OSR Online Lists > ntfsd
  Message 1 of 12  
03 May 17 20:09
Jimmy James
xxxxxx@gmail.com
Join Date: 15 Aug 2007
Posts To This List: 26
Verifying Malware Detection

All,

We are developing some software components, including an IFS, for detecting ransomware. As we plan this out, we're wondering how we can verify that it actually detects malicious activity. Does anyone have any thoughts on this? Would the WHQL Malware AQ test be helpful to verify that our filter will detect malicious behavior? Does anyone have some techniques that they would be willing to share?

TIA!
  Message 2 of 12  
04 May 17 01:58
Ladislav Zezula
xxxxxx@volny.cz
Join Date: 15 Jul 2003
Posts To This List: 1372
Verifying Malware Detection

Just get a few samples of ransomware and try them with your filter?
  Message 3 of 12  
04 May 17 20:09
amitr0
xxxxxx@gmail.com
Join Date: 03 Aug 2005
Posts To This List: 367
Verifying Malware Detection

The WHQL samples, sadly, won't get you much. You have to write your own malware simulators and, as Zezula said, use real malware to test. Unfortunately, this malware evolves very, very fast, so it will be difficult to keep up with it, and you will have to make your design data-driven to keep up with the changes.

Ransomware can be extremely complex, and I have seen some which are actually targeted towards specific detection engines so as to bypass them, which means that the malware writers are reverse engineering the detection software as well.

Good luck.

- ab
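A concrete shape for the "write your own simulator" and "data-driven design" advice above, as an added example that is not code from the thread or from any product mentioned in it. It is a benign user-mode simulator that produces the file-operation pattern a ransomware-aware minifilter is supposed to notice (mass read, high-entropy overwrite, rename to a new extension, ransom-note drop), confined to a scratch directory it creates and deletes itself, together with a toy detector that scores the resulting trace with tunable thresholds. The `.locked` extension, the note name, the PID, the entropy-jump and file-count thresholds, and the SHA-256-based XOR "cipher" are all made-up assumptions for the example; the cipher exists only so the overwritten data looks like ciphertext, and nothing here is a real ransomware sample.

```python
"""Benign ransomware-behaviour simulator plus a toy entropy/rename detector.

Added example, not from the OSR thread or any product. It only ever touches a
temporary directory it creates itself, and the "encryption" is a throwaway
keystream, so nothing here can lock real data.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter, defaultdict

RANSOM_EXT = ".locked"            # assumption: extension the simulator appends
NOTE_NAME = "HOW_TO_RECOVER.txt"  # assumption: ransom-note file name


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream_xor(key, data):
    """Toy stream cipher: SHA-256 over (key || counter) XORed with the data.
    NOT for real use; it only makes the overwritten bytes look like ciphertext."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "little")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def simulate(root, pid=4242):
    """Overwrite every file under `root` with ciphertext, rename it, drop a note.
    Returns the trace of file operations a filter would see, tagged with a
    made-up PID, including pre/post-write entropy for each overwrite."""
    trace = []
    key = os.urandom(32)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                before = f.read()
            after = keystream_xor(key, before)
            with open(path, "wb") as f:
                f.write(after)
            trace.append({"pid": pid, "op": "write", "path": path,
                          "entropy_before": shannon_entropy(before),
                          "entropy_after": shannon_entropy(after)})
            os.rename(path, path + RANSOM_EXT)
            trace.append({"pid": pid, "op": "rename", "path": path,
                          "new_path": path + RANSOM_EXT})
    note = os.path.join(root, NOTE_NAME)
    with open(note, "w") as f:
        f.write("your files are encrypted (simulation only)\n")
    trace.append({"pid": pid, "op": "create", "path": note})
    return trace


def score_trace(trace, entropy_jump=2.0, min_files=3):
    """Toy data-driven detector: per PID, count overwrites whose entropy rose by
    at least `entropy_jump` bits and renames that changed the extension; flag a
    PID when both counts reach `min_files`. Thresholds are data, not code, so a
    new variant can be handled by retuning rather than rebuilding."""
    per_pid = defaultdict(lambda: {"high_entropy_writes": 0, "ext_renames": 0})
    for ev in trace:
        s = per_pid[ev["pid"]]
        if ev["op"] == "write" and ev["entropy_after"] - ev["entropy_before"] >= entropy_jump:
            s["high_entropy_writes"] += 1
        elif ev["op"] == "rename" and os.path.splitext(ev["path"])[1] != os.path.splitext(ev["new_path"])[1]:
            s["ext_renames"] += 1
    return {pid: s for pid, s in per_pid.items()
            if s["high_entropy_writes"] >= min_files and s["ext_renames"] >= min_files}


def run_end_to_end(n_files=5):
    """Build a scratch corpus of low-entropy text files, run the simulator on it,
    score the trace, and report the verdict plus a sanity count of renamed files."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(n_files):
            with open(os.path.join(root, "doc%d.txt" % i), "w") as f:
                f.write("quarterly report, section %d\n" % i * 40)
        trace = simulate(root)
        verdict = score_trace(trace)
        locked = sum(name.endswith(RANSOM_EXT) for name in os.listdir(root))
    return {"flagged_pids": sorted(verdict), "locked_files": locked,
            "events": len(trace)}


if __name__ == "__main__":
    print(run_end_to_end())
```

Run it on a throwaway machine or VM anyway, the same way you would run a real sample: the point of a simulator is that you can iterate on thresholds hundreds of times without handling live malware, and a benign workload (an editor saving the same text file, a backup tool renaming files without changing their entropy) should come out unflagged at the same settings.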
  Message 4 of 12  
05 May 17 12:11
Jimmy James
xxxxxx@gmail.com
Join Date: 15 Aug 2007
Posts To This List: 26
Verifying Malware Detection

Thanks for this guys - I appreciate it!

Do you know of any sources for malware samples?

Do you have any test techniques to share? One thing in particular that I'm concerned with is protecting the rest of the lab from becoming infected, so I'm wondering how you guys do your testing. Are you guys testing on VMs or on completely isolated machines?

Thanks again.
  Message 5 of 12  
05 May 17 15:52
Mike Boucher
xxxxxx@gmail.com
Join Date: 11 Oct 2015
Posts To This List: 6
Verifying Malware Detection

The newest stuff can break out of some VMs, so I'd give serious thought to protecting the rest of your lab by air-gapping your virus machine. It may be that you still use VMs on the air-gapped machine for lots of good reasons. You can still use VMs to test dozens of OS versions and configs on one physical machine. I would not use a VM to protect the rest of the lab, however.
  Message 6 of 12  
05 May 17 16:05
Jimmy James
xxxxxx@gmail.com
Join Date: 15 Aug 2007
Posts To This List: 26
Verifying Malware Detection

Thanks Mike. It's a lot better to be safe than it is to be sorry.
  Message 7 of 12  
05 May 17 19:43
John
xxxxxx@gmail.com
Join Date: 10 May 2014
Posts To This List: 24
Verifying Malware Detection

Mr. Boucher,

Not denying that there are VM breakouts, but curious what the "newest" stuff is that you know about that actually does. A 0-day that breaks out of a VM seems a little more valuable than for use in commodity ransomware. But yeah, +1 on air-gapping test machines.
  Message 8 of 12  
05 May 17 20:24
Mike Boucher
xxxxxx@gmail.com
Join Date: 11 Oct 2015
Posts To This List: 6
Verifying Malware Detection

I was thinking about https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/ when I wrote that, but in Googling around to find it, I came across others. Something called VENOM (pretty old, doubtless fixed everywhere by now) generated a lot of excitement at the time.

As for whether there is any embedded in ransomware as opposed to other attacks, I plead ignorance. I just wanted to let our friend know that depending on a VM to contain malware was a risky strategy.

- Mike
  Message 9 of 12  
07 May 17 02:49
Ladislav Zezula
xxxxxx@volny.cz
Join Date: 15 Jul 2003
Posts To This List: 1372
Verifying Malware Detection

> Do you know of any sources for malware samples?

Unfortunately, there are people who publish ransomware, with sources, for "educational purposes". They are even on GitHub. Just google for it.

> Are you guys testing on VMs or on completely isolated machines?

You definitely don't want to test any such stuff on your working machine. Copy it into a VM, disable networking, disable shared folders, and do not use stuff like "use your actual physical drive in the VM". Yes, the VM escapes do exist, but if you get some so-called "educational" ransomware, it will not be the case.
  Message 10 of 12  
07 May 17 23:44
John
xxxxxx@gmail.com
Join Date: 10 May 2014
Posts To This List: 24
Verifying Malware Detection

Thanks Mike. Saw that too when it was published. Scary stuff.

To the OP though, it's a little disconcerting that you are writing an anti-ransomware solution but don't even know how to test it or find samples in the first place. By no means is this to discourage, but maybe a few intro courses on RE, red-teaming, and the like would be helpful before you write a driver that may help but more likely give false hope to whoever uses it. There is not a lot of margin for error with ransomware, so you either get it right or the criminal wins.
  Message 11 of 12  
08 May 17 13:40
amitr0
xxxxxx@gmail.com
Join Date: 03 Aug 2005
Posts To This List: 367
Verifying Malware Detection

> Do you know of any sources for malware samples?

VirusTotal.

- ab
  Message 12 of 12  
13 May 17 19:35
Mike Boucher
xxxxxx@gmail.com
Join Date: 11 Oct 2015
Posts To This List: 6
Verifying Malware Detection

If OP does decide to follow up on the suggestion of taking some courses or doing more reading into security-related topics, https://www.reddit.com/r/security/comments/4u0pta/41_amazing_internet_security_blogs_you_should_be/ may be a place to start. Obviously, it leads with Krebs and Schneier, but it has some other gems also.

Speaking of Schneier, he recommends Ross Anderson's book, now available at https://www.cl.cam.ac.uk/~rja14/book.html for free. It's not all ransomware, but it's all gold.