How to properly test malware

Discussion in 'other security issues & news' started by Mrkvonic, Jul 5, 2007.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hello,

    Here's an idea I have stated already in one of my other posts, now elaborated in detail. If anyone wishes to follow this through, they are more than welcome.

    How can one really ascertain the effectiveness of an anti-X program?

    Three setup machines, identical hardware + software, three different users. The machines should include relatively simple and standard setups, like Windows with updates from the last month, but not the latest ones, a two-way firewall, but nothing too complicated etc.

    User 1 - total noob, user 2 - somewhat experienced, in the know, user 3 - very experienced

    For a period of two weeks, three hours daily, the three guinea piglets will enjoy the Internet in the following manner:

    - They will follow about a 100 links in a variety of browsers and email clients, some of which will link to real malware sites, but also benign and test sites.
    - They will be required to download at least 10 programs on their own and install them, using their own skill to find the downloads and properly configure them, including tricky ones like codecs, java, flash, screensavers.
    - They will have to use email, send and receive emails and interact with attachments and links.
    - They will have to P2P.
    - They will need to IM and chat and follow links.
    - They will have to download a crack for some program.
    - They will do some of their regular stuff.

    All machines will be hooked up with registry, file, disk, and network analyzers.
    Image snapshots before and after the experiment will be compared.
    System errors and failures during the usage and such will be logged.
    The user will be interviewed regarding their experience with the program daily.

    I know this takes a huge amount of resources, but I don't see any other way of testing a gun that does not include real combat.

    Any takers?

    Mrk
     
  2. eniqmah

    eniqmah Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    391
    What do you hope to achieve with this? Why not replicate some Virtual machines and pretend you're 3 different people.
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hello,
    I do not hope to achieve this. I hope someone with resources will try. Pretend to be three people? It's hard being borderline demented as I am, pretending to be three will really push me over to the happy side.
    Mrk
     
  4. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    It's really, really, really hard to pretend that you're three different people.

    Dave.
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hello,
    Mike? Dave? I'm confused.
    Mrk
     
  6. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    No need to be confused Mrk - that's just how Kevin sometimes is :D
     
  7. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Super Response!
     
  8. eniqmah

    eniqmah Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    391
    Hehe

    It's not hard to be 3 people. All you players out there know what I'm talking about.

    So about the topic at hand, I'd like to get a sample of a new trojan and test it out. The link to the story is here:
    http://www.pcworld.com/article/id,134206-pg,1/article.html
    But I've not been able to locate a sample. After getting the critter, I will be 3 different people and submitt the results.
     
  9. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    1
    2
    3
    4. Compromised Baseline Honeypot

    ;)

    (assuming 4 doesn't equal 1)
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Long time no see, Czar.
    Welcome back!
    Mrk
     
Loading...
Thread Status:
Not open for further replies.