Ways To Help Protect Your System When Downloading and Viewing Potentially Dangerous Files
Recently I wrote a blog post taking a quick look inside the files from some recent malware stealer logs. I got asked (by @Harisfromcyber on Twitter) about the safety precautions one should take when downloading files like this. I thought it was a great question, and I honestly didn’t think I could do it justice in a Twitter thread, so I promised to write a blog post.
In this post, I’m not going to focus on using VPNs to manage your attribution but on steps to harden your operating system when downloading and reviewing potentially malicious files.
1: Make sure your software is up to date.
This almost seems too obvious to state, but it isn’t. Modern operating systems and web browsers are really good at forcing themselves to update regularly, but what about other software installed on the system? The software you use to play media files, unzip files, etc. can sometimes be outdated.
If you have the file extraction software WinRAR on your computer, when was the last time it was updated? Likely never. Most WinRAR users installed the software soon after setting up their computers and haven’t updated it since. If you’re using a severely outdated version of software like this that contains known vulnerabilities, you run the risk of an attacker taking advantage of those vulnerabilities when you use it to extract a file.
2: Use some form of host-based antivirus software
Some people may not agree with this, and I get it. No anti-virus (AV) software is perfect. But it stops many things, and quality free options are available. This is especially easy on a modern Windows system as Windows Defender is built in and does a good job.
If you would like a second opinion every once in a while, you can use something like the free version of Malwarebytes. I’m specifying the free version because I like its ability to perform on-demand scans, but I don’t want the premium feature of real-time monitoring. As a general rule of thumb, you don’t want two different anti-virus programs providing real-time protection on your computer, as this can lead to performance issues and conflicts where one program detects the other as a threat.
If you’re curious about other AV software options, including options for macOS, there is an unbiased organization that tests and reviews different AV products at https://www.av-test.org/en/
3: Use a Virtual Machine (VM)
A Virtual Machine (VM) is a software-based simulation of a physical computer that operates within a host computer. You can use a virtual machine to isolate the activity from your primary operating system when downloading potentially malicious files. This way, if the logs contain malware or other malicious software, they will not infect your primary operating system.
Multiple free options exist, including VMware Workstation for Windows hosts and VMware Fusion for macOS hosts. You can use a Linux distro like Ubuntu as a virtual machine. Not only does this provide an extra layer of separation from your host operating system, but if the malware is designed to take advantage of Windows software, it may be less likely to execute in Linux.
4: If possible, use a trusted source to download the file
This one sounds funny when we’re talking about downloading things like stolen breach data or malware stealer logs, but downloading such files from a site that’s been around for a while and has a large user base, like RaidForums.com before it went down, can be safer than going to a random sketchy site. If 50 other users have already downloaded the file you’re getting ready to download, and nobody has complained about anything dangerous, it is not a guarantee that the file is safe, but it can help you feel a little bit safer.
5: If reasonable, consider using a site like VirusTotal.com or Hybrid-Analysis.com
VirusTotal is a popular site that lets you upload a file and have it quickly scanned by numerous different AV test engines. The good news is that it’s free; the bad news is that the file you uploaded gets distributed to the AV companies. If that isn’t an issue, it’s a handy resource.
Hybrid-Analysis is similar to VirusTotal, but it opens/executes the file inside a virtual environment powered by CrowdStrike’s Falcon Sandbox. Not only does this give you another opinion on whether a file is malicious or non-malicious, it also shows you screenshots of the file being opened/executed. This can provide the EXTREMELY useful capability to view the contents of a file without having to open the file yourself.
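As an added example (not code from the original post), here is one way to look at a downloaded archive before any extraction tool touches it: hash it so it can be searched on VirusTotal by hash instead of being uploaded, and read the member list to flag entries worth caution. It assumes the download is a ZIP (Python's standard library does not read RAR), and the function names, extension list and ratio cut-off are illustrative choices.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# File types that run when opened on Windows (illustrative list, not exhaustive).
RISKY_EXT = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".ps1", ".hta", ".msi"}

def sha256_of(stream, chunk=1 << 20):
    """Hash a binary stream in chunks so a large archive never sits fully in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def flag_entry(info):
    """Return reasons a ZIP member deserves caution, judged from its metadata only."""
    name, reasons = info.filename.replace("\\", "/"), []
    path = PurePosixPath(name)
    if name.startswith("/") or ".." in path.parts or name[1:2] == ":":
        reasons.append("path escapes extraction folder")
    suffixes = [s.lower() for s in path.suffixes]
    if suffixes and suffixes[-1] in RISKY_EXT:
        reasons.append("executable type")
        if len(suffixes) > 1:
            reasons.append("double extension")
    if info.compress_size and info.file_size / info.compress_size > 100:  # assumed cut-off
        reasons.append("extreme compression ratio")
    return reasons

def triage(stream):
    """Hash the file and, if it is a ZIP, list flagged members without extracting any."""
    stream.seek(0)
    report = {"sha256": sha256_of(stream), "flagged": {}}
    if zipfile.is_zipfile(stream):
        with zipfile.ZipFile(stream) as zf:
            for info in zf.infolist():
                if reasons := flag_entry(info):
                    report["flagged"][info.filename] = reasons
    return report

def build_sample():
    """Constructed sample archive, built in memory; every member is harmless text or zeros."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("logs/passwords.txt", "user:example\n")
        zf.writestr("logs/invoice.pdf.exe", "not a real program\n")
        zf.writestr("../../startup/run.bat", "rem placeholder\n")
        zf.writestr("logs/padding.bin", b"\0" * 2_000_000)
    return buf
```

For a real download, pass `open(path, "rb")` to `triage` inside the VM; an empty `flagged` result only means none of these metadata checks fired, not that the contents are safe.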