Verifying Malware Detection

All,
We are developing some software components, including an IFS for detecting
ransomware. As we plan this out, we're wondering how we can verify
that it actually detects malicious activity. Does anyone have any thoughts
on this? Would the WHQL Malware AQ test be helpful to verify that our
filter will detect malicious behavior? Does anyone have some techniques
that they would be willing to share?
TIA!

Just get a few samples of ransomware and try them with your filter?

The WHQL samples, sadly, won't get you much. You have to write your own
malware simulators and, as Zezula said, use real malware to test.
Unfortunately, this malware evolves very, very fast, so it will be difficult
to keep up with it, and you will have to make your design data driven to
keep up with the changes.

Ransomware can be extremely complex, and I have seen some which actually
are targeted towards specific detection engines so as to bypass them,
which means that the malware writers are reverse engineering the detection
software as well.

Good luck

- ab
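The "write your own malware simulators" and "make your design data driven" advice above, worked through as an added example (this is not code from anyone in the thread): a small Python harness that stages its own files in a fresh temp directory, replays the classic ransomware pattern against those files only (high-entropy overwrite, extension rename, ransom-note drop), and feeds the resulting events to a minimal reference detector whose thresholds live in a policy dict so they can be retuned as samples change. The thresholds, extension list and note names are assumptions; a real minifilter would see these as write, rename and create callbacks rather than Python events.

```python
"""
Behaviour simulator plus a small data-driven detector for exercising an
anti-ransomware file-system filter. Added example, not from the thread.
It only ever touches files it creates itself inside a fresh temp directory.
"""
from __future__ import annotations

import math
import os
import secrets
import shutil
import tempfile
from collections import Counter
from dataclasses import dataclass

# Detection thresholds kept as data so they can be tuned without code changes.
# All values here are assumptions for the example, not field-derived numbers.
POLICY = {
    "entropy_min": 7.5,      # bits/byte; encrypted or compressed data sits near 8.0
    "burst_files": 5,        # distinct files rewritten with high-entropy data
    "suspect_exts": {".locked", ".crypt", ".enc"},
    "note_names": {"README_DECRYPT.txt", "HOW_TO_RECOVER.txt"},
}


@dataclass
class FileEvent:
    """One file-system operation as a filter would observe it (simplified)."""
    op: str              # "create", "write" or "rename"
    path: str
    data: bytes = b""    # payload of a write
    new_path: str = ""   # target of a rename


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def simulate(root: str, n_files: int = 8) -> list[FileEvent]:
    """Create n_files plaintext files under root, then mimic the classic
    ransomware pattern on them: overwrite with random bytes (stand-in for
    ciphertext), rename with a new extension, drop a ransom note.
    Returns the events a filter would have seen, in order."""
    events: list[FileEvent] = []
    for i in range(n_files):
        p = os.path.join(root, f"doc{i}.txt")
        with open(p, "wb") as f:
            f.write(b"quarterly report " * 64)   # low-entropy, text-like content
        events.append(FileEvent("create", p))
    for i in range(n_files):
        p = os.path.join(root, f"doc{i}.txt")
        blob = secrets.token_bytes(4096)
        with open(p, "wb") as f:
            f.write(blob)
        events.append(FileEvent("write", p, blob))
        q = p + ".locked"
        os.replace(p, q)
        events.append(FileEvent("rename", p, new_path=q))
    note = os.path.join(root, "README_DECRYPT.txt")
    with open(note, "w") as f:
        f.write("your files are encrypted (simulated, nothing real happened)\n")
    events.append(FileEvent("create", note))
    return events


def detect(events: list[FileEvent], policy: dict = POLICY) -> dict:
    """Reference detector: flags a burst of high-entropy rewrites, renames to
    suspicious extensions and ransom-note drops. Returns the signals raised."""
    high_entropy_files: set[str] = set()
    signals: set[str] = set()
    for ev in events:
        if ev.op == "write" and shannon_entropy(ev.data) >= policy["entropy_min"]:
            high_entropy_files.add(ev.path)
            if len(high_entropy_files) >= policy["burst_files"]:
                signals.add("entropy_burst")
        elif ev.op == "rename" and os.path.splitext(ev.new_path)[1] in policy["suspect_exts"]:
            signals.add("suspect_extension")
        elif ev.op == "create" and os.path.basename(ev.path) in policy["note_names"]:
            signals.add("ransom_note")
    return {"detected": bool(signals), "signals": sorted(signals),
            "high_entropy_files": len(high_entropy_files)}


def run_simulation() -> dict:
    """Stage, simulate, detect, clean up. Never leaves the temp directory."""
    root = tempfile.mkdtemp(prefix="ransim-")
    try:
        return detect(simulate(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


def benign_events(root: str = "/tmp/benign") -> list[FileEvent]:
    """Constructed control case: ordinary edits must not trip the detector."""
    return [FileEvent("write", f"{root}/notes{i}.txt", b"meeting notes " * 50)
            for i in range(10)]


if __name__ == "__main__":
    print(run_simulation())
    print(detect(benign_events()))
```

Run it on the test box only; it never writes outside the directory it creates. Treat a pass as a smoke test of the heuristics, not as evidence against real samples: the point made above, that authors tune their code against specific engines, means the real samples you collect are the test that counts, and the benign control case matters as much as the positive one, because an anti-ransomware filter that blocks a backup tool or a compressor is also a failed filter.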

Thanks for this, guys - I appreciate it!
Do you know of any sources for malware samples?
Do you have any test techniques to share? One thing in particular that I'm
concerned with is protecting the rest of the lab from becoming infected, so
I'm wondering how you guys do your testing. Are you guys testing on VMs or on
completely isolated machines?
Thanks again.


The newest stuff can break out of some VMs, so I’d give serious thought to
protecting the rest of your lab by air-gapping your virus machine. It may
be that you still use VMs on the air-gapped machine for lots of good
reasons. You can still use VMs to test dozens of OS versions and configs
on one physical machine. I would not use a VM to protect the rest of the
lab, however.


Thanks Mike. It's a lot better to be safe than sorry.


Mr. Boucher,

Not denying that there are VM breakouts, but I'm curious what the "newest" stuff is that you know about that actually does. A 0-day that breaks out of a VM seems a little more valuable than for use in commodity ransomware. But yeah, +1 on air-gapping test machines.

I was thinking about
https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
when I wrote that, but in Googling around to find it, I came across
others. Something called VENOM (pretty old, doubtless fixed everywhere by
now) generated a lot of excitement at the time. As for whether there is
any embedded in ransomware as opposed to other attacks, I plead ignorance.
I just wanted to let our friend know that depending on a VM to contain
malware was a risky strategy.

- Mike


> Do you know of any sources for malware samples?

Unfortunately, there are people who publish ransomware, with sources, for "educational purposes". They are even on GitHub. Just google for it.

> Are you guys testing on VMs or on completely isolated machines?

You definitely don't want to test any such stuff on your working machine. Copy it into a VM, disable networking, disable shared folders, and do not use stuff like "use your actual physical drive in the VM". Yes, the VM escapes do exist, but if you get some so-called "educational" ransomware, that will not be the case.
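The three settings in that reply (no networking, no shared folders, no physical drive passed through), turned into a check as an added example that is not from the thread: it parses the output of `VBoxManage showvminfo <vm> --machinereadable` and reports attached NICs, mapped shared folders and any storage attachment whose path looks like a raw host disk. The sample output is constructed; the raw-disk test is a path heuristic and is an assumption, and VirtualBox is assumed only because its CLI output is easy to parse, the same three checks apply to any hypervisor.

```python
"""
Isolation check for a malware-test guest. Added example, not from the thread.
Feed it the text of `VBoxManage showvminfo <vm> --machinereadable`; the two
samples below are constructed to stand in for that output.
"""
import re
from typing import Dict, List

# Constructed: a badly configured guest (NAT NIC, shared folder, raw disk).
SAMPLE_VMINFO = '''\
name="ransomware-lab"
nic1="nat"
nic2="none"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="/home/analyst/samples"
"SATA-0-0"="/home/analyst/VirtualBox VMs/ransomware-lab/raw-physical-disk.vmdk"
"SATA-1-0"="none"
'''

# Constructed: the same guest after applying the advice above.
SAFE_VMINFO = '''\
name="ransomware-lab"
nic1="none"
nic2="none"
"SATA-0-0"="/home/analyst/VirtualBox VMs/ransomware-lab/ransomware-lab.vdi"
'''

# Lines look like key="value" or "key"="value"; keys may contain spaces.
_LINE = re.compile(r'^"?(?P<key>[^"=]+)"?=(?P<val>.*)$')

# Assumption: raw-disk attachments show up with a device-like path or a
# descriptive name. The authoritative check is the VMDK descriptor itself.
_RAW_DISK = re.compile(r"\braw\b|PhysicalDrive|/dev/", re.IGNORECASE)


def parse_vminfo(text: str) -> Dict[str, str]:
    """Turn --machinereadable output into a key -> value mapping."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            cfg[m.group("key")] = m.group("val").strip('"')
    return cfg


def isolation_findings(cfg: Dict[str, str]) -> List[str]:
    """Return one human-readable finding per violated isolation rule."""
    findings: List[str] = []
    for key, val in cfg.items():
        # Rule 1: every NIC must be detached.
        if re.fullmatch(r"nic\d+", key) and val != "none":
            findings.append(f"{key} attached ({val}); set it to none")
        # Rule 2: no shared folders, permanent or transient.
        if key.startswith("SharedFolderName"):
            findings.append(f"shared folder {val!r} mapped; remove it")
        # Rule 3: storage attachments (e.g. "SATA-0-0") must be image files,
        # never the host's physical drive.
        if re.fullmatch(r".+-\d+-\d+", key) and _RAW_DISK.search(val):
            findings.append(f"{key} looks like a raw host disk ({val}); use a disk image")
    return findings


def is_isolated(text: str) -> bool:
    return not isolation_findings(parse_vminfo(text))


if __name__ == "__main__":
    for f in isolation_findings(parse_vminfo(SAMPLE_VMINFO)):
        print("FAIL:", f)
    print("safe config isolated:", is_isolated(SAFE_VMINFO))
```

Run it as part of the lab's pre-flight before the sample is copied in, and re-run it after any snapshot restore, since a restored snapshot brings back whatever network and folder settings it was taken with. For the raw-disk rule, the path heuristic is only a first pass; open the attached .vmdk descriptor and confirm it is not a raw-device mapping if there is any doubt.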

Thanks Mike. Saw that too when it published. Scary stuff.

To the OP though, it's a little disconcerting that you are writing an anti-ransomware solution but don't even know how to test it or find samples in the first place. By no means is this meant to discourage, but maybe a few intro courses on RE, red-teaming, and the like would be helpful before you write a driver that may help but more likely give false hope to whoever uses it. There is not a lot of margin for error with ransomware, so you either get it right or the criminal wins.

>Do you know of any sources for malware samples?

virustotal

- ab

If OP does decide to follow up on the suggestion of taking some courses or
doing more reading into security-related topics,
https://www.reddit.com/r/security/comments/4u0pta/41_amazing_internet_security_blogs_you_should_be/
may be a place to start. Obviously, it leads with Krebs and Schneier, but
it has some other gems also. Speaking of Schneier, he recommends Ross
Anderson’s book, now available at https://www.cl.cam.ac.uk/~rja14/book.html
for free. It’s not all ransomware, but it’s all gold.

—
NTFSD is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer