6

Yesterday I started some hacking tutorials on http://xeushack.com/tutorials/ by curiosity. I used the Android app to read the different articles about different ways of "hacking". The author clearly stated that some of them shouldn't be reproduce because they would basically harm the computer, such as the famous Zip bomb and Fork bomb or even Folder blaster.

So, I'm wondering what would be the best way for me to reproduces these "malwares" without doing harm to my own computer. But I'm also interested of finding a way that I could use for many different kind of malware/virus testing/development.

The first solution that comes to my mind is to use a Virtual Machine, so I could take a snapshot of the VM once installed and do whatever on it without harming the real OS. But I don't know for sure if this is the best solution and even if it's gonna work or not. I guess it would, but that's a guess.

Vadorequest
  • 161
  • 1
  • 4
  • 2
    I'm not convinced a fork bomb would harm the computer - it will use up all your memory and CPU cycles, but rebooting should sort that. If you're experimenting, using a VM should be safe, but don't run anything you don't understand, just in case. You could also grab a disposable computer, such as a Raspberry Pi, and try things on that. I'd suggest keeping it disconnected from your network though. – Matthew Nov 20 '15 at 13:40
  • @Matthew Indeed, the fork bomb wouldn't harm the computer, just make it crash. On the contrary the Zip bomn and folder blaster could really harm the OS and it may be required to reinstall it afterwards because of OS corruption. The Raspberry may be a good idea also. Thanks. – Vadorequest Nov 20 '15 at 13:43
  • 1
    Here's an answer [related to malware analysis](http://security.stackexchange.com/questions/84681/what-are-ways-i-can-analyze-malware-in-an-infected-machine-not-just-clean-it) which is essentially testing malware. – RoraΖ Nov 20 '15 at 13:53
  • Of course, many hackers actually *don't* test their malware. http://www.bleepingcomputer.com/news/security/shoddy-programming-causes-new-ransomware-to-destroy-your-data/ – Scott C Wilson Nov 22 '15 at 16:19

3 Answers3

5

How do professional hackers to test their own malwares/viruses without harming their own computer?

Almost all malware, if not all, works by obscurity. Once you understand how it works, and you have the appropriate skill-set, you can defeat it quite easily. If it's your own malware and viruses, then it's really quite simple: you know exactly what your malware does, and how to defeat it, correct? After all, you programmed it.

While yes, I agree in general with the use of a Virtual Machine, it isn't 100%. Nothing is 100%. You can infect your own machines, whether they're online or offline, and do interesting things with them.

You can observe how the malware interacts with your environment through many different methods. Here are some notable examples:

  1. Observing all changes to the file system, and/or hard drives.
  2. Observing memory
  3. Debuggers such as OllyDbg, or IDA Pro.
  4. Network packet-capturing tools such as Wireshark.

Disable the Virtual Machine's internet connection for best results

While others talk about malware "possibly escaping" the Virtual Machine, it isn't very likely, though it is possible. Even if the malware could detect that it's running inside a virtual machine, that doesn't help much unless the malware self-destructs upon detecting a virtual environment.

Even if a VM isn't detected, a piece of malware could simply try to escape it by assuming it may be there. So methods to prevent the malware from detecting it's inside a VM may not work, unless it's the type that self-destructs when detecting it.

Regarding the "attacks" you've mentioned, let's take a look at the results of them, assuming you can remove the infections:

  1. Zip bomb
    • A zip bomb, also known as a zip of death or decompression bomb, is a malicious archive file designed to crash or render useless the program or system reading it. It is often employed to disable antivirus software, in order to create an opening for more traditional viruses.
    • After removing the infection, the left-behind zip-bomb can be nullified by deleting the files. If you made this yourself, simply make a cleanup routine. If you didn't make it yourself, simply make a cleanup routine. If the program is still forcibly running, you can reboot.
    • Won't cause physical problems with your hardware.
  2. Fork bomb
    • In computing, a fork bomb (also called rabbit virus or wabbit) is a denial-of-service attack wherein a process continually replicates itself to deplete available system resources, causing resource starvation and slowing or crashing the system.
    • Won't cause physical problems with your hardware.
  3. Folder blaster.
    • Same concept as the zip bomb, but with folder spam. Just write a routine to delete them.
    • Won't cause physical problems with your hardware.

Better yet, if you have a virtual testing environment, you can delete these automatically by saving the state of a virtual machine before the infection, and restoring it after you're done studying the output. This is the easiest, most efficient method by far.

Mark Buffalo
  • 22,508
  • 8
  • 74
  • 91
  • How would you disable the guest OS network? Through the VM config? I disabled the network driver, but it could be activated programmatically I bet. Not that I'm gonna run into this kind of issue right now, just wondering, again :) Thanks for the detailled answer. – Vadorequest Nov 20 '15 at 17:52
  • 1
    Yeah, it could be edited, *if* they escaped the Virtual Machine. If they're able to do it, then at that point, you've got bigger problems. Most malware authors aren't smart enough to do something like that, though. For most infections, this method should work. As for how I'd disable it, just go to the network connections in windows or something, and disable the internet for the VirtualBox "device." – Mark Buffalo Nov 20 '15 at 17:55
  • Alternatively, you can shut it off in the configuration menus. – Mark Buffalo Nov 20 '15 at 17:57
2

Depending on how the malware works, virtualization might be a sufficient way to contain it. By running the malware in a virtual machine, it can only cause damage inside the virtual machine and only use up those resources which are assigned to it.

However, there is also malware which either does not work inside a VM or is dangerous even when used in one. In that case the only way to test it is by using spare hardware.

Philipp
  • 49,017
  • 8
  • 127
  • 158
  • I'm curious about how could a malware "get out" of the VM container. It's not supposed to be able to interact with the very host system. – Vadorequest Nov 20 '15 at 14:07
  • 2
    @Vadorequest It's not supposed to, but virtualization environments are sometimes not as secure as they appear. Here is an interesting presentation from the 30c3: [Virtually Impossible: The Reality Of Virtualization Security](https://www.youtube.com/watch?v=GoipioWrzAg) – Philipp Nov 20 '15 at 14:13
2

Some malware has the ability to recognize when its virtualized and attempt to "think outside the box" using the most interesting of tactics I've seen...sometimes even trying to control the keyboard. The only way to truly test them is to set up an airgapped laptop or desktop and run it on that, then reinstall all the OS when you're done...time consuming but the only "safest" bet.

Chad Baxter
  • 632
  • 4
  • 8
  • 3
    Most malware that detects virtual machines can be defeated by using one that's open source, and compiling the source yourself. But before you do that, you need to remove all references to "Virtual" outside of function modifiers, plus the the default MAC address range, among a few other things. – Mark Buffalo Nov 20 '15 at 15:59
  • 1
    @MarkHulkalo Interesting. Wouldn't be possible to test a Windows virus that way tough, never heard of the words Windows and open source in the same sentence! – Vadorequest Nov 20 '15 at 17:43
  • @Vadorequest I think you misunderstood me. My bad! :) It would be very possible to test a windows virus using that method. Go get [Oracle VM VirtualBox](https://www.virtualbox.org/wiki/Downloads). It's open source. Install VirtualBox, install windows on a VM, and "test" the virus to your hearts content. – Mark Buffalo Nov 20 '15 at 17:46