How to get infected

That's is right, i'm looking for a way to get my virtual machine (and thus compartimentalized from the rest of my computers) infected.

My aim is to get something that is 2 things:
1 - it should be hard te remove.
2 - if it would be possible i would like to get Virtuemonde, since i've got that before in the past and I know this is very hard, if not the hardest, to remove.

This is for my test-setup to see which anti-malwareprogram's are any good.
For example:
Even with ESET's NOD32 anti-virus up-to-date i got infected several months ago, which lead eventually to fully re-installing Windows XP.

Now i'm trying to test this in a controlled enviroment to see which other AV-software WILL protect me from it.
On my list to try out are:
- CounterSpy
- MBAM
- ProcessGuard
- SuperAntiSpyware
- Faronic's Anti-Executable

Hopefully someone could help me with this, somewhat awkward request.

 

Maybe this thread from late 2008 will interest you: What is the easiest/best way to get infected?

 

2 of the programs on your list do not remove malware. The 2 (AE and PG) however would protect your machine much better than any blacklist program which you found out the hard way. Focus your attention on prevention and not the removal of malwares. Rather than removing malware, it's much easier, quicker and safer to restore a recent image or backup. Think about it, would you trust your machine after cleaning up an infection?

 

I agree with you, that prevention is the better strategy.

Prevention and the ability to roll-back.
Which program would yo suggest for prevention, as mentioned in my first post.
For the Roll-back I would be thinking about Faronic's DeepFreeze.

 

Your setup should be custom made to how you or others use your machine. A roll back program would essentially lock down your computer from changes. See the following posts for more info about light virtualization apps. One is from a year ago and the other is a follow up wrote a couple of weeks ago.

https://www.wilderssecurity.com/showthread.php?t=196103

https://www.wilderssecurity.com/showthread.php?t=230459

Anti-executable is a proven security app. It won't allow any type of executable to run that is not on it's whitelist. Member Rmus has started and posted in many threads with examples as to it's effectiveness.

A blacklist type of app isn't totally useless. It is just best to add some other type of protection to complement it. HIPS, whitelisting apps, sandbox apps, and behavior blockers are great companions. A HIPS with a lot of pop-ups can be confusing for a beginner but there are some that are easier to use.

It might be best to start a new topic since it's off topic from your thread title. If you ask for help with finding a security setup, be sure to state how your machine's are used. How many user and their skill levels? Will children be using the machine? Do you buy things or bank online? Do you use P2P apps or game online? Do you have a hardware firewall (router with NAT)? Any and all info will help others help you with suggestions.

PS: I am sorry for going off topic. It's just that if you have to ask how to get infected, then it's probably not best to play with malware. Besides, a small test such as what you were suggesting would not be an accurate assessment of a programs ability. In real life, one blacklist type program might be the hero and on another day a malware might walk right on in. Whatever you decide, just don't rely solely on blacklisting.

 

Have you baselined or fingerprinted your VM image so you can determine all of the changes that take place?
If you can't determine all of the changes then you can't determine the effectiveness of the cleaning.
It would be nice if Rollback RX or Eazfix could difference highlight between snapshots.
Here are some resources for what is involved in malware researching.
http://www.securityfocus.com/infocus/1780
http://malwareinfo.org/ At malwareinfo they state they have live malware samples for learning purposes. Because they are for learning purposes they may not be the latest threats around.

 

Go to Offensive Computing and register an account; then look for all of MWRCM's recent posts ... the past day ... and download whatever he mentions and execute them. That's what I did, supposedly with virtualization, and I got infected. Had to replace userinit, along with a array of other problems.

He has some quality samples; some of them disabled Windows Firewall and other security settings.

 

Thank you all for your thoughtfull reply's.
The direction that the discussion is going is, I think, a very perceptive one.

The discussion should no longer be about 1 situation, but 2 situations.

The first: - processes of which I'm aware of.
the second: - processes of which I'm unaware of.

For processes I'm aware of, an Anti-Executable/Processguard-application would be the solution.
New processes that want to copy/manifest themselfs on the background would stand out easily.
They can thereby be blocked, dismissing access to the disk/memory or CPU.

For processes I'm unaware of, an antivirus/antimalware-application would be the solution.
When doing stuff where you are a in the unknown and to outcome is not exactly overseen, for example:
- opening a binder with new (so-called legitimate) software, that could also contain malicious software
- going to unknown websites
- installing "legitimate" plugins/addons

Getting back to the issue:
My search is therefor no longer about the best antimalware-application, but which anti-executionapplication performs the blacklist/whitelist-function to the broadest extention.
In search of it, to complement my current AV-solution, ESET Anti-Virus.

I think there is a bigger tactical part on a more abstract level of this quest, then there is one on a mere simple operational level.

 

Still haven't found a way

 

In addition to my latest posting here:

I think i need to find the right balance between an AV and HIPS.
Perhaps Prevx Edge of Faronics Anti-Executable?

 

Are you running XP Home or XP Pro. If you using XP Pro you might want to have a look at the built in Software Restriction Policy feature. With either version your running you can also trying running a Limited User Account instead of Administrator. There are plenty of threads here a Wilders mentioned LUA with SuRun (a helper program) and SRP.

Have a look at the sandbox type of apps. Sandboxie can isolate a program like your browser from your system. Policy sandboxes like DefenseWall and GeSWall offer system wide protection.
http://www.sandboxie.com/
http://www.softsphere.com/ DefenseWall likes to be called a HIPS and is known to be easy to use.
http://www.gentlesecurity.com/

I use Sandboxie to isolate my internet facing applications and Online Armor HIPS with an AV. OA is fairly easy to use and I mainly use it as a "radar detector" because HIPS prompts still confuse me because I'm not knowledgeable of Windows inner workings. Anything removed from Sandboxie like downloads get scanned with 3 scanners (my AV and 2 on demand) and/or uploaded to Virustotal or Jotti. I also keep updated with the help of the Secunia Software Inspector (see siggy for link). It's a setup that works for me and my knowledge level and may not work for others. Oh, and I forgot, I use Returnil when I purposely surf dangerous sites. Recent images and data backups help too in case of an infection or hardware failure.

 

You could also try a HIPS, and be warned not only on executions...
BTW, AE (at least v2) has a default deny policy, where nothing -known or unknown- that was not in your computer in the first place can run. Very simple and effective. You install it, it whitelists all the executables it finds in your computer and after that you forget about it, all other executables in the world are blacklisted. (you can manually install new executables after that, just be sure they are clean). It's sad what they have done with v3...

 

Dear "HURST",

So do I understand it correctly that Anti-Executable is not a HIPS?
If not, what is the difference.

And what is wrong with the latter version of Anti-Executable?

 

Anti-Executable just denies EVERY application from running, except from the ones you want to allow.