Virus safety

Mutt

This article is for informational purposes only!

The foundation of security is working through virtual machines. Since we work with viruses, there is always a chance of launching one inadvertently. The worst part is not that data from the infected machine reaches the server, but that your real data remains in the provider's logs.

Most hackers run into the same problem: they did not build their security fully from the very beginning, but improved it as the virus developed. As long as you have a small network and there are no high-profile cases, nobody is looking for you. That is, you can manage a botnet of 1000 machines almost from your own computer and no one will come for you. So in the beginning hackers sit behind a single, simple VPN. As the network grows, it attracts more and more interest, and once several reports of grand theft have piled up with the police, the search begins. It does not matter that by the time of the theft the security scheme may have improved dramatically. A chain is as strong as its weakest link. Quite often the searches end with the special services gaining access to the virus servers, going through all the logs there, pulling out early information about the owner,

Even if the servers have changed many times and the logs are scattered, it is often possible to reconstruct the whole picture. In large investigations, the hacker's signature is analyzed: the timing of attacks, the viruses used, cryptor data, server hosters, and so on. Having collected all of this, investigators can often find all the logs for the entire period. So the moment you go in the wrong place, accidentally open a virus in the wrong place, or test a working virus on a neighbor in your building, it becomes a gigantic security threat. Therefore, the minimum recommended security scheme is: Internet via a modem, a VPN (preferably Double VPN) on the host machine, and the virtual machine routed through a secure Whonix network.

Server
At first, a low-powered VPS will do.

In general, there are three categories of servers:
  1. Regular servers
  2. Abuse servers
  3. Servers for botnets

Regular servers
Regular servers can be found, for example, at rockhoster.com, which accepts payment via bitcoin. When registering regular servers, almost everywhere you will be asked for a full name, phone number, address and email. The email address must be one created specifically for this purpose. A reliable mail provider is protonmail.com; for quick registration there is cock.li (also reliable, but with no password recovery and no additional login protection). All other data can be taken from a data generator. It is important that the data looks real: recently, many places validate registrations against geolocation databases, so if a name, surname and address look implausible, the VPS registration may be refused.

Abuse servers
The second type is abuse servers. These are servers on which certain abusive services are allowed. Botnets are banned almost everywhere, but this is not a problem: a small network will not be banned quickly. The advantage of an abuse server is that it guards usage data more carefully. It is much harder to obtain logs from them, so they are somewhat safer, but more expensive. An example of such a service is abusehosting.net. They publish a description of the abuses that are allowed, so some projects related to virology can be hosted there without fear of being banned.

Servers for botnets
The third type is servers for botnets. The server is guaranteed to keep working from its IP even when complaints about the botnet arrive. To build the network effectively, staging servers, fast-flux techniques, Tor relays and much more can be used. This is a solution for medium-volume black traffic. The only drawback is the price, which starts at several hundred dollars per month. Such offers should be sought on darknet forums.

To summarize: at first, use regular or abuse servers; as the network grows, move on to botnet servers.
But as the network grows further, especially to an extremely large scale, another type of bot management is used: p2p. This removes the need for servers altogether and instead distributes control across the infected machines. In terms of security this is one of the most promising directions, and such networks are the most scalable.

Virtual machines
It is best to prepare a separate virtual machine for testing viruses. This is done so that important information, which a virus can collect from logs, does not leak to the server. Keep in mind that access to the server can be intercepted, so it is better not to expose your data there unnecessarily.

For the most part, work is done from a virtual machine running Windows 7, but it is also good to have a Windows 10 machine at hand: almost all Windows-based machines run one of these two systems. A fresh Windows 7 install does not include .NET Framework 4. It is needed to run most programs, so installing it is the first step. .NET Framework 4 can be downloaded without any problems from the official Microsoft website.

The test virtual machine must be connected only through the gateway.
Working directly through a single VPN while running viruses is discouraged.

After installation and configuration, take a snapshot of the machine's state.
After each virus test, it is advisable to roll the machine back to the saved state.

Control
For management you can also use a separate virtual machine; the main thing is that virus testing is carried out on a clean machine. Often you will need to connect to the server via SSH. For this, the PuTTY SSH client can be installed in the Windows virtual machine. It supports proxies (I wrote how to get a proxy in previous articles). This ensures that even when using your own node, no traces of it are left. SSH provides end-to-end encryption, so any proxy will do; eavesdropping on the proxy yields nothing.
 
Virus testing safety 2021
When working in virology, there is a frequent need to run viruses on your own machine. Before using a payload, you need to check it so that bots are not lost because of incorrect initial settings. When testing a virus, there are two iron rules to keep in mind:
  1. Do not run a virus on the main system or on a virtual machine with valuable data.
  2. Do not let the virus access the Internet directly.
These rules also apply when you need to test your own virus. Even though it is tied to your own panel, the presence of a virus in the system opens up new attack vectors.

Direct Internet access is cut off so as not to leave unnecessary logs. In virology it is very important not to end up in the logs: most mistakes are connected with them, and they are the most frequent source of deanonymization. As you already know, a great many logs are written, they contain the maximum of available data, and they are stored almost forever. Here are some examples of traces that can be left by mistake, and what they can lead to:
  • A virus was accidentally launched on the main system without a VPN, or on a virtual machine with a direct connection
    • Your IP ends up in the logs. This does not mean that everything is over: if the virus has not yet been seen in attacks, this information may never be looked at. But as soon as a virus with an exposed command center takes part in a large attack, the intelligence services will start going through the logs. A connection to the command center during the setup phase is easy to spot. If you leaked your IP, or even the IP of your personal VPN, while configuring the virus, it is better to change the command center's server.
    • When using private viruses, also keep in mind that traces can be found not only at the command center; the virus itself can leave them. Antivirus companies analyze the traffic of various viruses and can use it to determine where an attack started. If an antivirus noticed the file on the main system before the attack started, that log can later be used to identify the hacker. It is better not to use an antivirus at all: cloud functions introduced recently send any suspicious or simply new file to the lab. In that case they will of course have all the logs, and the fact that a virus which spread to thousands of machines a few weeks later was first seen on your machine will surface. And the way a host antivirus can detect a virus inside a virtual machine is through shared folders. Often you cannot do without them, but once the file lands there, the antivirus can upload it immediately.
  • A virus was accidentally launched on the main system or a virtual machine, but with a VPN
    • The situation does not change much. For large cases you cannot rely on a VPN alone. It protects against logging by your provider and gives additional protection and insurance, but if there is a good reason to find you, the VPN will not be an insurmountable obstacle.
  • A virus was accidentally launched in a configured virtual machine that was not intended for it
    • Kill its process manually and remove the payload from the system (from the location where it installed itself). Delete it manually, without using an antivirus.
All created and cloned virtual machines must be checked before their first start. Look at the network settings in the machine's properties in VirtualBox. All virology machines must be connected with a single virtual adapter over the Whonix internal network.

This is the foundation of security. Now let's talk about how to make managing virtual machines easier.

Cloning virtual machines
It is advisable to use a separate virtual machine for each test so that data from different tests does not overlap. This does not mean installing Windows 20 times a day. It is enough to prepare a base, pre-configured virtual machine and then copy it, which makes it possible to quickly churn out test-ready virtual machines. A few things to remember: since the virtual machines are all copied from one machine, they share many system identifiers. In fact, if you run one virus on two clones of the same machine, the control server can spot the similarity and say with certainty that one person is launching them. For us this is not important; we use clones so that viruses do not influence each other, and so that nothing of value is present in the system.

Using fresh clones for tests is important for another reason: most viruses check whether they are already present in the system to prevent a restart. So when a clone is reused, the bot may fail to check in.

Virtual machines should be divided into several types: for configuration and for tests. Oddly enough, Guest Additions can be installed anywhere; their mere presence does not compromise security. The Extension Pack, which increases the integration of the virtual machine with the host hardware, does not need to be installed, and there is no need for it. On the configuration machines you can use both the shared clipboard and shared folders. But you must understand that every possible path for a virus to get there has to be avoided (also take into account that if the host has a program that monitors the contents of the host's folders, such as an antivirus, it is better not to use shared folders at all).
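As an added example that is not from the original post: the pre-start check that the two sections above call for (a single adapter on the Whonix internal network, no shared folders, a clean snapshot to roll back to), written against the machine-readable output of VBoxManage showvminfo. The key names parsed here (nic1, intnet1, clipboard, draganddrop, SharedFolderNameMachineMapping1, CurrentSnapshotName) are VirtualBox's own; the internal-network name "Whonix", the VM names and the two sample outputs are constructed for the demonstration. The checker is stricter than the text in one respect: on a test machine it also flags a shared clipboard, since that is one more path for a file to reach the host.

```python
"""Pre-flight isolation check for a VirtualBox test VM.

Parses `VBoxManage showvminfo <vm> --machinereadable` (key="value" lines)
and reports everything that breaks the isolation rules: exactly one NIC,
attached to the expected internal network (no NAT, bridged or host-only
adapter), no shared folders, clipboard and drag-and-drop disabled, and a
snapshot present so the machine can be rolled back after the test.
"""
import re
import subprocess
from typing import Dict, List

KEY_VALUE = re.compile(r'^([^=]+)=(.*)$')

# Constructed sample: a machine that passes every check.
CLEAN_SAMPLE = '''name="win7-test-01"
nic1="intnet"
intnet1="Whonix"
nic2="none"
nic3="none"
clipboard="disabled"
draganddrop="disabled"
CurrentSnapshotName="clean"
'''

# Constructed sample: NAT adapter, two active NICs, shared folder,
# bidirectional clipboard and no snapshot.
LEAKY_SAMPLE = '''name="win7-test-02"
nic1="nat"
nic2="intnet"
intnet2="Whonix"
clipboard="bidirectional"
draganddrop="disabled"
SharedFolderNameMachineMapping1="drop"
SharedFolderPathMachineMapping1="/home/analyst/drop"
'''


def parse_showvminfo(text: str) -> Dict[str, str]:
    """Turn machine-readable showvminfo output into a dict, stripping quotes."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        info[key] = value
    return info


def isolation_findings(info: Dict[str, str], expected_intnet: str) -> List[str]:
    """Return a list of problems; an empty list means the VM may be started."""
    findings: List[str] = []
    active_nics: List[int] = []
    for n in range(1, 9):  # VirtualBox exposes up to eight adapters, nic1..nic8
        mode = info.get(f"nic{n}", "none")
        if mode == "none":
            continue
        active_nics.append(n)
        if mode != "intnet":
            findings.append(f"nic{n} is attached to '{mode}', not to an internal network")
        elif info.get(f"intnet{n}") != expected_intnet:
            findings.append(f"nic{n} uses internal network '{info.get(f'intnet{n}')}', "
                            f"expected '{expected_intnet}'")
    if len(active_nics) != 1:
        findings.append(f"expected exactly one active NIC, found {len(active_nics)}")
    for key, name in info.items():
        if key.startswith("SharedFolderNameMachineMapping"):
            findings.append(f"shared folder '{name}' is configured; remove it before testing")
    for key in ("clipboard", "draganddrop"):
        if info.get(key, "disabled") != "disabled":
            findings.append(f"{key} is '{info[key]}'; set it to disabled")
    if not info.get("CurrentSnapshotName"):
        findings.append("no snapshot exists; take a clean baseline before the first run")
    return findings


def check_vm(vm_name: str, expected_intnet: str = "Whonix") -> List[str]:
    """Query a real VM through VBoxManage and run the checks on it."""
    out = subprocess.run(["VBoxManage", "showvminfo", vm_name, "--machinereadable"],
                         check=True, capture_output=True, text=True).stdout
    return isolation_findings(parse_showvminfo(out), expected_intnet)


if __name__ == "__main__":
    for sample in (CLEAN_SAMPLE, LEAKY_SAMPLE):
        info = parse_showvminfo(sample)
        problems = isolation_findings(info, "Whonix")
        print(info["name"], "->", "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```

The snapshot and rollback steps themselves are `VBoxManage snapshot <vm> take clean` after configuration and `VBoxManage snapshot <vm> restore clean` after each test; `VBoxManage clonevm <base> --name <new> --register` produces the per-test clones, and each clone should go through this check before it is started.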

Checking detectors before use
A detection is when an antivirus flags the payload as a malicious file. Detection rates are written like 5/32, meaning that out of 32 antiviruses tested, 5 identified the file as a virus.

There are only 2 ways to keep detections near 0:
  1. Crypt
    This is the process of changing the internal structure of an executable file and masking its functions in order to bypass antivirus detection. It can be done both by cryptors and by automated services. For example, cryptor.biz is a good option for automatic crypt.
  2. Updating the code
    In this case the developer himself, or whoever holds the virus's source code, changes it so as to reduce detections. Such offers exist for some private viruses. Usually this is a separate service, because manual adaptation is required for each client. There are also viruses that come with regular code updates, but as the number of users grows, the effect of this decreases.
Neither a crypt nor a new stub guarantees 0 detections for long. In some cases even reaching 0 detections is impossible, so 1-2 detections may remain after the crypt. Since crypts are done in bulk, a crypt will stop working over time regardless of whether the file was used; typically this takes from 12 hours to a day and a half. With a personal build of a private virus, the number of detections and the time after which they appear depend on how the file is used. Any virus accumulates detections as it becomes widely used.

There are two types of detections: static and runtime.
Static: the antivirus detects the virus before it even starts.
Runtime: the alarm is raised while the program is running.

Evaluating runtime detections gives a more complete picture of how detectable a virus is. Very often cryptors rely only on static detections and report statistics only for them. But if the crypt was done poorly, runtime checks can simply kill it. It can easily happen that there are 0 static detections, and yet at launch the virus gets nowhere.

Detection verification methods
  1. Online services.
    The most popular is virustotal.com (free static check). Already going there to check your viruses? Stop. This service leaks all the information to antivirus companies. Every file uploaded there is examined by the antivirus companies, regardless of how many detections were found automatically. Upload a freshly crypted virus to virustotal.com and get 10 detections as a gift.
  2. nodistribute.com (paid static check). From its statements and its name one might think it does not cooperate with antivirus companies, but in fact it also spoils detections and leaks information.
  3. dyncheck.com (paid static and runtime check). This service is a good solution for checks. You can select only the antiviruses you need, which reduces the cost of a scan. There are subscriptions for large volumes. The only drawback is that runtime checks with full functionality are available only on subscriptions, which are not the cheapest.
  4. Installing an antivirus on your own system and checking for positives on it.
    Lol. Good luck.
  5. Setting up a special virtual machine for tests.
    This is a good method for fully checking a virus with zero chance of leaking information about it. The simplest version: install the antivirus of interest (a trial version) on a separate Windows virtual machine and, after installation, cut off its Internet. The virus itself can be brought in through a shared folder (though you can devise a more elaborate method). Once the virus is launched, it becomes clear what the antivirus thinks of it while it runs. Since the virtual machine has no Internet, the antivirus cannot upload data about the file. When the test is over and it is clear whether the antivirus detects the running virus, the virtual machine with the antivirus is deleted or rolled back to the state before the test.
The latter method has a significant drawback: without Internet access the virus may not work. In that case, Internet access has to be configured through the firewall so that only access to the virus's command server is allowed.