I'm not an infosec professional, but I'm curious to poke around some of these samples. Any recommendations for good hygiene when manipulating this stuff?
If you're just playing with script kiddie stuff and not ridiculous zero days, an up-to-date virtual machine should be just fine; make sure to keep your VM up to date. VM-breaking malware is actually quite rare and usually patched quickly. This is the same stuff that keeps cloud providers safe, where anyone can execute arbitrary code in a VM on their systems; if it's good enough for them, it's probably good enough for you. Just make sure it has no access to your network.
VM-detecting malware, however, is exceedingly common: plan to have to bypass basic VM detection. Minimal knowledge of reverse engineering should make that pretty easy.
If you want/need to allow it access to the internet for dynamic analysis or botnet monitoring, I'd suggest looking into setting up a separate VM to route all the traffic over Tor or a commercial VPN provider, and allowing it access only via that VM. This way, if you manage to piss off any script kiddies, you won't be the one who gets DDoS'd.
Nothing is perfect, and if you're serious about this, consider separate hardware; but if you're not quite that paranoid, this setup is highly workable.
That last bit is no joke. I got tired of getting ssh probed, so I engineered an ssh server that could kill the client with its response (takes a bit of fuzzing and a lot of requests, but they all use the same code, so once it works it works well). For about a week it was hilarious to watch what used to be 5 to 15 hits on the server with various account and password combinations turn into exactly one request from an IP and then nothing. What's more, when IPs would come back again and again for another shot, with my ssh client killer that stopped too. I hoped it was because the error was alerting the owner of the machine that something was amiss and they were taking steps to correct it.
Needless to say, the script kiddies were not happy. Not happy at all. I think my poor old DSL line was dead for a week; I got AT&T to give me a different address block, and they said they were black-holing "hundreds of gigabytes" (which at the time was a lot) of spurious packets. Now I just use fail2ban and ignore them; it doesn't help their other victims, but it keeps me off their radar.
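For the defensive side of this (the fail2ban approach rather than the client killer), here is an added example that is not code from any commenter: a small Python sliding-window check over sshd log lines, in the spirit of fail2ban's findtime/maxretry settings. The log lines are constructed for the example and use documentation address ranges; the `window_minutes` and `maxretry` parameter names are my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd auth-log lines (not from the thread). Addresses come from
# the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:04 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Mar  3 10:00:06 host sshd[1204]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
Mar  3 10:00:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar  3 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar  3 10:05:30 host sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Mar  3 11:00:00 host sshd[1400]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar  3 11:30:00 host sshd[1401]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar  3 12:00:00 host sshd[1402]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar  3 12:30:00 host sshd[1403]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar  3 13:00:00 host sshd[1404]: Failed password for root from 192.0.2.9 port 33004 ssh2
"""

# Matches OpenSSH's "Failed password" message; syslog timestamps carry no year.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return [(timestamp, user, ip)] for every failed-password line, in file order.

    strptime fills in year 1900 for the year-less syslog timestamp; that is fine
    here because only differences between two timestamps are ever used.
    """
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            failures.append((ts, m.group("user"), m.group("ip")))
    return failures


def failures_per_ip(log_text):
    """Plain per-source totals: useful context, but not a ban decision on its own."""
    counts = defaultdict(int)
    for _ts, _user, ip in parse_failures(log_text):
        counts[ip] += 1
    return dict(counts)


def find_brute_forcers(log_text, window_minutes=10, maxretry=5):
    """Sliding-window check: a source is flagged the first time it accumulates
    `maxretry` failures within any span of `window_minutes`.

    Lines are assumed to be in chronological order, as in a real log.
    Returns {ip: time of first trigger}. Note that 192.0.2.9 in the sample has
    as many failures as 203.0.113.7 but spaced 30 minutes apart, so the
    default 10-minute window does not flag it; a wider window does.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}
    for ts, _user, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= maxretry and ip not in flagged:
            flagged[ip] = ts.strftime("%H:%M:%S")
    return flagged


if __name__ == "__main__":
    print("failures per source:", failures_per_ip(SAMPLE_LOG))
    print("flagged (10 min / 5 tries):", find_brute_forcers(SAMPLE_LOG))
    print("flagged (3 h / 5 tries):", find_brute_forcers(SAMPLE_LOG, window_minutes=180))
```

The point of the window is the same trade-off fail2ban's findtime makes: a short window catches fast dictionary runs and ignores a user who mistypes a password a few times a day, while a long window also catches slow, spread-out probing at the cost of more false positives.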
Running the server on AWS hosts might be an interesting alternative.
As a side note (I'll create a separate thread): say my host is compromised by super sophisticated malware; aside from a reformat, what other sanitisation practices can I do? Can I ever trust the hardware again? I don't think we're at a point where a firmware-compromised graphics card can't reinfect the processor?
I've never heard of malware soldering hardware implants onto the device ^^
For firmware, you need to dump it and then compare afterwards.
>I don’t think we’re at a point where a firmware compromised graphics card can’t reinfect the processor?
Nation-state firmware attacks have existed for at least a decade. Some professional hacking teams are also already making use of them. You can find PoCs, publications, talks, and blog posts for probably everything that has flashable firmware. These attacks are very real.
The only reasons you don't find that stuff in the wild are that no one is looking for it, your average antivirus won't detect it, and it's used mostly for targeted attacks where you need advanced persistence/stealth and early compromise of the OS.
Firmware security is a mess; USB, HDD, and GPU in particular. Even with all the UEFI verified/secure/whatever boot, where at least some more mitigations are in place, holes get found once in a while. Just a while ago I had an attacker pwn through a standard qemu/kvm setup and try to flash the BIOS. They weren't that successful with flashing though... because muh mitigations.
You either need to check or keep the firmware read-only.
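As an added example of the dump-and-compare check (not code from any commenter), here is a Python comparison of two raw dumps of the same flash chip: hash both, then list the byte ranges that differ outside regions you expect to change between boots. The images, the volatile region layout and the function names are all constructed for the example; a real layout comes from the vendor or from a tool that parses the image.

```python
import hashlib

# Constructed stand-in for a raw flash dump (not a real firmware image): a 4 KiB
# deterministic byte pattern plays the role of the trusted baseline dump.
BASELINE_IMAGE = bytes((i * 37 + 11) & 0xFF for i in range(4096))

# Hypothetical region that legitimately changes between boots (e.g. a variable /
# NVRAM store), given as (offset, length). Made up for this example.
NVRAM_REGION = (0x0800, 0x0400)

# A second "dump" derived from the baseline with two modifications: one inside the
# volatile region (expected) and one outside it (what the check should catch).
_tampered = bytearray(BASELINE_IMAGE)
_tampered[0x0900:0x0910] = b"\xAA" * 16
_tampered[0x0100:0x0104] = b"\xDE\xAD\xBE\xEF"
TAMPERED_IMAGE = bytes(_tampered)


def sha256_hex(data):
    """Whole-image digest: the quick equality check, and what you record at dump time."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(baseline, current, ignore=()):
    """Return [(offset, length)] for every run of bytes where current != baseline,
    dropping runs that lie entirely inside an ignored (offset, length) region.

    A size mismatch is an error rather than a diff: two dumps of the same chip
    should always be the same length, and a short read usually means the dump
    itself is bad, not that the firmware changed.
    """
    if len(baseline) != len(current):
        raise ValueError(
            f"size mismatch: baseline {len(baseline)} bytes, current {len(current)} bytes"
        )
    runs = []
    start = None
    for i, (a, b) in enumerate(zip(baseline, current)):
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(baseline) - start))

    def inside_ignored(off, length):
        return any(off >= io and off + length <= io + il for io, il in ignore)

    # A run that straddles an ignored boundary is deliberately kept: it is not
    # fully explained by the volatile region, so it deserves a look.
    return [(off, length) for off, length in runs if not inside_ignored(off, length)]


def verify_dump(baseline, current, ignore=()):
    """Return (ok, unexplained_regions). ok is True only when the image is
    byte-identical, or differs solely inside the ignored regions."""
    if sha256_hex(baseline) == sha256_hex(current):
        return True, []
    unexplained = diff_regions(baseline, current, ignore)
    return len(unexplained) == 0, unexplained


def verify_dump_files(baseline_path, current_path, ignore=()):
    """Same check for two dumps on disk, whatever your programmer wrote them as."""
    with open(baseline_path, "rb") as f:
        baseline = f.read()
    with open(current_path, "rb") as f:
        current = f.read()
    return verify_dump(baseline, current, ignore)


if __name__ == "__main__":
    ok, regions = verify_dump(BASELINE_IMAGE, TAMPERED_IMAGE, ignore=[NVRAM_REGION])
    print("baseline sha256:", sha256_hex(BASELINE_IMAGE))
    print("current  sha256:", sha256_hex(TAMPERED_IMAGE))
    print("clean:", ok)
    for off, length in regions:
        print(f"  unexplained change at 0x{off:06X}, {length} bytes")
```

The baseline only means something if it was taken with the device known-good and read by something the suspect firmware cannot lie to, i.e. an external programmer rather than a tool running on the host, and the ignore list should be as small as you can make it: every byte you exclude is a byte an implant could live in.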
If you wanna go a little bit more paranoid, use a dedicated host to virtualise those machines and connect to the host via RDP/whatever, that should create another layer of safety.
You may want to connect via a VM; there is a CVE for remote execution in FreeRDP from a compromised server. In general, anything doing video, image, or audio decompression should be an assumed vector.
I have done a fair bit of reverse engineering to date, including malware analysis. I haven't read all the comments, but of course a safe environment is important. Virtual environments can even be broken out of if you don't know how to debug simple samples that check for disassembler or debugger presence. If you want to get some hands-on experience, I recommend checking out https://nostarch.com/malware (Practical Malware Analysis); it will prepare you for messing with real-life samples. The techniques are still relevant, but the technology might be different. E.g.: IDA is great, but Ghidra is the new hotness on the street.
Anyways have fun, good luck and be safe. Most of all happy hacking :)
I agree. I am still an IDA user myself but dabble with other tools in the field to see what competitive edge they may have to offer. Whatever gets the job done :)
Depending on your level of paranoia, I wouldn't touch those except on a separate computer. I don't think a VM is sufficient; there have been reports about malware that can break out of a sandboxed environment.
This is quite dangerous unless you know what you're doing; if you execute the malware, then plan to throw away all equipment you're using to analyze it. For a next-best experience, if you're curious, you should upload one to an online malware sandbox, e.g. app.any.run, which allows you to interact with it, look at network traffic, inspect file mods, etc. All the fun, much, much less risk and hassle!
Be careful if you're trusting any of those sandbox services for accurate results, though: some malware is able to detect the VM it's running in and refuse to run the malicious payload. Oftentimes legitimate cracks will be distributed on sources like Usenet using a "binder" to attach the malicious payload to an otherwise perfectly fine crack.
As a side note, for some reason there's way more malware on Usenet than BitTorrent; I've even found it in games on major NZB sites. Possibly it's just due to seed counts weeding out the malicious ones via simple popularity in the public BitTorrent world.
Cuckoo Sandbox is a decent self-hosted tool for analysing malware, though a complete pain to set up, even with some of the scripts making parts of it easier.
This would be fine for basic malware, but the most exciting stuff (what is most likely to be of interest to an analyst) is more likely to contain VM-escape exploits and strategies.
MalwareBazaar allows users to share live samples of indicators, and not just the hashes/metadata associated with them, which threat intel platforms like AlienVault do. There are several differences between the two, but the biggest advantage (along with providing the actual malware to you) of MalwareBazaar is that it's higher fidelity: you will get far fewer false positives, as the barrier to entry is much higher. Nobody is going to label 8.8.8.8 as malicious, which happens occasionally in AlienVault. As such, this isn't really a service; it's more a way for the more advanced threat intel analysts and reverse engineers to share data.