Need to test a SUPER-MALWARE. Please suggest a setup.

I need to test a malware which infects bootkits, etc, whereby even a harddrive wipe cant remove it from the system.

I have no other option than to use my own pc (so live cd, etc is out of the question).

Its also anti-vm, anti-sandboxie, etc but it cant be anti-everything!
So I am thinking of testing it in a combination of:
multi-vmware, sandboxie, deep-freeze, etc.

(PS - I admittedly dont know more than vmware and sandboxie so please enlighten me).

 

Ask SteveTX, I'm sure he'll provide something .

 

hmmm??


BTW - someone also pls state the best order to use these combinations. Like Sandboxie ---> VM or VM ----> Sandboxie then vm again.

 

maybe Shadow Defender set to shadow mode, then start VM and run in there?

Best option would be to take an old hdd, put your current image on it, then run VM. If this super malware escapes, then you have lost nothing. That is what I would do if it is as bad as you say.

Sul.

 

by anti-vm do you mean that it does not execute in a vm?

There have been no confirmed cases of live VM breakout that I know of.. Also, I haven't seen too many Sandboxie breakouts either..

A lot of malware will simply not run in a VM or sandbox though.. to prevent reverse engineering.

 

Here's the start of all the gory (and BS) details: https://www.wilderssecurity.com/showpost.php?p=1842666&postcount=10

 

I agree with Sully. I would put the malware on a seperate pc as well and isolate any networking to only access to the "test pc". If you want to reuse the sacrificial hard drive, make sure you wipe it and use low level tools to zero out ring zero. Wearing a necklace of garlic cloves wouldn't hurt either.

SourMilk out

 

Hi, I don,t think there is a malware that can,t be wiped away.

As you said it is VM aware, so I will suggest a dedicated test machine with a spare hard drive for it.

 

some brilliant suggestions but even if say i use another hdd and/or truecrypt my sensitive drive, i think the malware, since it resides in bootkit, might infect the sensitive drive, once that drive is used after testing with the second hand drive.

srry, i used it in the wrong context. i meant it can bypass vm.


btw - pm'ed steve. hope he posts here.

brb later

 

i better load up on the pretzels for this.

 

Why would you have your sensitive drive connected? Why not just test with a spare drive only and remove any network connections, as others have suggested.

 

This doesn't make sense at all. Unless you mean by 'bootkit' your BIOS.
Is your malware sample able to infect your BIOS?
If not, then pulling the data cable on drive 1 and using drive 2 for testing cannot infect drive 1. Ever.
(Unless it's some kind of 'Beam me over, Scotty'-sample but I don't think mankind has arrived there yet).
And if you think you've got malware that can infect your BIOS, set a BIOS password, pull a jumper or use an EFI mobo.

 

Just zero it out. Nothing survives that.

 

Its highly unlikely such a thing exists. You are probably mistaken. You probably have a TDL4 infection, which is incredibly difficult to clean (even reinstalling won't work).

If you share the infected file you are talking about (through private channels), maybe we can assist you in cleaning it or getting your system running.

 

Hi SecureSystem, I have sent you a PM.

 

Hi there,
If even reinstalling won't work what else can one do?

 

Reset MBR, and if needed, wipe the entire disk. Flash the BIOS if it's even worse.

 

You are right. I m testing TDL4. Its not that hard to kill once u know about it - http://forums.malwarebytes.org/index.php?showtopic=88453&view=findpost&p=447501

I was just wondering if this or any such malware can bypass the traditional security setups. It is also vmaware but that doesnt mean it can bypass vm. It just doesnt install.

PS - I dont have a spare drive atm, hence the thread. But i ordered one. But I think vm would suffice.


Just to add, TDL4 HAD infected a pc of mine before the ms patch and i was fascinated by its workings and actually how difficult it was to remove. Even after several hdd wipes and whatnot, it seemed to always come back and slowed everything down.
I just wanted to test it in a controlled environment to learn more about such malwares. Cos once u know how they work, only then can u setup a secure system.


If a KNOWN malware can cause such a damage, surely there are unknown malwares that need securer and more advanced security systems than just sandboxie, AV, etc. I mean, even if one knows about the infection and it still is just so hard to get rid of it even after hdd wipes and os reinstalls, how do we protect ourselves against unknown threats. It takes security firms sometimes years to even know about a good malwares existence - once its infected a lot of machines. Thats my whole point.

 

ESET have written a very good paper if you just want to understand more about how TDL4 works:

www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf

It doesn't cover the recent bypassing of KB2506014 by newer versions of TDL4 though.

 

Thanks for that. ATM I am just researching this beast thoroughly. will check it out.

And pls dont just restrict the discussion to TDL4 only. Does anyone know of other such malwares.

 

When you say "such malwares" do you mean bootkits that bypass KPP? Or just VM aware malware?

 

No, not vmaware. Any malware can be vmaware. I guess my op is a bit hard to understand.

No i just mean any such highly-threatening malwares. They can have others ways of infecting/persisting.

I have to admit that i have only recently become security conscious and trying to further my knowledge.


Maybe, Steve can give us a list of such malware that he has come across.

 

I wonder if any users at Wilders can come across this kind of super-malware referring to our common sense.

 

- What did you use to zero the drive?
- Did you check if the first sector were all zero's, f.i. with 'Active@KillDisk'?