1 Followers
136 Following
75 Posts
Fractional CTO | Technical Strategy | Engineering Leadership | Start-ups | SMEs | B2B | SaaS | Also a cockney, espresso junkie, and mostly harmless :)
Home: Surrey/London (UK)
LinkedIn: https://www.linkedin.com/in/mjbatty/

Tips to stay safe while working with malware samples.

1. Use a different OS on the host machine than in your analysis VM.
--> most malware will not be able to run there

2. Use a different machine for malware analysis (even if analysis happens in VM) than for your other work or private stuff.

3. Make sure the analysis machine is not connected to the company network or your personal network.

4. If you transfer files via USB flash drives, mark malware USB flash drives. E.g. red ones mean they are used to carry samples.

Be aware that those flash drives will become infected by worms.

6. If you transfer malware files via a shared folder, make the folder read-only for the analysis VM.

Be aware that writeable folders will become infected by worms, viruses or encrypted by ransomware.

7. On Windows, use ACLs to prevent execution.

This will not prevent ALL execution: .MSI will still unpack to TEMP and execute just fine.

But it prevents a common mistake: not realizing that the focus is in a different window and pressing Enter on a sample.

8. Apply non-executable extensions on Windows, like .vir or .bin. Preferably not via the Explorer context menu.
ReNamer should work, I personally use a script.

It prevents execution by accidental double-click and prevents exploit execution on PE icon loading.

9. Never execute analysis tools on the host that are not explicitly static.
E.g. De4Dot is not entirely static, depending on the obfuscation.

If you are unsure, use the dynamic analysis environment.

10. When sharing samples with others, do not share them directly. Use encrypted archives with the password "infected".

11. Never post clickable links to potential malware URLs or C2s, even if you think they don't do anything. Don't think about when it might be okay; make it a habit not to do it.

12. Do not use features like clipboard sharing between VM and host. Especially if you did not apply rule 2.
Malware will read your clipboard and send it somewhere.

13. Use a fake network in the analysis VM instead of a real one, unless the real one is absolutely necessary.

This is especially true if you have internal tools, sources or signatures on your dynamic analysis VM. In that case you never want an actual internet connection in the VM because malware might leak such data.

Do not think you will disable it before execution. You will forget.
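An added example, not part of the post above, showing how tips 7 and 8 can be applied together on a Windows analysis machine. The script renames anything that looks executable (by extension or by the "MZ" PE header) to a non-executable .vir suffix using Rename-Item rather than Explorer, and then puts a Deny ExecuteFile entry for Everyone (well-known SID S-1-1-0) on the samples folder, inherited by its files and subfolders. The folder path, the .vir suffix and the extension list are assumptions chosen for the example, not anything from the post.

```powershell
# Added example (not from the original post). Hardens a folder of samples on a Windows
# analysis host so that an accidental double-click or stray Enter does not run them.
# Assumptions: $SampleDir holds raw samples; $SafeExtension is the non-executable suffix.
param(
    [string]$SampleDir = "C:\samples\incoming",
    [string]$SafeExtension = ".vir"
)

# Extensions Windows will run or script-execute on double-click (assumed list, extend as needed).
$Dangerous = @(".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".msi",
               ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk")

function Test-PEHeader {
    param([string]$Path)
    # PE images (EXE/DLL/SCR) start with the two bytes "MZ" (0x4D 0x5A), whatever their extension.
    $bytes = [byte[]]::new(2)
    $fs = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($bytes, 0, 2) } finally { $fs.Dispose() }
    return ($n -eq 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
}

function Rename-Sample {
    param([System.IO.FileInfo]$File)
    $ext = $File.Extension.ToLowerInvariant()
    if ($ext -eq $SafeExtension) { return }   # already neutralised
    if ($Dangerous -contains $ext -or (Test-PEHeader $File.FullName)) {
        # Append rather than replace the extension so the original name is preserved:
        # dropper.exe -> dropper.exe.vir. Contents are untouched, so hashes stay valid.
        $newName = $File.Name + $SafeExtension
        Rename-Item -LiteralPath $File.FullName -NewName $newName
        Write-Host "renamed $($File.Name) -> $newName"
    }
}

function Set-NoExecuteAcl {
    param([string]$Dir)
    $acl = Get-Acl -LiteralPath $Dir
    # Deny ExecuteFile for Everyone (S-1-1-0, locale-independent), inherited by files and subfolders.
    # Read access is left alone so static tools can still open the samples.
    $everyone = [System.Security.Principal.SecurityIdentifier]::new("S-1-1-0")
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Dir -AclObject $acl
}

# Rename first (no Explorer involvement, so no icon/preview handlers touch the files),
# then lock the folder down.
Get-ChildItem -LiteralPath $SampleDir -File -Recurse | ForEach-Object { Rename-Sample -File $_ }
Set-NoExecuteAcl -Dir $SampleDir
```

Two caveats worth keeping in mind. As the post says, the ACL does not stop everything: an .MSI is unpacked by the installer service into TEMP, outside the denied folder. A Deny on ExecuteFile also only blocks direct execution and DLL loading; a script interpreter that is invoked explicitly (for example `powershell.exe -File sample.ps1.vir`) only needs read access and will still run the file, which is exactly why tip 9 says to keep anything not strictly static inside the VM.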

Americans will really do anything to avoid using the metric system.

Here we go again.

This time it's an implant to help people manage cluster headaches. The company that made the devices has collapsed, leaving 700 people with implants and no way to manage them.

There has to be a better way to deal with this.

#disability #righttorepair #dutyofcare

Hat tip to @DrCuriosity for the link

https://www.nature.com/immersive/d41586-022-03810-5/index.html

Abandoned: the human cost of neurotechnology failure

When the makers of electronic implants abandon their projects, people who rely on the devices have everything to lose.

Welcome to the dark side @andyskipper
It's Friday evening, what was I expecting 🤦‍♂️
#chatgpt
Mark Batty on LinkedIn: #petl #strategy #leadership #management #technology #softwareengineering


Wabi-sabi – the beauty of imperfection. I don’t know the exact translation; my understanding of this Japanese concept is “wisdom in simplicity” or “flawed


@MkellyIrving you’re very welcome 👍
@MkellyIrving the best advice I learnt and share for leaders is this: you have two ears and one mouth - use them in proportion!
Maybe I'm getting old 😞 Had the heating on all morning and still feel like I'm inside an igloo 🥶
when your computer executes a JNZ instruction and it Jumps to New Zealand