Safe way to download malware samples

Discussion in 'malware problems & news' started by Ibrad, Aug 25, 2010.

Thread Status:
Not open for further replies.
  1. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,972
    Hi everyone,

    I would like to get into malware download and submission to AV vendors, but I have a question before I do. What is the best way to stay safe while downloading the samples? I figure downloading them via Sandboxie, submitting them, then clearing the sandbox would keep me safe, but I would like to know how y'all do it. I will not be launching the malware samples, so I can most likely do it without any changes, but I know the one time I do not try to be safe while doing it I may mistakenly click on it.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    If you have some type of anti-execution protection, then the malware sample cannot run if you click on it.

    Once downloaded, Zip it for further protection.

    ----
    rich
     
  3. Malcontent

    Malcontent Registered Member

    Joined:
    Dec 30, 2005
    Posts:
    606
    Location:
    Cleveland, Ohio USA
    Also, use a secure wipe utility to erase the samples after you are done submitting them.
     
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    And why do you feel the need to tinker :doubt: with computer equipment that costs hundreds of dollars, just to supply AV vendors with what is their job? You play with fire, you may get scorched.
     
  5. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Here I use a sandboxed FF to download samples and recover to desktop.

    I test for detections with a right click scan with MBAM and if it isn't hit then upload to VT for a report then upload the sample and report to MBAM's forum.

    Then I run the sample in either a default sandbox or a VM and try to grab any droppers for further testing.

    After I've finished I rar the samples away with the main system always virtualized with Returnil.

    It really is quite safe and easy once you get the gist of things but I still employ images as backups and do have several hard drives that I can plug/unplug on this machine.

    To me malware hunting/testing is a great pastime and is my main use of my pc.

    My favourite exploits are the Microjoin exploits which can have some new droppers every time you run them.

    Below is a pic of the droppers from running one of those exploits harvested from a default sandbox.

    [Attachment: Test.JPG]
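    The handling the posts above describe (hash the sample for a VT lookup, zip it so an accidental double-click opens nothing, then wipe the loose copy) as an added Python example; this is not code from the thread or from any of the tools mentioned, and the file names and sample bytes are constructed for the demo.

```python
import hashlib
import os
import secrets
import tempfile
import zipfile
from pathlib import Path

def hash_sample(path: Path) -> dict:
    """MD5/SHA-1/SHA-256 of the file, read in chunks; VT can be queried by any of them."""
    digests = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {n: d.hexdigest() for n, d in digests.items()}

def wipe(path: Path, chunk: int = 1 << 16) -> None:
    # Overwrite with random bytes, sync, then unlink. Caveat: SSD wear levelling and
    # journaling/COW file systems can keep old blocks; there, rely on full-disk
    # encryption or a dedicated wipe tool instead of this overwrite.
    remaining = path.stat().st_size
    with open(path, "r+b") as f:
        while remaining > 0:
            n = min(chunk, remaining)
            f.write(secrets.token_bytes(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    path.unlink()

def quarantine(path: Path, archive_dir: Path) -> dict:
    """Zip the sample under a <sha256>.bin name (no executable extension, no original
    file name), then wipe the loose copy; returns the archive path and the hashes."""
    hashes = hash_sample(path)
    archive = archive_dir / f"{hashes['sha256']}.zip"
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as z:
        z.write(path, arcname=f"{hashes['sha256']}.bin")
    wipe(path)
    return {"archive": str(archive), **hashes}

def demo(data: bytes = b"constructed placeholder bytes, not a real sample") -> dict:
    # Round-trip constructed bytes through quarantine() in a temp dir and report checks.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.exe"
        sample.write_bytes(data)
        result = quarantine(sample, Path(tmp))
        with zipfile.ZipFile(result["archive"]) as z:
            members = z.namelist()
            restored = z.read(members[0])
        result.update(original_exists=sample.exists(), members=members,
                      restored_matches=restored == data)
    return result
```

    The standard library cannot write password-protected zips, so this archive guards against an accidental launch, not against an AV scanner that looks inside archives.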
     
  6. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
    Ditto...I leave it to the experts to handle.... I like to be aware, but a hunting I will go?...a no, no! :D
     
  7. wat0114

    wat0114 Guest

    Follow Franklin's procedure, or similar, and there's no need to fear.
     
  8. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Franklin's procedure is pretty good. Enable Returnil's Session Lock, start a sandboxed browser, and download into a folder that is a forced folder, which will force anything in that download folder to start sandboxed should anything unexpected happen (double-click).

    You can also restrict your browsing sandbox to only run your browser and only allow it internet access. While you're tweaking, enable Drop Rights within Sbie. And finally you can restrict file access to prevent anything from grabbing "sensitive areas" on your computer like My Documents.

    Forced programs/folders. http://www.sandboxie.com/index.php?ProgramStartSettings

    Internet, start/run access and drop rights. http://www.sandboxie.com/index.php?RestrictionsSettings

    File access (blocked). http://www.sandboxie.com/index.php?ResourceAccessSettings#file
     
  9. wat0114

    wat0114 Guest

    I test (only on rare occasion for fun) in a vm running in an AppLocker protected standard Win7 account. I've always got verified recent images on hand in case but never needed them. If the malware is vm-aware, so be it; it matters not to me anyway.
     
  10. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    Hey! It seems you are scared not to get infected.
    I "play with fire" and don't use any protection - I just download the sample using my IE8 in protected mode and that is it. Don't worry - Windows itself has enough protections, and unless you manually execute the samples you're secure. My Windows on all computers are up-to-date to prevent cases where a malicious page can be opened. And don't worry so much, you can't lose anything. In case something goes wrong (it really can't happen if you know what you are doing), just revert back to a recent image.
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I often DL malware every day without ANY problems.

    Many times I have to disable my AV from running as it detects quite a number. If I didn't, I just keep getting intercepts and block alerts, which becomes annoying :p

    Just DL'ing them does NOT cause them to run, and as long as you don't DC them you will be fine ;) Even if I did, I have ProcessGuard and PEG to prevent them from running without my permission :)

    It won't hurt to have Sandboxie and/or ShadowDefender or Returnil as well. I have SD but don't always enable it just to DL.
     