Need to test a SUPER-MALWARE. Please suggest a setup.

Discussion in 'sandboxing & virtualization' started by SecureSystem, Jul 3, 2011.

Thread Status:
Not open for further replies.
  1. SecureSystem

    SecureSystem Registered Member

    Joined:
    Jun 28, 2011
    Posts:
    24
    I need to test a malware which infects bootkits, etc, whereby even a harddrive wipe cant remove it from the system.

    I have no other option than to use my own pc (so live cd, etc is out of the question).

    Its also anti-vm, anti-sandboxie, etc but it cant be anti-everything!
    So I am thinking of testing it in a combination of:
    multi-vmware, sandboxie, deep-freeze, etc.

    (PS - I admittedly dont know more than vmware and sandboxie so please enlighten me).
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Ask SteveTX, I'm sure he'll provide something :rolleyes:.
     
  3. SecureSystem

    SecureSystem Registered Member

    Joined:
    Jun 28, 2011
    Posts:
    24
    hmmm??


    BTW - someone also pls state the best order to use these combinations. Like Sandboxie ---> VM or VM ----> Sandboxie then vm again.
     
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    maybe Shadow Defender set to shadow mode, then start VM and run in there?

    Best option would be to take an old hdd, put your current image on it, then run VM. If this super malware escapes, then you have lost nothing. That is what I would do if it is as bad as you say.

    Sul.
     
  5. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    by anti-vm do you mean that it does not execute in a vm?

    There have been no confirmed cases of live VM breakout that I know of.. Also, I haven't seen too many Sandboxie breakouts either..

    A lot of malware will simply not run in a VM or sandbox though.. to prevent reverse engineering.
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
  7. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    I agree with Sully. I would put the malware on a seperate pc as well and isolate any networking to only access to the "test pc". If you want to reuse the sacrificial hard drive, make sure you wipe it and use low level tools to zero out ring zero. Wearing a necklace of garlic cloves wouldn't hurt either.

    SourMilk out
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, I don,t think there is a malware that can,t be wiped away.

    As you said it is VM aware, so I will suggest a dedicated test machine with a spare hard drive for it.
     
  9. SecureSystem

    SecureSystem Registered Member

    Joined:
    Jun 28, 2011
    Posts:
    24
    some brilliant suggestions but even if say i use another hdd and/or truecrypt my sensitive drive, i think the malware, since it resides in bootkit, might infect the sensitive drive, once that drive is used after testing with the second hand drive.

    srry, i used it in the wrong context. i meant it can bypass vm.


    btw - pm'ed steve. hope he posts here.

    brb later
     
  10. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i better load up on the pretzels for this. ;)
     
  11. wat0114

    wat0114 Guest

    Why would you have your sensitive drive connected? Why not just test with a spare drive only and remove any network connections, as others have suggested.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    I am afraid you might not like my advice. BUT.....

    my feeling is if you have to post the question you did here, you probably aren't qualified to do the type of testing you are asking about. I'd leave it alone.


    Pete
     
  13. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    This doesn't make sense at all. Unless you mean by 'bootkit' your BIOS.
    Is your malware sample able to infect your BIOS?
    If not, then pulling the data cable on drive 1 and using drive 2 for testing cannot infect drive 1. Ever.
    (Unless it's some kind of 'Beam me over, Scotty'-sample but I don't think mankind has arrived there yet).
    And if you think you've got malware that can infect your BIOS, set a BIOS password, pull a jumper or use an EFI mobo.
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Just zero it out. Nothing survives that.
     
  15. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Its highly unlikely such a thing exists. You are probably mistaken. You probably have a TDL4 infection, which is incredibly difficult to clean (even reinstalling won't work).

    If you share the infected file you are talking about (through private channels), maybe we can assist you in cleaning it or getting your system running.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi SecureSystem, I have sent you a PM.
     
  17. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Hi there,
    If even reinstalling won't work what else can one do?
     
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Reset MBR, and if needed, wipe the entire disk. Flash the BIOS if it's even worse.
     
  19. SecureSystem

    SecureSystem Registered Member

    Joined:
    Jun 28, 2011
    Posts:
    24
    You are right. I m testing TDL4. Its not that hard to kill once u know about it - http://forums.malwarebytes.org/index.php?showtopic=88453&view=findpost&p=447501

    I was just wondering if this or any such malware can bypass the traditional security setups. It is also vmaware but that doesnt mean it can bypass vm. It just doesnt install.

    PS - I dont have a spare drive atm, hence the thread. But i ordered one. But I think vm would suffice.


    Just to add, TDL4 HAD infected a pc of mine before the ms patch and i was fascinated by its workings and actually how difficult it was to remove. Even after several hdd wipes and whatnot, it seemed to always come back and slowed everything down.
    I just wanted to test it in a controlled environment to learn more about such malwares. Cos once u know how they work, only then can u setup a secure system.


    If a KNOWN malware can cause such a damage, surely there are unknown malwares that need securer and more advanced security systems than just sandboxie, AV, etc. I mean, even if one knows about the infection and it still is just so hard to get rid of it even after hdd wipes and os reinstalls, how do we protect ourselves against unknown threats. It takes security firms sometimes years to even know about a good malwares existence - once its infected a lot of machines. Thats my whole point.
     
    Last edited: Jul 4, 2011
  20. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    ESET have written a very good paper if you just want to understand more about how TDL4 works:

    www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf

    It doesn't cover the recent bypassing of KB2506014 by newer versions of TDL4 though.
     
  21. SecureSystem

    SecureSystem Registered Member

    Joined:
    Jun 28, 2011
    Posts:
    24
    Thanks for that. ATM I am just researching this beast thoroughly. will check it out.

    And pls dont just restrict the discussion to TDL4 only. Does anyone know of other such malwares.
     
  22. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    When you say "such malwares" do you mean bootkits that bypass KPP? Or just VM aware malware?
     
  23. SecureSystem

    SecureSystem Registered Member

    Joined:
    Jun 28, 2011
    Posts:
    24
    No, not vmaware. Any malware can be vmaware. I guess my op is a bit hard to understand.

    No i just mean any such highly-threatening malwares. They can have others ways of infecting/persisting.

    I have to admit that i have only recently become security conscious and trying to further my knowledge.


    Maybe, Steve can give us a list of such malware that he has come across.
     
  24. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I wonder if any users at Wilders can come across this kind of super-malware referring to our common sense. :doubt:
     
  25. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    - What did you use to zero the drive?
    - Did you check if the first sector were all zero's, f.i. with 'Active@KillDisk'?
     
Loading...
Thread Status:
Not open for further replies.