Malware is dangerous, but you CAN handle it safely if you follow some simple rules.
At a high level, malware is only dangerous when it is executed by something or someone. For example, a dormant executable file isn’t going to magically jump into life. But accidents happen and even the most professional of malware analysts infect themselves occasionally, so a bit of paranoia can be healthy and isolation is king here. Keep malware away from things you care about, and you’ll be okay.
How to Stay Safe With Malware
Let’s state the obvious: the “mal” in malware is short for “malicious”. We’ll spare you the dictionary definition, but the short version of the story is that it is out to hurt your machine. It therefore stands to reason that you should be extremely – emphasis: extremely – careful while handling malware. Here are some measures you can take:
- Never download or host malware on a production system.
- Always try and keep malware solely on a virtual machine.
- Keep virtual machines segregated from the production network.
- Keep virtual machines isolated from the host such that no files can be shared between them.
- Always keep malware files zipped and protected with a password. (It doesn’t matter what the password is. We use the password “testmyav” here.) This helps to ensure that files are not accidentally executed.
- Never send malware samples via e-mail. E-mail provides opportunities for samples to be released to unintended parties. There is also the risk that an intention to share testing resources will be construed as an attempt to infect the recipient. Organisations do deploy anti-malware measures on mail servers, and this could get you flagged. It’s better to share via repositories or via carefully secured USB drives.
- Use dedicated USB drives of a different colour for moving malware around, e.g. a red one that only contains malware.
- Keep a working directory and a storage directory in your test environment, e.g. C:\malware_excluded for storage and C:\malware_included for working on. This ensures that you are being intentional about the malicious files you are testing. To maintain hygiene, follow these rules:
  - Move malware you intend to test to your working directory
  - Only detonate malware from your working directory
  - Always move malware you do not intend to test back to storage
  - Consider removing or altering file extensions (see below)
- If you handle malware on your host, work in a directory that is excluded from anti-virus scanning. We strongly recommend against operating malware outside a virtualized environment; if you do so anyway, be sure to exclude the directory in which the malware resides, and be very, very careful.
- Remove execute rights from the directory in which you store malware. This provides an extra layer of protection in that you cannot accidentally detonate stored malware, and it is especially helpful if you decide against changing the file extensions. Here is a great tutorial on how to do this.
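The “always keep samples zipped and password-protected” and “never e-mail samples” rules are easy to state and easy to break by accident, so a check before an archive leaves the lab is worth having. The following is an added example, not code from the original article: it reads the per-member encryption flag that the zip format records in every local and central-directory header and refuses any archive in which a sample could be opened with a plain double-click. The standard library can read password-protected zips but cannot write them, so the protected fixture below is constructed by flipping the flag on a plain archive (its payload is not really encrypted); real archives come from a tool such as 7-Zip (`7z a -ptestmyav sample.zip sample.exe`, with the article’s “testmyav” password) or the third-party pyzipper module. File names and contents are made-up placeholders.

```python
import io
import zipfile

# Bit 0 of a member's general-purpose flag is set when that member was written
# with a password (ZipCrypto, or AES via the WinZip extension). The check below
# refuses any archive where a sample could be opened without one.
ENCRYPTED_FLAG = 0x1


def unprotected_members(zip_bytes: bytes) -> list[str]:
    """Return the names of file members that were stored without a password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [zi.filename for zi in zf.infolist()
                if not zi.is_dir() and not zi.flag_bits & ENCRYPTED_FLAG]


def is_safe_to_store(zip_bytes: bytes) -> bool:
    """True only if the archive holds at least one file and every file is protected."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        has_files = any(not zi.is_dir() for zi in zf.infolist())
    return has_files and not unprotected_members(zip_bytes)


def check_archive_file(path: str) -> bool:
    """Wrapper for a zip on disk, e.g. run before copying it to the red USB drive."""
    with open(path, "rb") as fh:
        return is_safe_to_store(fh.read())


def extract_without_password(zip_bytes: bytes, name: str):
    """Return the member's bytes, or None if the archive refuses without a password."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return zf.read(name)
    except RuntimeError:          # "File ... is encrypted, password required"
        return None


def build_plain_zip(files: dict[str, bytes]) -> bytes:
    """Constructed fixture: a zip written WITHOUT a password (the stdlib cannot
    encrypt on write; use 7-Zip or pyzipper for real sample archives)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted_for_demo(zip_bytes: bytes) -> bytes:
    """Constructed fixture: set the encryption flag in every local and central
    header so the checker sees an archive that declares itself password-protected.
    The payload is NOT actually encrypted; this only exercises the check."""
    data = bytearray(zip_bytes)
    # local file header: flags at offset 6; central directory entry: flags at offset 8
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(signature)
        while pos != -1:
            data[pos + flag_offset] |= ENCRYPTED_FLAG
            pos = data.find(signature, pos + 1)
    return bytes(data)


if __name__ == "__main__":
    plain = build_plain_zip({"malwareSample_1.exe": b"MZ placeholder, not a real PE"})
    print("plain zip safe to store?", is_safe_to_store(plain),
          "unprotected:", unprotected_members(plain))
    protected = mark_encrypted_for_demo(plain)
    print("flagged zip safe to store?", is_safe_to_store(protected))
    print("extract without password:", extract_without_password(protected, "malwareSample_1.exe"))
```

`check_archive_file` is the piece to wire into whatever script copies samples onto a drive or into a repository: a `False` result means at least one member is sitting in the archive unprotected.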
Renaming Malware File Extensions
Follow this procedure if you’d like to prevent malware from being accidentally executed by changing its file extension.
Remove file extensions or add an invalid file extension to malicious files. In Windows Explorer, make sure file extensions are visible; you can then rename a file and delete its extension by hand. This, however, is pretty unwieldy when you might be dealing with hundreds or possibly thousands of files. To do it in bulk from the command window:
- On your keyboard, hold the Windows key and press the ‘R’ key
  - In the Run dialog, type “cmd.exe”; a command window should open
  - Alternatively, type “cmd” in the Start menu search bar and the Command Prompt option should show in the results
- Change directory to the directory in which you’re storing malware. For this tutorial, we’ll use “C:\malware_excluded”
  - Type: “cd C:\[desired path]”, in this case “cd C:\malware_excluded”
- Enter the command “dir”, which lists all the files in that directory. Verify that these are the malware files you wish to rename.
- We are going to change the file extension to a made-up word, which causes Windows to treat the file as a type it cannot execute. For this example, we’ll assume we have a directory of .exe files.
  - Type: “ren *.exe *.DoNotRunMalware” (keep the dot before DoNotRunMalware so the wildcard rename produces the extension shown below)
  - The files will then have an extension of .DoNotRunMalware, e.g. malwareSample_1.DoNotRunMalware
  - If you were to double-click on this file, Windows would not run it; instead it would show a prompt asking which application you’d like to open it with.
- Wait until the prompt returns. If you are renaming many files, this may take a few minutes
- Enter the “dir” command again and verify that the file names have been changed
- Perform the reverse to rename all of the files back to .exe
  - Type: “ren *.DoNotRunMalware *.exe”
  - To rename a single file, e.g. malware1.DoNotRunMalware, enter “ren malware1.DoNotRunMalware malware1.exe”
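The renaming procedure above and the storage/working directory rules from the hygiene list fit naturally into one small script, so that a sample only regains its real extension at the moment it is moved into the working directory and loses it again when it goes back to storage. The following is an added example, not code from the original article; the directory names (malware_excluded, malware_included) and the .DoNotRunMalware suffix follow the article, while the sample names and contents are constructed placeholders and the run happens in a throwaway temporary tree. It uses pathlib’s `with_suffix`, which replaces only the final extension, so a name such as dropper.v2.exe becomes dropper.v2.DoNotRunMalware rather than the surprises a cmd wildcard rename can produce on names with several dots, and it refuses to overwrite an existing file or to follow a sample name that escapes the storage directory.

```python
import shutil
import tempfile
from pathlib import Path

# Directory names follow the article; the storage directory is the AV-excluded one
# and nothing is ever run from it. The suffix is the article's "DoNotRunMalware".
DEFANGED_SUFFIX = ".DoNotRunMalware"


def defang_file(path: Path) -> Path:
    """Replace the last extension so the file cannot be launched by a double-click."""
    target = path.with_suffix(DEFANGED_SUFFIX)
    if target.exists():
        raise FileExistsError(f"refusing to overwrite {target.name}")
    path.rename(target)
    return target


def defang_directory(directory: Path, original_suffix: str = ".exe") -> list[Path]:
    """Defang every *.exe (by default) in storage; symlinks and other files are left alone."""
    renamed = []
    for entry in sorted(directory.iterdir()):
        if entry.is_file() and not entry.is_symlink() and entry.suffix.lower() == original_suffix:
            renamed.append(defang_file(entry))
    return renamed


def refang_file(path: Path, original_suffix: str = ".exe") -> Path:
    """Restore the real extension; only ever called on a file already in the working dir."""
    if path.suffix != DEFANGED_SUFFIX:
        raise ValueError(f"{path.name} is not a defanged sample")
    target = path.with_suffix(original_suffix)
    path.rename(target)
    return target


def stage_for_test(storage: Path, working: Path, name: str) -> Path:
    """Move one sample from storage into the working directory and restore its extension."""
    src = (storage / name).resolve()
    if storage.resolve() not in src.parents:   # reject names like '..\\other.DoNotRunMalware'
        raise ValueError("sample name escapes the storage directory")
    working.mkdir(parents=True, exist_ok=True)
    moved = Path(shutil.move(str(src), str(working / src.name)))
    return refang_file(moved)


def return_to_storage(working: Path, storage: Path, name: str) -> Path:
    """Defang a sample you are finished with and move it back to storage."""
    defanged = defang_file(working / name)
    return Path(shutil.move(str(defanged), str(storage / defanged.name)))


def demo() -> dict[str, list[str]]:
    """Constructed end-to-end run in a temporary tree; returns the listings at each step."""
    root = Path(tempfile.mkdtemp(prefix="malware_lab_"))
    storage, working = root / "malware_excluded", root / "malware_included"
    storage.mkdir()
    for name in ("malwareSample_1.exe", "dropper.v2.exe", "notes.txt"):
        (storage / name).write_bytes(b"MZ placeholder, not a real PE")   # constructed sample
    defang_directory(storage)
    listing = {"storage_defanged": sorted(p.name for p in storage.iterdir())}
    staged = stage_for_test(storage, working, "malwareSample_1.DoNotRunMalware")
    listing["storage_during_test"] = sorted(p.name for p in storage.iterdir())
    listing["working_during_test"] = sorted(p.name for p in working.iterdir())
    return_to_storage(working, storage, staged.name)
    listing["storage_after"] = sorted(p.name for p in storage.iterdir())
    shutil.rmtree(root)
    return listing


if __name__ == "__main__":
    for step, names in demo().items():
        print(f"{step}: {names}")
```

Run on a real lab box, `stage_for_test` and `return_to_storage` would be the only two entry points you call by hand; the .exe name exists nowhere except inside the working directory, and only while the test is in progress.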