Jump to content
Existing user? Sign In

Sign In

Sign Up
  1. What's new in this club
  2. In this guide we will setup a malware testing environment with VirtualBox and windows 7. Use this environment to test any files you do NOT trust to ensure your main device is not infected should it be malware you're opening. Part 1 will be covered in the video below, Part 2 can be found at the bottom of this thread. Part 1: Setting up the VM with Windows 7. Requirements - VirtualBox Virtual Machine software. https://www.virtualbox.org/wiki/Downloads - Windows 7 ISO I expect you to be able to find your own source for that. Setup & installation process. https://www.youtube.com/watch?v=0_JdKyYGJbs Part 2: Putting together a malware analysis toolkit. Useful tools -Comodo firewall Firewall that monitors your incoming and outgoing traffic. https://personalfirewall.comodo.com/ -MalwareBytes anti-malware Anti virus software. https://www.malwarebytes.org/antimalware/ -Unlocker Useful when removing malware, can unlock, destroy, etc.. files. http://filehippo.com/download_unlocker/ -Regshot Shows system and registery chances before and after your machine has been infected. https://sourceforge.net/projects/regshot/ -IDA Freeware / Ollydbg Disassembler & debugger that can help you reverse engineer compiled executeables and help you analyze their code, etc.. https://www.hex-rays.com/products/ida/support/download_freeware.shtml http://www.ollydbg.de/ -OllyDumpEx Memory dumper that dumps the system's memory in a file to help you disassemble a packed executable where the instructions are encoded or encrypted. http://low-priority.appspot.com/ollydumpex/ -Process explorer / Process hacker Replacement for task manager, helps you manage malicious processes. https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx http://processhacker.sourceforge.net/ -Wireshark Popular network sniffer, useful to detect malicious network communication requests. https://www.wireshark.org/#download -ProcDOT / Process monitor A file and registry monitor useful to show you how malware plants itself on your machine. http://www.procdot.com/downloadprocdotbinaries.htm https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx Useful online tools http://app.webinspector.com/ http://www.threatexpert.com/submit.aspx https://malwr.com/ http://anubis.iseclab.org/ http://virustotal.com The above websites are useful for reverse engineering malware. Final steps When you have downloaded your desired tools, install Microsoft .NET Framework 4.5.2. When that is done, take a snapshot on your VM so you have a clean VM to restore back to. 1. Go to "Machine" -> "Take Snapshot..." . 2. Name it and hit "Ok". 3. The VM will now save it's current state. When you want to restore your VM after testing malware, hit the "X" in the top right corner and select "Power off the machine" & "Restore to current snapshot (snapshot name)". As you can see it will be rolled back to your clean VM. If you're going to transfer files via a shared folder, make sure it's on READ ONLY, when you're doing testing make sure you DISCONNECT the folder. I personally use a USB drive to transfer, to prevent the malware I'm testing to escape the VM. That's the end of this guide, I hope everyone was able to setup their VM, if something went wrong or you have any questions, don't hesitate to post them below. I will do my best to answer all your questions. I welcome all critics, good or bad on my threads so feel free to leave a reply.
  3. Hey everyone, Here's a small guide on how to avoid getting infected and having your account, etc.. compromised, I'm sure some of you have been infected before and know it can be a pain in the ass. It's important to be cautious now a days on the internet where malware has become an epidemic, the last thing we want is for our privacy to be invaded and to have our property stolen. Without further ado, let's dive straight into it with our first part, "Use your common sense!". Use your common sense! Now this is our first layer of protection, you may have the required AV and FW software but if you're going to be careless about accepting files from people and downloading software (account checkers, crackers, rsps sources and whatnot) from google, you're eventually setting yourself up to be infected. I can't stress enough that you should be careful accepting files from anyone, it could be someone you fully trust, DON'T FORGET, we're on the internet.. Him/her could turn on you in a heartbeat if for instance they have been banned on the certain platform you're using and have "nothing to lose", not just that.. They could be compromised themselves and without you realizing you could be speaking with the "hacker". To give you a view on how quick it happens, let's take a look at the following situation.. Bob wants to infect Alice because she has a shit ton of virtual currency but Alice isn't stupid and doesn't trust strangers.. So Bob decides to infect one of Alice's close friends, "Jack" and impersonate him. Bob has now befriended Jack, infected him and gained access to his Skype, now Posing as "Jack" he tricks Alice into accepting a file on skype and infects her. Of course Alice would have her guard down in a situation like that and would be less careful since in her mind she's talking to one of her close friends "Jack" as usual. I have tried this myself with the same outcome and it just goes to show how careless people can be when dealing with someone they know, while that person could easily be compromised himself. Regardless of who and why it is you're dealing with, use your brain and don't accept any executeables. If you really have to, how hard is testing it on a VM? If it were to be malware you just saved yourself a bunch of trouble. Now downloading files via google searching.. We all know a lot of people are cheap and want free stuff, so instead of buying the product (account checker, cracker, whatever..) they begin their search on google to download it for free. Why is this a bad idea? Well first of, you don't know the person who published the thread, someone with malicious intend can easily use it as a niche to infect people. I have seen it happen countless of times and would say that a good 50% if not more of people getting infected is due to carelessly downloading ware from random forums and websites. Malware is like an epidemic, it's everywhere and if you're not careful and aware of what you download and accept from people, you're going to get infected someday. Link to my tutorial on how to setup a VM with windows 7 for malware testing purposes. (Will be posted soon) Having the correct security software. This is also crucial.. It's highly recommended to have Antivirus AND firewall software on your computer. Now we all know why we need an Antivirus, buy why a firewall? Let's look at the following two situations.. Situation 1: I have an antivirus (ESET), no firewall and have just downloaded FUD malware, my AV did not pick up on it and I just opened it and got infected. Situation 2: I have both an antivrus (ESET) and a firewall (Comodo), I download FUD malware, it goes unnoticed by my ESET AV, I open the file and Comodo pops up, alerting me about my incoming and outgoing connections, example; "xxx.xx.xx.xx (IP) is trying to establish a connection", I hit terminate. In situation 2 I just saved myself from being infected by having that firewall. So if you want to stay safe, just an AV won't do, get a firewall like Comodo, they're extremely effective. Also remember to keep your Security software UP-TO-DATE. I personally use ESET AV and Comodo firewall. https://www.comodo.com http://www.eset.com/ Locally storing sensitive data. A really bad thing people do is save sensitive information on their computer in .txt files or emails. For example, let's say you have some important account and had previously forgotten your password and requested a password resset, now some websites will email you the resset password, if you do not change this temporary password or remove the email a person with malicious intend could easily use that to their advantage. Same thing goes for txt files with ftp, cp, etc.. information, it would only take a few minutes to search for those files and use it to access your accounts. If you have to send login details to a project partner use something like privnote and make it clear that he has to write the details down on paper or phone and not in a .txt file, same goes for you, if you want to save your passwords somewhere, write it down on a paper or on your phone. Better safe than sorry, it's extremely easy to use a file-manager on the RAT and search for "password" or whatever. Also don't send details via Skype, etc.. those logs can also be accessed. If you have done this in the past, you can remove these logs by doing the following.. Download SQLite browser http://sqlitebrowser.org/ Open SQLite browser, hit "New database", select the "main.db" file and click on the "Browse data" tab, then under "Table:" select "Messages" and hit the blank square next to "id", this will select all your messages. Now hit "Delete record". Now hit "File" -> "Write changes", close SQLite. (If the folder "appdata" does not show, search for "folder options" in start and open it, you should see what is shown on the picture below, edit your settings so it matches the picture.) To exchange sensitive data with someone (partner, etc..).. http://privnote.com https://onetimesecret.com Use the authenticators! This is an important feature and the last line of defense, protecting your account from unauthorized access. I know many may find that filling in the code every time is a pain in the ass but I guarantee you that once you're in a situation where you have been infected , you would wish to go back and have that authenticator on your account. Better safe than sorry so use every security features to their fullest extent, regardless of the extra work that is involved. Saving passwords. This is something you really must not do, all passwords such as on Chrome are stored in a file that can be accessed, we have all seen the password stealers on RAT's , etc.. they will pull any password you ever saved on your computer. To avoid this NEVER save passwords or have it on "remember me now" you can also clear all saved passwords with something like ccleaner but if i were you i just would not even save them. When you're infected and they try to steal your account the password stealer will return blank, their only option would be using the keylogger. Now when they try to use the keylogger instead, chances are that your firewall (if you have one) will notify you that a program is trying to send out data since a keylogger requires your computer to send out the keystrokes to their ftp, smtp, etc.. A keylogger's biggest weakness is that it cannot log what is not typed via the keyboard. Use a secure password manager that encrypts the passwords unlike the traditional browser password saving system. I recommend LastPass 3.0 They use 256-bit AES encryption and one-way salted hash which can not be reversed. As mentioned above, use the phone authenticators on your accounts, this is a strong layer of protection, if your password were to be found out they would still have no access to the account. ccleaner link.. https://www.piriform.com/ccleaner/download Bleachbit link.. http://bleachbit.sourceforge.net/ LastPass link.. https://lastpass.com/simpledownload.php Keep yourself up-do-date. What I mean by this is that if you yourself are aware of the methods people use to infect others, what you should and shouldn't do, you can easily prevent being a victim of malware yourself. Let's take as an example.. the screensaver steam spreading method. If you would not be aware of the fact that people use that method to infect steam users and someone were to use it on you, you would have no idea what's happening and click the message, thinking it will be a picture. Prevention is better than cure. What to do when infected? Tools used. Regedit Netstat msconfig CCleaner Comodo AV software How can i easily check if i'm infected? 1. Run a scan on your system. 2. Check out a few well known spreading methods and determine whether or not you fell for it. 3. Look if any files, accounts, .. are missing. 4. If you noticed suspicious things happening such as webcam light, mouse moving, random typing, weird piano sounds or voices, ect.. 5. Check your system manually for a suspicious file or connection (explained below) I actually think my computer is infected! Don't worry, we are going to get rid of the intruder. First go to Windows start and type in "cmd", command prompt should show up in the list, right click it and select "run as administrator". Command prompt should now open. Now that cmd prompt is open there's one last thing we should do as preparation to make our life easier. Close all programs that are connected with the internet (browsers, skype, steam, ect..) You may even go as far as closing all programs that are connected to the internet for updating purposes. Once you think most is closed you want to open cmd prompt and type in the following.. netstat -b As you can see a list of connections will appear, this will probably not be much since you closed most programs connected to the internet, now it'll be easier to spot the bin. Go through the list and look for a filename that looks odd or that you think you have downloaded recently and shouldn't be having an active connection. Once you found the program in the list you want remember the name, write down the ip connected to it and immediately pull out your internet cable (closing your internet connection). Open your AV and run a scan on your system, if a virus comes up, get it removed. When all is removed put in your internet cable and download Comodo, if you already have comodo, restart your computer. Now when you restart your computer comodo should tell you every incoming and outgoing connection upon starting your computer, if you see any connection that could be from a RAT it means that it was not successfully removed and that the bin is probably either run-time or scan-time crypted. If you don't see anything suspicious and the rat is removed, congrats! For those who didn't succeed by trying the previous, don't worry you have a few options left, lets go through them. Remember we wrote down the name of the bin when using netstat earlier? Look for that file on your system and upload it to virustotal, this will result in the bin being detected and the file being removed once you run a new scan, note that it's smart to keep your internet use minimal during the time AV's update and the bin gets detected. (You can find the file by partially following the steps below) If you're more of a hands on person and don't want to sit around waiting and rather do everything yourself, you can do the following. Open msconfig and go to the "Startup" tab, you should see the following.. Look for a program that looks suspicious by keeping an eye on "startup item" and "manufacturer" if the startup item is a weird name and the manufacturer is unknown it may be a RAT. To be sure keep looking and if nothing else looks out of the ordinary, uncheck all files (if they're checked) and select the suspicious file you spotted earlier and click on "disable all". Make sure you write down the name and location of the suspected bin! Now go to the "boot" tab and select safe mode. What you do next is run msconfig in safemode, if the rat is persistent it'll still be in the list but it WON'T be running since we are in safemode atm. Now it's just a matter of finding the source. Make sure you're still in safemode and open "Regedit" (make sure you have "show hidden files and folders" enabled or you won't find it) If you successfully opened regedit you should be looking at something like this.. Remember we also were able to see the file location back in msconfig? Look at the file location again (in msconfig) and navigate to it (in regedit). The location should somewhat look like this.. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\... If you navigated to the location correctly you should be seeing this.. You should now have spotted the file (you saw in msconfig) in this list. If not look at the location again and make sure it's the correct one. Now right click on the bin and click modify and you should see this.. Now if you're not completely sure if it is indeed the bin, put a ":" or something infront of it to disable it but still have it on your system (in case it's something else). If you are sure it's the bin, you can completely delete it instead of modifying. To make sure it's gone go back to msconfig and see if it's in the startup list, it should be completely gone now, if not you did something wrong in previous steps and you should go over it again or just following the previous method. Now for the last step we are going to download CCleaner and scan for issues in our registry. Hit the "registery" tab and click on "scan for issues", you should see something like this.. When all is done, hit "Fix selected issues" and you should be done. Sum up.. So basically it comes down to.. - Using your common sense, don't accept and open files carelessly, think about the risks and takes the correct measures to ensure you're safe from being infected (using a vm to test the file). - Have the correct security software on your device, just an antivirus won't suffice as it doesn't monitor your in and outbound traffic. Get a firewall as well and keep them updated. - Don't store sensitive information in the form of a text file on your computer itself, if someone gets access to your computer he can take advantage of the information you locally stored. - Use the authenticators, I can't stress this enough, it may be a bit of a hassle having to fill in the auth code every time but it's a bulletproof defense to secure your account against unauthorized access. - Don't save your passwords, they can be accessed easily and it would result in them having all the passwords you saved on your browser, defend yourself against keyloggers as well if you want to ensure your passwords are safe. - Keep yourself up to date with spreading methods, etc.. Know how it works so you can prevent it from happening to you. This sums up the guide, I know that to many people this may seem common sense but surprisingly enough tons of people everywhere get infected. I myself have never been infected before since I have always been cautious accepting files and had good security software and when it comes down to it it's really easy to not fall victim to viruses, if you ask me. I hope this guide was helpful to some, I will probably update this in the near future or when questions are asked in the replies. If you ever need help regarding malware, contact me without hesitation.



RSPS Partners


What is a RSPS?

A RSPS, also known as RuneScape private server, is an online game based on RuneScape, and controlled by independent individuals.

Popular RSPS Servers

oldschoolrsps Runewild RedemptionRSPS


Runesuite is not affiliated with runescape, jagex, rune-server and runelocus in any way & exists solely for educational purposes.

  • Create New...