto the system.

Hi. The way of delivering malware to VM systems is described in methodology (step 3): Methodology » AVLab Cybersecurity Foundation
In short description: we use real Chrome Browser (every day at midnight is checking for update) to download sample from our local domain. Each of malware has own customized domain (random generated).

For Your information and Users, right now we are working on changing delivery malware method. We resign from own DNS server to host malware and customizing domains. Instead, starting from next edition of this test (November 2022), we will use a real URL malware source as link in browser Chrome bar. Of course the methodology will be updated too and other documents and describes on website with published result as well.

This is our response to recommendations from MalwareTips Users.