I have come across a malware that I think is quite unique. According to the representative of this software manufacturer, this software was first developed for military use; second, it will show no Send/Receive packets on the status screen and it can browse your system without notice; and the last is, it's anti-virus detection free: according to their menu it can pass most of the anti-virus detection software.
This software package contains a software to create this malware (dongle required) and a control centre software (also dongle required) to control the machine.
I want to test this software, at least to find out what symptoms this malware has.
All I can think of is to install Wireshark on both the subject machine and the control centre, to capture the packets.
May I ask what else I can do? I do think of using Snort but I am not sure that I can handle Snort as it's quite difficult for me at this moment.
I have prepared an old machine with XP in it and without any anti-virus program installed.
Does anyone know if it is safe enough to use a VM on my own laptop as the control center?
I want to seek some advice and direction, if anyone could help.
Million thanks.
In addition to monitoring the traffic between the machines, I would imagine you would also want to monitor what is happening on the target machine. I would look into DiskMon, Process Monitor and Process Explorer.
All I can think of is to install Wireshark on both the subject machine and the control centre, to capture the packets.
It would be a bit cleaner to listen on the network, using a hub or a monitor port on a switch (or the virtual equivalents, if you decide virtual systems work).
Does anyone know if it is safe enough to use a VM on my own laptop as the control center?
You decide what is safe or not. What damage could be caused, and are you willing to take the risk? If your laptop should become infected by a so-far-unknown virus, how would you clean it up? Can you do that? Do you have the necessary backups? What would be the cost?
I'd set up two throw-away physical machines on a physical network, and listen on the network, at least to start with. I might try virtual machines, but as some malware doesn't run as expected in virtual environments, I can't be certain it would work, and I might end up analyzing the wrong thing.
First, I'd pass the suspected malware to something like the Comodo Malware analyzer, to get a rough idea of what it does.
Thanks to bithead, I think your suggestion is pretty much all I should do at this moment.
Do let me know if you are interested; I can share my results with you, like a pcap file?
And thanks to athulin, I will take your advice to use another machine to test it in a closed network first.
…second, it will show no Send/Receive packets on the status screen
Not sure what you mean, here. What is the "status screen" or, more appropriately, on what machine is it running?
All I can think of is to install Wireshark on both the subject machine and the control centre, to capture the packets.
Why not do one better and install Wireshark on an uninvolved third machine? That way you can be fairly certain that the installation of the malware on the target system did not adversely affect Wireshark.
Does anyone know if it is safe enough to use a VM on my own laptop as the control center?
As others have pointed out, many malware products are capable of detecting that they are being run from a VM and use this to hide their activities. Better to get a couple of cheap PCs, OEM versions of Windows, and a HUB (not a switch) and install the C&C and Wireshark on these.
You may have trouble finding a hub these days unless you have some old ones lying around.
Ignore, for a moment, the developer's claims that it is undetectable. In addition to procmon, download a copy of RegShot and take registry snapshots before and after infection and compare these.
Get a copy of memdd or another Windows memory imaging program and take a snapshot of memory before infection and after. If you do this on a laptop, you can also capture hiberfil.sys before and after. Then examine the memory images using Volatility. I actually have a script that uses Volatility to run through memory looking for malware artifacts but this is relatively easy to do, manually.
Buy a copy of "The Malware Analyst's Cookbook and DVD", which will give you other suggestions.
But be skeptical. If there really existed malware that couldn't be detected, there would cease to be people developing malware that can.
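The before/after snapshot idea suggested above (RegShot for the registry, memory images for Volatility) is the same baseline comparison regardless of what is being snapshotted. The script below is an added example, not code from this thread or from RegShot: it applies the idea to a file tree, hashing every file before and after a suspect program runs and reporting what was added, removed or modified. The sample tree and the "changes" it detects are constructed inside a temporary directory so the example runs offline; the file names in it are invented for illustration.

```python
"""Before/after baseline comparison applied to a file tree (RegShot-style).

Added example, not from the thread or from RegShot. Hashes every file under
a root directory, then diffs two such snapshots.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative, POSIX style) to (size, sha256)."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return result


def diff_snapshots(before, after):
    """Return the paths added, removed and modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a program touches the tree between two snapshots."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "drivers.ini").write_text("driver=ok\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        before = snapshot(root)

        # Constructed changes standing in for what the suspect program did:
        # a new binary dropped next to existing files, and the hosts file edited.
        (root / "system32" / "helper.dll").write_bytes(b"\x4d\x5a" + b"\x00" * 16)
        (root / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 update.example\n")
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The same caveat that applies to running Wireshark on the infected host applies here: a snapshot tool executing on the target can itself be fed false results, so the second snapshot is more trustworthy when taken from a clean boot (or, as with hiberfil.sys and memory images, from outside the running system) and compared on an uninvolved machine.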