The way of malware downloading to machines during the test - your opinion
<blockquote data-quote="Adrian Ścibor" data-source="post: 1002217" data-attributes="member: 71496"><p>I hope this is the right subforum for this topic.</p><p>The activity of [USER=32260]@Andy Ful[/USER] has resulted in a change to how malware is downloaded to the machines during our Advanced In The Wild Malware Test, so we are internally considering changes in this regard for future editions. This is only <u>a theory for now,</u> but I am curious about your opinion.</p><p><strong>How do we currently select malware for the test?</strong></p><p>1. Download malware from honeypots and feeds.</p><ul> <li data-xf-list-type="ul">Scan with YARA rules.</li> <li data-xf-list-type="ul">Scan with matching patterns.</li> </ul><p>2. Run the SANDBOX (no AV) and check whether the malware is malicious.</p><ul> <li data-xf-list-type="ul">If NO, reject the sample and return to step 1.</li> </ul><p>3. If YES, run TESTING (download the malware to all machines with AV). We use our own DNS server and pseudo-randomly generated local domains because:</p><p>A. There is the problem of malware disappearing quickly: server status 404, 500, 503, etc. It is all about the short life of URLs in the wild.</p><p>B. To solve this, we host the malware on our own server.</p><p><strong>On the other hand, how could we download malware differently?</strong></p><p>1. Prepare a list of URLs with malware in the wild.</p><ul> <li data-xf-list-type="ul">Download the malware from URL1 to the Linux host and perform the YARA check and pattern matching. Save the SHA256, the original URL and the server status code to the database.</li> <li data-xf-list-type="ul">Reject the malware if the code is 404, 500, 503 or there is another inconsistency.</li> </ul><p>2. Download URL1 to the SANDBOX and check whether the malware is malicious.</p><ul> <li data-xf-list-type="ul">Reject the malware if it is not harmful.</li> </ul><p>3. If it is harmful, run TESTING and download URL1 on all machines.</p><ul> <li data-xf-list-type="ul">Save the test result.</li> </ul><p>4. Return to step 1.</p><p><strong>Pros:</strong></p><p>- Potential for even better replication of so-called real tests or in-the-wild tests.</p><p>- Additional information for each sample: original_source_URL, source_url_scraping</p><p><strong>Cons:</strong></p><p>- Fewer samples. I cannot predict this in advance, because it depends on whether we can find good sources of malicious URLs. Let me remind you that our Dionaea honeypot is not suitable for this.</p><p>- Big changes in the backend, so costs for implementation and performance testing.</p><p><strong>Dear community</strong>, what do you think? Will this way of downloading malware be better? Does it matter to you? Please share additional ideas or what we could still do better.</p><p>If implemented, the methodology will be completed and everything will be made public. For now, this is just a theory.</p></blockquote>
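The candidate-collection step of the proposed workflow (fetch URL, reject dead links and inconsistent responses, run pattern rules, record SHA256 / original URL / status code, then hand the survivor to the sandbox), written out as an added example. This is not AVLab's code and not part of the post above. It assumes constructed, hypothetical URLs served by an offline fake fetcher, simple byte patterns standing in for YARA rules, and an in-memory SQLite table. It also covers the "other inconsistency" case the post mentions: a server that answers 200 with a parked-domain or soft-404 HTML page instead of the file, and the same bytes arriving from two different URLs.

```python
"""Candidate collection for an in-the-wild download test: fetch each URL, reject dead
links and inconsistent bodies, run pattern rules, and record sha256/URL/status."""
import hashlib
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, str, bytes]  # (HTTP status, Content-Type, body)

# A constructed, harmless PE-looking body: DOS header magic plus the usual DOS stub text.
PE_BODY = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode"

# Constructed stand-in responses so the example runs offline (hypothetical URLs, no real malware).
SAMPLE_RESPONSES: Dict[str, Response] = {
    "http://feed.example.invalid/a.exe": (200, "application/octet-stream", PE_BODY),
    "http://feed.example.invalid/dup.exe": (200, "application/octet-stream", PE_BODY),  # same bytes, other URL
    "http://feed.example.invalid/gone.exe": (404, "text/html", b"<html>404</html>"),
    "http://feed.example.invalid/soft404.exe": (200, "text/html", b"<html><body>This domain is parked</body></html>"),
    "http://feed.example.invalid/err.exe": (503, "text/html", b""),
}

# Minimal byte-pattern "rules"; a real pipeline would compile YARA rules here instead.
PATTERNS: Dict[str, bytes] = {
    "mz_header": b"MZ",
    "dos_stub": b"This program cannot be run in DOS mode",
}


def fake_fetch(url: str) -> Response:
    """Offline replacement for an HTTP GET; unknown URLs behave like a 404."""
    return SAMPLE_RESPONSES.get(url, (404, "text/html", b""))


@dataclass
class Candidate:
    url: str
    status: int
    sha256: Optional[str]
    matched: Tuple[str, ...]
    verdict: str  # "accepted" or the reason for rejection


def classify(url: str, resp: Response) -> Candidate:
    """Apply the pre-sandbox checks: HTTP status, body consistency, pattern rules."""
    status, ctype, body = resp
    if status != 200:
        return Candidate(url, status, None, (), f"rejected: http {status}")
    digest = hashlib.sha256(body).hexdigest()
    # A 200 with an HTML body (parked domain, soft 404) is the "other inconsistency" case.
    if ctype.startswith("text/html") or not body.startswith(b"MZ"):
        return Candidate(url, status, digest, (), "rejected: body is not a PE file (soft 404 or parked page)")
    matched = tuple(name for name, pat in PATTERNS.items() if pat in body)
    if not matched:
        return Candidate(url, status, digest, (), "rejected: no rule matched")
    return Candidate(url, status, digest, matched, "accepted")


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS samples ("
        "sha256 TEXT PRIMARY KEY, original_url TEXT NOT NULL, http_status INTEGER NOT NULL, "
        "rules TEXT NOT NULL, body BLOB NOT NULL)"
    )
    return conn


def collect(urls: List[str], fetch: Callable[[str], Response] = fake_fetch,
            conn: Optional[sqlite3.Connection] = None) -> List[Candidate]:
    """Fetch every URL once, store the accepted ones, and dedupe on sha256."""
    conn = conn if conn is not None else open_db()
    results: List[Candidate] = []
    for url in urls:
        resp = fetch(url)
        cand = classify(url, resp)
        if cand.verdict == "accepted":
            cur = conn.execute(
                "INSERT OR IGNORE INTO samples VALUES (?, ?, ?, ?, ?)",
                (cand.sha256, url, cand.status, ",".join(cand.matched), resp[2]),
            )
            if cur.rowcount == 0:  # primary-key clash: same bytes already seen from another URL
                cand.verdict = "duplicate: sha256 already stored"
        results.append(cand)
    conn.commit()
    return results


def stored_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM samples").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    for c in collect(list(SAMPLE_RESPONSES), conn=db):
        print(f"{c.url:45} {c.status} {c.verdict}")
    print("stored:", stored_count(db))
```

Only rows that reach the `samples` table would go on to the sandbox step; rejected and duplicate candidates are returned with their reason so the feed source can be scored on how many live, unique samples it actually yields, which is the number that decides whether the "fewer samples" drawback is acceptable.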