The ideal source of samples is one that offers the most widespread, fresh and diverse samples, independent of any antivirus vendor. The freshness of downloaded samples matters here because it determines how well a test reflects actual protection against the threats that appear on the Internet every day.

Samples used in the "Advanced In-The-Wild Malware Test" come from attacks on our honeypot network. Honeypots are traps whose task is to simulate a target that is vulnerable to attack and to capture the malicious software delivered to it. We use low-interaction (Dionaea, SHIVA, HoneyDB) and high-interaction honeypots. Together they emulate services such as SSH, HTTP, HTTPS, SMB, FTP and TFTP, as well as real Windows systems and email servers. A lot of useful information about honeypots can be found on the CERT Poland website.

Malicious software collected from one of the honeypots.

Before any sample is passed to the machines with security products installed, it is thoroughly analysed. We have to make sure that only samples which are 100% harmful are included in the tests. Below are examples of malicious indicators that malware introduces into a system:

An attempt to disable UAC: HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify

Adding to autostart: Software\Microsoft\Windows\CurrentVersion\Run

Swapping the wallpaper: Control Panel\Desktop\Wallpaper

Checking the BIOS version: Hardware\description\system\bios

Bypassing UAC: Classes\exefile\shell\runas\command\isolatedCommand

Launching from the Recycle Bin: C:\$Recycle.Bin

Removing logs: C:\$GetCurrent\Logs

A situation where a virus does not run in a system because it was programmed for a different geographical region will never occur in our tests. Readers and developers can be assured that malware qualified for the tests is able to seriously infect operating systems, regardless of which part of the world it comes from.

Before a potentially harmful sample is qualified for the tests, one component of the testing system checks whether the malicious software really does introduce unwanted modifications. For this purpose, every virus is analysed for 15 minutes. Because the human factor is excluded from the tests, it is impossible to know in advance whether, for example, a piece of malware will finish its activity after 60 seconds, so we must set a time threshold after which the analysis is stopped. We are aware that there is malicious software which delays its launch by up to several hours before it activates. It may also listen for connections from a C&C server on an ephemeral port. There have also been cases where malware was programmed to infect a specific application, or waited for a particular website to be opened. For this reason, we have taken every effort to ensure that our tests are as close to reality as possible, and samples that prove "unreliable" are not included in the test virus database.

After each potentially malicious sample has been analysed, the logs of the malware's activity are exported to the external part of the testing system. On the basis of the data gathered, our algorithms decide whether a particular sample is certainly harmful. We publish part of the information from the analysis on the CheckLab website in a form accessible to users and developers. Detailed data are shared with developers.
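As an added illustration of how a verdict can be derived automatically from indicators like the ones listed above (example code written for this page, not CheckLab's own system), the script below scores constructed analysis log lines against those registry and file paths, ignores any activity recorded after the 15-minute window, and flags a sample as harmful only when an assumed score threshold is reached. The log line format, the weights and the threshold are all assumptions.

```python
# Added example (not CheckLab's own code): scores constructed sandbox log lines
# against the indicator paths listed on the page. The log format and the
# scoring weights/threshold are assumptions made for this illustration.
import re
from dataclasses import dataclass
# Indicator paths from the page, each with the behaviour it signals and a weight.
INDICATORS = {
    r"SOFTWARE\Microsoft\Security Center\UacDisableNotify": ("disable UAC notifications", 3),
    r"Software\Microsoft\Windows\CurrentVersion\Run": ("autostart persistence", 2),
    r"Control Panel\Desktop\Wallpaper": ("wallpaper swap", 1),
    r"Hardware\description\system\bios": ("BIOS version check", 1),
    r"Classes\exefile\shell\runas\command\isolatedCommand": ("UAC bypass", 3),
    r"C:\$Recycle.Bin": ("launch from Recycle Bin", 2),
    r"C:\$GetCurrent\Logs": ("log removal", 2),
}
ANALYSIS_WINDOW_S = 15 * 60  # the page analyses each sample for 15 minutes
HARMFUL_THRESHOLD = 3        # assumed cut-off for "certainly harmful"
# Assumed log line shape: "<seconds> <OPERATION> <path>[ = <value>]"
LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<op>\w+)\s+(?P<path>.+?)(?:\s*=\s*(?P<val>.*))?$")
@dataclass
class Verdict:
    score: int
    hits: list  # (seconds, behaviour, path) for each matched event
    harmful: bool
def evaluate(log_text: str) -> Verdict:
    """Score every event inside the analysis window against the indicator paths."""
    score, hits = 0, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        t = float(m["t"])
        if t > ANALYSIS_WINDOW_S:  # activity after the cut-off is never observed
            continue
        path = m["path"].lower()   # registry paths are case-insensitive
        for ind, (behaviour, weight) in INDICATORS.items():
            if ind.lower() in path:  # substring match also catches e.g. RunOnce
                score += weight
                hits.append((t, behaviour, m["path"]))
    return Verdict(score, hits, score >= HARMFUL_THRESHOLD)
# Constructed logs: an active sample, and one that stays dormant past the window.
ACTIVE_LOG = r"""
0.4 REG_QUERY HKLM\Hardware\description\system\bios
2.1 REG_SET HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc = C:\Users\Public\svc.exe
3.0 FILE_CREATE C:\$Recycle.Bin\S-1-5-21-1\upd.exe
"""
DORMANT_LOG = r"""
0.5 REG_QUERY HKLM\Hardware\description\system\bios
1500 REG_SET HKCU\Classes\exefile\shell\runas\command\isolatedCommand = cmd.exe
"""
```

The dormant sample scores only the BIOS check because its UAC bypass happens after the window closes, which is exactly the kind of "unreliable" sample the text says is left out of the test database.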