
I have been doing research on malware detection and my current setup is: one host OS (Ubuntu 18.04) and one guest OS (Ubuntu 18.04) inside VirtualBox. I have downloaded and executed some malware (including Linux, Windows and OS X platform malware) on the guest OS. But I cannot visually see the effects of the malware, not even in the case of the Linux-targeted ones, which would have proven that the malware is active/malicious. The VirtualBox log files (which are my point of interest) have not given me any insight into this issue.

Should I use any tool to activate the malware, and if so, would you please suggest some tools?

N.B.: I collected most of the malware from "The Zoo" repository on GitHub and the rest from other resources.

  • Please ask just one question at a time. The question about Windows viruses affecting Linux has been asked and answered a few times on various platforms. https://security.stackexchange.com/questions/106171/can-malware-infect-more-than-one-operating-system and https://security.stackexchange.com/questions/5119/can-windows-malware-harm-a-linux-computer-when-its-executed-with-wine and https://askubuntu.com/questions/441458/can-a-windows-virus-transfer-to-ubuntu – schroeder Jan 05 '22 at 10:52

2 Answers


It really sounds like what you want to use is a malware analysis sandbox. These are pre-made and hardened virtual machines designed to detonate and observe the effects of malware. These sandboxes also come in different OS flavours.

A malware analysis sandbox extracts network activity, internal process hooking, disk activity, browser activity, etc. From the analysis tools, it becomes simple to create IoCs and signatures for use in other tools, like IPS/IDS or endpoint protection.

Cuckoo is a popular option and is open-source. There is a free online version to use if you want to use it without needing to set it up yourself.

There are many others like Joe Sandbox, Any.run, and FLARE.

The downside to some automated malware sandboxes is that you don't have a lot of power to change the environment or get your hands on the guts of the malware code, although some have debuggers built-in so that you can.

But from the type of questions you are asking, it looks like you should start with an automated sandbox and grow from there.

schroeder
  • I spent 3 months trying to set up Cuckoo Sandbox for both 32-bit and 64-bit Ubuntu (versions 16.xx, 18.xx, 20.xx etc.). It worked for Windows 7 and 10 guest OSes (produced results, log files etc.) but did not work in the case of any version of Ubuntu. The online version does not really suffice for my current goal. I am particularly interested in the log files in order to generate a dataset. – Maksudur Rahman Jan 05 '22 at 11:26
  • Did you try a pre-made VM for cuckoo for Ubuntu? Installing from scratch can be tricky. – schroeder Jan 05 '22 at 11:34
  • No, I did not. Is it possible to find an open-source pre-made VM? – Maksudur Rahman Jan 05 '22 at 11:44
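The answer above says that once a sandbox has recorded process, file and network activity, turning it into IoCs is straightforward. The following is an added example, not code from the answer or from Cuckoo: it takes a Linux detonation trace in the text format that `strace -f -ttt -o trace.log` writes (with `-f` and `-o`, each line is `PID TIMESTAMP syscall(args) = ret`) and reduces it to one structured summary per sample plus a flat indicator list. The trace embedded here is constructed for the example (the addresses are documentation ranges, the paths and PIDs are invented); the capture command in the docstring is an assumption about how the sample was run inside the guest.

```python
"""Turn a Linux detonation trace into a structured IoC summary.

Assumed capture command inside the guest (an assumption, not from the
answer above):
    strace -f -ttt -e trace=file,network,process -o trace.log ./sample
With -f and -o every line reads "PID TIMESTAMP syscall(args) = ret ...".
"""
import re
from collections import defaultdict

# Constructed sample trace for this example; not a trace of real malware.
SAMPLE_TRACE = """\
4711 1641378000.100000 execve("./sample", ["./sample"], 0x7ffe4c0 /* 12 vars */) = 0
4711 1641378000.110000 openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
4711 1641378000.120000 openat(AT_FDCWD, "/tmp/.cache", O_WRONLY|O_CREAT|O_TRUNC, 0755) = 4
4711 1641378000.130000 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 5
4711 1641378000.140000 connect(5, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("198.51.100.7")}, 16) = 0
4711 1641378000.150000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f1a) = 4712
4712 1641378000.160000 execve("/bin/sh", ["sh", "-c", "crontab -l"], 0x55d0 /* 12 vars */) = 0
4712 1641378000.170000 connect(6, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.9")}, 16) = -1 ECONNREFUSED (Connection refused)
4712 1641378000.180000 +++ exited with 1 +++
4711 1641378000.190000 unlink("/tmp/.cache") = 0
4711 1641378000.200000 +++ exited with 0 +++
"""

# PID, epoch timestamp, syscall name, argument text, integer return value, trailer
LINE_RE = re.compile(r'^(\d+)\s+([\d.]+)\s+(\w+)\((.*)\)\s+=\s+(-?\d+)(.*)$')
# strace renders an IPv4 sockaddr as {sa_family=AF_INET, sin_port=htons(P), sin_addr=inet_addr("A")}
SOCKADDR_RE = re.compile(r'sin_port=htons\((\d+)\), sin_addr=inet_addr\("([\d.]+)"\)')
# Flags are scanned textually; a path that literally contains "O_CREAT" would be misclassified.
WRITE_FLAGS = ('O_WRONLY', 'O_RDWR', 'O_CREAT')


def parse_trace(text):
    """Yield (pid, ts, syscall, args, ret); exit/signal lines do not match and are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid, ts, name, args, ret, _trailer = m.groups()
            yield int(pid), float(ts), name, args, int(ret)


def quoted(args, index=0):
    """Return the index-th double-quoted string in a strace argument list (handles \\" escapes)."""
    found = re.findall(r'"((?:[^"\\]|\\.)*)"', args)
    return found[index] if len(found) > index else None


def summarize(text):
    """Build a per-sample summary: one dict that could become one dataset row."""
    s = {
        'processes': [],          # (pid, executable) from successful execve
        'files_read': set(),
        'files_written': set(),
        'files_deleted': set(),
        'connections': [],        # (ip, port, succeeded); failed attempts are kept as indicators
        'children': defaultdict(list),  # parent pid -> child pids
    }
    for pid, _ts, name, args, ret in parse_trace(text):
        if name == 'execve' and ret == 0:
            s['processes'].append((pid, quoted(args, 0)))
        elif name in ('open', 'openat') and ret >= 0:
            path = quoted(args, 0)
            if any(flag in args for flag in WRITE_FLAGS):
                s['files_written'].add(path)
            else:
                s['files_read'].add(path)
        elif name in ('unlink', 'unlinkat'):
            s['files_deleted'].add(quoted(args, 0))
        elif name == 'connect':
            m = SOCKADDR_RE.search(args)
            if m:
                s['connections'].append((m.group(2), int(m.group(1)), ret == 0))
        elif name in ('clone', 'fork', 'vfork') and ret > 0:
            s['children'][pid].append(ret)
    return s


def iocs(summary):
    """Reduce the summary to atomic indicators that fit an IDS or EDR rule."""
    out = set()
    for ip, port, _ok in summary['connections']:
        out.add(f'net:{ip}:{port}')
    for p in summary['files_written'] | summary['files_deleted']:
        out.add(f'file:{p}')
    for _pid, exe in summary['processes']:
        out.add(f'exec:{exe}')
    return sorted(out)


if __name__ == '__main__':
    summary = summarize(SAMPLE_TRACE)
    for key, value in summary.items():
        print(key, dict(value) if isinstance(value, defaultdict) else value)
    print('IoCs:', iocs(summary))
```

Failed `connect()` calls are kept on purpose: a refused C2 port is still a useful indicator, and a sample that only beacons when the network answers is exactly the case where the asker saw "no effect". A file that is written and then unlinked (here `/tmp/.cache`) is likewise retained, since the unlink is the only evidence of the drop.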

You need to read Sikorski's Practical Malware Analysis. It'll answer all these questions, and it'll give you the tools needed to investigate. Get a NUC.

  1. You need tools like RegistryChangesView, TCPLogView, Process Explorer. The VBox logs are basically going to tell you about your VirtualBox platform, and won't give details about malware detonation.
  2. Windows exe files cannot affect Linux because it doesn't have the code to process malware commands. Like, there's no C:\Temp, managing the hardware is different. OSX malware potentially could affect Linux because they're related to Unix. They don't stay dormant, they're useless programs. Btw, malware can scan a virtual machine and become dormant to hide from analysis, or can even break out of the environment.
user42080
  • It can become dormant if the operating system can run the commands to do that. It's just a file on an incompatible OS. Check ForensicsWiki. – user42080 Jan 05 '22 at 06:50
  • The guest OS is Linux. Everything from your first point is for Windows. – schroeder Jan 05 '22 at 10:27
  • Why that book in particular? It's 10 years old and things have changed quite a bit since then. There are entire libraries of more recent books on malware analysis. And upon reading the synopsis, it, too, looks Windows-specific. So, why ***that*** book? – schroeder Jan 05 '22 at 10:28
  • And what's a NUC? – schroeder Jan 05 '22 at 10:45
  • And you are not quite correct on Windows viruses not affecting Linux machines. They certainly can. Sure, if written to only expect Windows and to hard code Windows-specific resources, then they can fail on other OSes. But they don't have to. – schroeder Jan 05 '22 at 10:54