How to Identify unknown thread?

Discussion in 'Computers Help' started by daljeet, Dec 2, 2017.

  1. daljeet

    daljeet Senior Member Known Member

    I personally want to ask question I see guys doing malware testing here many talented peoples here. Back to the question "How to know file is infected with malware and how to identify it if its unknown?" I now we can use AV to find it but most new malware is pass through Av security so there is any way to identify it.
    grr, RGiskardR, silversurfer and 2 others like this.
  2. Google Adsense

  3. Der.Reisende

    Der.Reisende Malware Tester Silver Member

    If you're not sure whether a file is safe, I'd:

    -upload to VirusTotal (
    -upload to HybridAnalysis (
    -boot up my VM / ShadowDefender (last only when there's no personal data on the device you're running ShadowDefender on // the personal data is safely encrypted so nobody can deal with it when malware "shares" it over the net)
    -boot up a VPN
    -boot up SysInternals AutoRuns, TCPView and ProcessExplorer and try to put the 3 windows around the screen so you can spot new processes easily
    -set your AV software's firewall to always ask to be notified about outbound connection attempts
    -check system with Norton Power Eraser, Zemana AntiMalware / AntiLogger and HitmanPro (first and last one named will deepscan, they might lead to FP however).

    Make sure to have a backup of your data! Don't store passwords on the machine you run the possible malware on!

    As for Malware Analysis help, please refer to @Trim / @revC0de / @kram7750 :)

    ShadowDefender trial:

    SysInternals AutoRuns:
    SysInternals PE:
    SysInternals TCPView:

    ZAL Trial:
    HMP trial:
    grr, revC0de, Trim and 5 others like this.
  4. kram7750

    kram7750 Member Known Member

    If it is unknown malware and you aren't doing malware analysis then there's nothing you can do; if you're doing malware analysis then you can check for malicious activity and if you find any then you know it is malware - you can also identify suspicious behavior which is not confirmed to be malicious but provides strange flags and in that scenario then avoid the software once again.

    An easier route is just to submit the samples to vendors if you are unsure. Wait a few days for the verdict response and if they come back saying it is clean then it should be fine. This is the easier route if you aren't a malware analyst and have no intention of actually studying malware analysis.

    Bear in mind that if you do want to become a malware analyst, you have to do a lot. It isn't all that it seems, you don't just become a "malware analyst". If was in your shoes and wanted to get into it, I'd start by learning some programming languages which are high-level like the .NET Framework and then get into reversing .NET samples (MSIL) with decompilation. At this point you'll also go through deobfuscation techniques for obfuscated MSIL samples. Then I'd expand to lower-level languages such as C++, C and Assembly. After you've studied 32-bit and 64-bit Assembly you can do disassembly which is appropriate for native malicious software (because unlike with MSIL you cannot just reverse a native sample to view readable source code, the compiler strips out useful data so you are left assessing the instructions from the bytes and you can use plugins with software like IDA to generate pseudo-code in C but still you should know ASM properly to do it right). After doing all this though then I'd suggest studying the Win32 API so you can understand different routines and how they work to understand why a sample calls a routine it does and what the purpose may be.

    There's a lot to it. If you don't want to study malware analysis then it is easier to just let an analyst at a vendor handle it for you by waiting for the response of the submission, after all they do get paid to handle the submission requests. You can use online sandboxing like Hybrid-Analysis for sure but once again you need to have experience to know what you're doing to interpret the results properly because the verdict score can be maximum for clean samples too, it isn't reliable. The logs may say a sample accessed these files and registry keys but that doesn't mean the sample itself did this, internal Windows routines may do it for something unrelated triggered by the sample... so just because a sandbox result with Cuckoo or H-A says something doesn't mean the authors code within the sample actually did it itself for a reason related to the payload functionality. If that makes any sense.

    Not to mention anti-reversing techniques to prevent debugging, mask API calls, make disassembly a whole lot harder. Packing in general will mess you over to spend more time and there's new packers all the time doing different combinations. Typically what you can do is use a debugger (watch out for anti-debugging tricks to bypass them) and then dump the sample to disk from memory after stepping through the decryption routine in memory for the packer functionality. Although you'd have to fix the Import Address Table and maybe other things like the PE File Header if that stuff is erased in-memory prior to you dumping to disk. :)

    If you want to take on those things on a serious level you'll be forced to study winternals. Which is basically going deeper into understanding how the Windows Kernel operates and how the UM components from Windows will communicate with the kernel. Because some of the anti-reversing techniques take leverage of this intelligence so general analysts who lack XP in areas which are less documented or much more lower level get fooled and are unable to continue properly.

    You can look at the Strings, IAT/EAT, API calls from dynamic logs (e.g. affected registry keys, process operations, file system events, etc.). I advise you to just stop once you've found malicious activity unless you're doing a full analysis check and then move onto the next sample which most analysts tend to do because if you know a sample is already malicious and have 50 samples to analyse then it'd take too long to do 100% for each of those 50 samples in a professional realistic environment.

    Follow the advice from @Der.Reisende, make sure you have a safe environment and remember that malware can still steal data in such environments. Keep the VM free from personal data - for this reason please use a VM and not Shadow Defender (I see why some use SD but because malware can steal passwords stored by the browser on-disk, chat logs and personal files, I really recommend against it). Use a VPN on the Host and I actually suggest you spoof the network so you don't assist in botnet operations which can affect targeted services/individuals as much as possible. Even if you use VPN to hide your IP from an attacker when the malware connects to the C&C (Command and Control server), the attacker may cause the sample to perform a DDOS attack so while most testers don't acknowledge the severity of this, whilst testing samples be cautious so you limit your own network being abused by malware contained in analysis from affecting others due to the attackers requests.

    @Trim and @revC0de should definitely be able to help you out as well. I hope they'll provide their advice here as well because it will be very helpful to you. Those two both do a lot of MA work. You can read their threads here as well which should help you out.
    grr, revC0de, Trim and 5 others like this.
  5. daljeet

    daljeet Senior Member Known Member

    Thankyou @Der.Reisende @kram7750 for Awesome,wondrous,impressive information :read:
    I will implement your all advice
    I have little book knowledge and keep learing your info help me alot
    grr, revC0de, kram7750 and 3 others like this.
  6. Trim

    Trim MTAC Moderator Staff Member Member Of Month - Tweakbytes Defender

    Already given advices are good, surely it isn't easy to analyze a sample and say that it is 100% malicious. Of course you can search for suspicious behaviours with already mentioned tools, you can analyze source code of a sample (reverse engineering process), or analyze imports, methods, etc. Or you can also perform a dynamic malware analysis approach, by analyzing what happens when the malware is executed (you can use Ollydbg to view the details during analysis), or also check the modifies performed by the malware (for example a ransomware would encrypt perfonal files and data), or you could analyze what happens with the registry.
    Please keep in mind that all those operations must be done in a safe environment (VMWare or VirtualBox or Shadow Defender).
    If you want to share with us your work please follow our rules for "MTAC Analysis" subforum:
    grr, revC0de, kram7750 and 4 others like this.
  7. daljeet

    daljeet Senior Member Known Member

    Thanks @Trim I keep your advice and I prepared my Virtual box for testing. Dynamic testing is good for me instead of static for now. I join you guys in future :shake:
  8. revC0de

    revC0de MTAC Moderator Staff Member

    Another tool I would want to mention is SecureMyBit DeepHeuristic Scan: easy to use, fast and completely customizable.
    I will test it out soon, it uses only an heuristic scan to detect suspicious behaviour in EXE files, it also gives us strange indicators related to suspicious activities. As already mentioned malware analysis is a really interesting process to understand how a sample works and how a file infect a PC, but it requires a lot of knowledge (especially of some programming language: assembly, .NET languages, C++, Java, and others.)
    As @Trim said please look at our rules.
    grr, kram7750, Trim and 4 others like this.
  9. daljeet

    daljeet Senior Member Known Member

    It is true virus can bypass virtual machine containment and infect the host machine.
    I find this on microsoft website when surfing about malware

  10. revC0de

    revC0de MTAC Moderator Staff Member

    On the theoretical line we could imagine that the virtualization environment has a serious bug which doesn't guarantee a perfect isolation of the execution context of the virtual machines at microprocessor or memory map level. A malware specifically designed for a specific security flaw and for a specific virtualizer "could" exploit the situation to bypass the VM.
    It is a highly unlikely circumstance and among other things, it would be just for the specific virtualizer with that bug and only if the manufacturer does not discover and correct it; so a malware of that type, because of its extreme specificity and for its short spread time, wouldn't have the ability to spread itself in a significant way.

    The only way a malware infection could realistically propagate from a virtual machine to the host, is via the network. Even if the machines are virtual and connected through a virtual network, they are always network connected machines. The mechanisms of propagation and attack are the same as physical machines and physical networks: then a malware can propagate and act through HDD and autorun sharing, by infecting via hooking mechanisms, remote execution, or by conventional security flaws
    in the same way a malware would exploit them to propagate from physical PCs connected in physical network.

    But in my long experience working with live malware on VMs, none of them has ever infected the host system.

    Of course "never say never" :D
    daljeet, grr, kram7750 and 4 others like this.
  11. kram7750

    kram7750 Member Known Member

Share This Page