Ways To Help Protect Your System When Downloading and Viewing Potentially Dangerous Files
Recently I wrote a blog post taking a quick look inside the files from some recent malware stealer logs. I got asked (by @Harisfromcyber on Twitter) about the safety precautions one should take when downloading files like this. I thought it was a great question, and I honestly didn’t think I could do it justice in a Twitter thread, so I promised to write a blog post.
In this post, I’m not going to focus on using VPNs to manage your attribution but on steps to harden your operating system when downloading and reviewing potentially malicious files.
1: Make sure your software is up to date.
This almost seems too obvious to state, but it isn’t. Modern operating systems and web browsers are really good at forcing themselves to update regularly, but what about other software installed on the system? The software you use to play media files, unzip files, etc. can sometimes be outdated.
If you have the file extraction software WinRAR on your computer, when was the last time it was updated? Likely never. Most WinRAR users installed the software soon after setting up their computers and haven’t updated the software since. If you’re using a severely outdated version of software like this which contains known vulnerabilities, you run the risk of an attacker taking advantage of those vulnerabilities when you use it to extract a file.
2: Use some form of host-based antivirus software
Some people may not agree with this, and I get it. No anti-virus (AV) software is perfect. But it stops many things, and quality free options are available. This is especially easy on a modern Windows system as Windows Defender is built in and does a good job.
If you would like a second opinion every once in a while, you can use something like the free version of Malwarebytes. I’m specifying the free version because I like its ability to perform on-demand scans, but I don’t want the premium feature of real-time monitoring. As a general rule of thumb, you don’t want two different anti-virus programs providing real-time protection on your computer, as this can lead to performance issues and conflicts where one program detects the other as a threat.
If you’re curious about other AV software options, including options for MacOS, there is an unbiased organization that tests and reviews different AV products at https://www.av-test.org/en/
3: Use a Virtual Machine (VM)
A Virtual Machine (VM) is a software-based simulation of a physical computer that operates within a host computer. You can use a virtual machine to isolate the activity from your primary operating system when downloading potentially malicious files. This way, if the logs contain malware or other malicious software, they will not infect your primary operating system.
Multiple free options exist, including VMware Workstation for Windows hosts and VMware Fusion for MacOS hosts. You can use a Linux distro like Ubuntu as a virtual machine. Not only does this provide an extra layer of separation from your host operating system, but if the malware is designed to take advantage of Windows software, it may be less likely to execute in Linux.
4: If possible, use a trusted source to download the file
This one sounds funny when we’re talking about downloading things like stolen breach data or malware stealer logs, but downloading such files from a site that’s been around for a while and has a large user base, like RaidForums.com before it went down, can be safer than going to a random sketchy site. If 50 other users have already downloaded the file you’re getting ready to download, and nobody has complained about anything dangerous, it is not a guarantee that the file is safe, but it can help you feel a little bit safer.
5: If reasonable, consider using a site like VirusTotal.com or Hybrid-Analysis.com
VirusTotal is a popular site that lets you upload a file and have it quickly scanned by numerous different AV test engines. The good news is that it’s free; the bad news is that the file you uploaded gets distributed to the AV companies. If that isn’t an issue, it’s a handy resource.
Hybrid-Analysis is similar to VirusTotal, but it opens/executes the file inside a virtual environment powered by CrowdStrike’s Falcon Sandbox. Not only does this give you another opinion on whether a file is malicious or non-malicious, it shows you screenshots of the file being opened/executed. This can provide the EXTREMELY useful capability to view the contents of a file without having to open the file yourself.
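One way to get a VirusTotal verdict without handing the file over to the AV companies is to look it up by hash first and only upload if nobody has submitted it before. The script below is an added example, not code from the original post; it assumes a VirusTotal API key in the VT_API_KEY environment variable and uses VirusTotal's public v3 file-report endpoint.

```python
import hashlib
import json
import os
import urllib.error
import urllib.request

# VirusTotal v3 file report: GET by SHA-256, authenticated with the x-apikey header.
VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/{sha256}"

def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    # Hash in chunks so a multi-gigabyte stealer-log archive never has to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_lookup_request(sha256: str, api_key: str) -> urllib.request.Request:
    url = VT_FILE_REPORT.format(sha256=sha256)
    return urllib.request.Request(url, headers={"x-apikey": api_key, "accept": "application/json"})

def summarize_report(report: dict) -> dict:
    # Collapse the per-engine results into the counts most people actually act on.
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = flagged + stats.get("harmless", 0) + stats.get("undetected", 0)
    return {"flagged": flagged, "engines": total, "verdict": "flagged" if flagged else "clean"}

def lookup_file(path: str, api_key: str):
    # Returns the summary, or None when VirusTotal has never seen this hash
    # (HTTP 404). None means the file is unknown, not that it is safe.
    req = build_lookup_request(sha256_of_file(path), api_key)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

# Constructed sample of the relevant part of a v3 response, for offline use.
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 37, "suspicious": 2, "harmless": 0, "undetected": 31}}}}

if __name__ == "__main__":
    import sys
    print(lookup_file(sys.argv[1], os.environ["VT_API_KEY"]))
```

A None result is the cue to decide whether sharing the file is acceptable before falling back to an upload.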