Malware Toolkit Test Suite

The toolkit tests whether the target system is exposed to a range of techniques commonly used by malware.

Command Line Access

All tools used in the custom malware test are custom-made and rely on ordinary Windows functionality (not exploits) to access data within the protected network, which makes them harder to detect. However, they are not designed to conceal their malicious behaviour (for example, they post data back to a server as long base64 strings at a fixed interval). This particular tool executes a set of hardcoded commands. The toolkit verifies whether an external program can start a shell and execute commands.

Recent Documents Access

If malware can read the recent documents path, it learns a great deal about which files were recently used and where they are stored. The tool can use cached user credentials to open the most recent documents (either locally or on a shared drive). This tool reads the absolute paths from the recent documents directory and attempts to open each file.

Outlook Access

An external tool can suppress (overwrite) the security warning in Outlook, gaining access to all emails or even sending emails via Exchange on behalf of the compromised user. This tool uses Outlook MAPI to suppress the security prompt and attempts to read the last message in the inbox.

Screenshots

Malware capable of taking screenshots may record on-screen activity, such as passwords entered using an on-screen keyboard. This tool will attempt to take screenshots of the current desktop.

Webcam Access

Malware that can take pictures with the webcam may be used to spy on users or blackmail them. This tool will try to take a picture with the webcam.

Microphone Access

Malware can embed itself into computer systems without detection by traditional antivirus applications and can execute total surveillance, including turning on the camera and microphone, copying data, and recording emails and chat conversations. The toolkit will test whether a third-party application can access and record from an attached or built-in microphone.

Access to the Internet via HTTP

Malware could embed its own custom web browser. The toolkit will verify if malware can connect back to the Internet using its own HTTP class, simulating a portable tool with a built-in custom browser.

Access to the Internet via Internet Explorer

Inside-out attacks attempt to initiate network connections from a trusted (corporate) network to an untrusted (Internet) network. The inside-out attack consists of three steps: delivery (getting the backdoor into the network), execution (executing the backdoor by the user), and output delivery (sending the data out). The toolkit will verify if malware can connect back to the Internet using Internet Explorer via HTTP.

HTTP Access with IE Proxy

Malware could integrate a custom web browser and read proxy details from the registry. The toolkit will verify if malware can connect back to the Internet using its own HTTP class with the current proxy settings.

HTTP Access with IE Proxy with Credentials

Malware could embed its own custom web browser, read proxy details from the registry, and access stored credentials. The toolkit will attempt to access the Internet using the default credentials stored on the system, simulating malware that can bypass security controls like integrated Windows authentication on a corporate proxy.

HTTP Access with Proxy from Firefox Settings

If the company disables Internet Explorer, malware could attempt to access the Internet using Firefox. The toolkit will verify if malware can connect back to the Internet using its own HTTP class with the current proxy settings accessed through a different browser (Firefox).

Access to the Internet via HTTPS

Malware might conceal its activity by using an encrypted connection. The toolkit will verify if malware can connect back to the Internet via HTTPS using its own HTTP class, simulating malware that has a built-in custom web browser.

DNS Tunneling

Using DNS tunneling, malware can reach a remote server even when the web proxy blocks the site. In a DNS tunnel, data is encapsulated in DNS queries and replies, using the domain name lookup system as a bi-directional data channel. The toolkit tests whether the client can resolve an external third-party domain directly.

Protocol Tests

ICMP

ICMP tunneling injects arbitrary data into an echo packet sent to a remote computer, which replies by injecting an answer into another ICMP packet and sending it back. The toolkit will send various ICMP packets with random data and sizes to an external host.

SMTP

SMTP is a common protocol for malware distribution. The toolkit will verify if malware can connect to the Internet directly using a protocol like SMTP.

FTP

FTP is a common protocol used by malware to export collected data. The toolkit will verify if malware can connect to the Internet directly using a protocol like FTP.

SSH

Malware could use SSH to establish an encrypted outbound connection whose content cannot be inspected or logged. The toolkit will verify if malware can connect to the Internet directly using a protocol like SSH.

IRC

Internet Relay Chat (IRC) is an application layer protocol that facilitates communication through text. The toolkit will test the ability to connect to an external IRC server and channel, send a couple of messages, and then disconnect after a short wait.

OS Version

This check is purely informational. In this step, the tool attempts to identify the host operating system.

Local Administrators

If a user has local administrative rights, they can disable the security enhancements that protect them (e.g., Firewall, BitLocker, Antimalware). This check verifies if any users have local admin rights on the PC.

Firewall

If an infected laptop is connected to the network, it may attempt to infect all other devices on the LAN, potentially bypassing the corporate firewall. Local firewalls can also prevent the successful transmission of the virus. The toolkit will verify if the firewall is running and then test whether it can be disabled.

Antivirus

The toolkit will verify if an antivirus product is running and whether it can be disabled.

Virus Download

Simda is a multi-component malware family that includes Trojan, backdoor, password-stealing, downloader, and file-infector variants.

Backdoor:Win32/Simda.A: This variant allows a remote user to connect to an infected machine and perform malicious actions, such as stealing user credentials and capturing screen images. The backdoor component drops a malicious DLL that is injected into Windows processes to gather user information, detected as PWS/Simda.A. The backdoor can exploit vulnerabilities to gain elevated privileges, allowing it to perform actions that would otherwise be restricted, such as Windows process injection. It may also gain admin privileges by brute-forcing the administrator password using a dictionary attack. Once access is gained, it collects user information, logs keystrokes, and takes screenshots. The backdoor connects to its command and control server to report the infection and download a configuration file.

Once connected, a remote attacker can collect the stolen information and execute additional commands. In this check, the toolkit will test if a known dangerous virus called Simda can be downloaded. If the download is successful, the toolkit will check if the downloaded file can be placed in the "Documents" folder.

Hosts File

The toolkit will verify if write access to the hosts file is granted.

Add New User

A local account is specific to your computer and not integrated with any of Microsoft's online services, similar to accounts used in previous Windows versions. If malware can create users, it might "backdoor" the system and bypass other security mechanisms in place. The toolkit will attempt to add local users.

Patch Level

If a patch is missing and an exploit exists, the system can be easily compromised. The toolkit will examine the patch level, comparing it with current exploits. The toolkit will specifically look for privilege escalation exploits and their respective KB patch numbers, such as KiTrap0D (KB979682), MS11-011 (KB2393802), MS10-059 (KB982799), MS10-021 (KB979683), and MS11-080 (KB2592799).
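An added example, not part of the toolkit, of how an administrator can check the same KB numbers listed above with Get-HotFix. It assumes nothing beyond a Windows host; the caveats in the comments matter for interpreting the result.

```powershell
# Added example (not the toolkit's code): report which of the KB patches named in the
# text are absent from this host's hotfix store.
# Caveats: Get-HotFix only lists updates recorded by Component Based Servicing, so a
# KB that was superseded by a later cumulative update will not appear even though the
# fix is present; and these bulletins target Windows XP/2003/Vista/7-era systems, so a
# "missing" result is only meaningful on the OS versions they were released for.
$RequiredPatches = @{
    'KB979682'  = 'KiTrap0D'
    'KB2393802' = 'MS11-011'
    'KB982799'  = 'MS10-059'
    'KB979683'  = 'MS10-021'
    'KB2592799' = 'MS11-080'
}

function Get-PrivEscPatchState {
    param([hashtable]$Required = $RequiredPatches)
    # HotFixID values look like 'KB2592799'; normalise case before comparing.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID.ToUpper() })
    foreach ($kb in $Required.Keys) {
        [pscustomobject]@{
            KB        = $kb
            Bulletin  = $Required[$kb]
            Installed = ($installed -contains $kb.ToUpper())
        }
    }
}

$report  = @(Get-PrivEscPatchState)
$report | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} of {1} patches not found in the hotfix store: {2}" -f `
        $missing.Count, $report.Count, (($missing | ForEach-Object { $_.KB }) -join ', '))
}
```

Treat a "missing" entry as a lead to confirm against the OS build and update history, not as proof that the privilege escalation is exploitable.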

Passwords in Configuration Files

In environments requiring the installation of many machines, technicians typically do not visit each machine individually. Various solutions enable automatic installations, and these methods often leave behind configuration files used in the installation process. These files can contain sensitive information, such as the operating system product key and administrator password.

Passwords in Policies

GPO preference files can create local users on domain machines. When a compromised box is joined to a domain, it is worthwhile to search for the Groups.xml file stored in SYSVOL, which any authenticated user can read. The password in this XML file is "obscured" from casual users by AES encryption. However, it is only obscured, because the static key is published on the MSDN website, allowing for easy decryption.
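An added example, not part of the toolkit, for auditing the exposure described above from the defender's side: it locates Group Policy Preference files in SYSVOL that still carry a cpassword attribute and reports the file and account name, never the value. It assumes a domain-joined host with the USERDNSDOMAIN environment variable set.

```powershell
# Added example (not the toolkit's code): find GPP XML files in SYSVOL that still store a
# cpassword. The goal is to remove those entries and rotate the affected accounts, so the
# script deliberately reports only the file and the account name.
function Find-GppCpassword {
    param(
        # Assumption: domain-joined machine; USERDNSDOMAIN holds the DNS domain name.
        [string]$Domain = $env:USERDNSDOMAIN
    )
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    # Groups.xml is the common case, but other preference types can carry cpassword too.
    $names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
    $files = Get-ChildItem -Path $policies -Recurse -Include $names -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        try { [xml]$xml = Get-Content -Path $f.FullName -Raw -ErrorAction Stop } catch { continue }
        # Any Properties element with a cpassword attribute is a stored credential.
        foreach ($node in $xml.SelectNodes('//Properties[@cpassword]')) {
            if ([string]::IsNullOrEmpty($node.cpassword)) { continue }
            # The account attribute name differs per preference type.
            $account = @($node.userName, $node.accountName, $node.runAs) |
                Where-Object { $_ } | Select-Object -First 1
            [pscustomobject]@{
                File    = $f.FullName
                Account = $account
            }
        }
    }
}

Find-GppCpassword | Format-Table -AutoSize
```

Any hit should be removed from the policy and the named account's password rotated, since every authenticated domain user has been able to read the file.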

AlwaysInstallElevated

The toolkit will check for the registry setting AlwaysInstallElevated. It is a Group Policy setting for Windows Installer that runs any Windows Installer package (.msi file) launched by a user under the Local System account, so that users can install the applications they need without being granted administrative rights. If enabled, it allows users of any privilege level to install .msi files as NT AUTHORITY\SYSTEM.
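An added example, not part of the toolkit, of the registry check behind this test. The setting is only effective when the value is 1 under both the machine and the user policy key; a single key set to 1 is a misconfiguration worth correcting but is not exploitable on its own.

```powershell
# Added example (not the toolkit's code): read AlwaysInstallElevated from both policy
# hives and report whether the policy is actually in effect.
function Get-AlwaysInstallElevatedState {
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    foreach ($k in $keys) {
        # A missing key or value means the policy is not configured (treated as 0).
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{
            Key     = $k
            Value   = $v
            Enabled = ($v -eq 1)
        }
    }
}

$state = @(Get-AlwaysInstallElevatedState)
$state | Format-Table -AutoSize
# Both HKLM and HKCU must be 1 for Windows Installer to honour the policy.
$effective = (@($state | Where-Object { $_.Enabled }).Count -eq 2)
if ($effective) {
    Write-Warning 'AlwaysInstallElevated is in effect: any user can install an .msi as SYSTEM.'
} else {
    Write-Output 'AlwaysInstallElevated is not in effect.'
}
```

Remediation is to set the value to 0 (or remove it) through Group Policy under both Computer Configuration and User Configuration, then re-run the check.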

Write Access

The toolkit will verify if malware has write access to important system files.

Autostart

The toolkit will verify our ability to place an executable in the autostart folder.

Autorun

AutoRun is a Windows feature that automatically executes files when a USB drive is plugged into a Windows machine. Malware often uses AutoRun to get itself executed as soon as a USB drive is inserted. Microsoft has largely disabled AutoRun for most media types, yet some applications (for example, a disk image mounted in Windows Explorer) may still execute AutoRun files. The toolkit will verify if AutoRun can execute files from a USB stick.

Mounted Shares

When computers connect via a network, malware writers gain a transport mechanism that can surpass the capabilities of removable media to spread malicious code. The toolkit will attempt to access known shares to test their access security and, in a second step, scan the same network range as the host to check for anonymous user access to shares.

Domain Shares

Similar to mounted shares, attacks can replicate across computer systems using various methods. The toolkit will attempt to access known shares to test their access security and then scan the same network range as the host to check for anonymous user access to shares.

Port Scan

After infecting a host, malware will scan neighboring IP addresses to find new targets. Malware writers do not rely on standard commands, as monitoring and restricting these might lead to containment. Instead, they evaluate the next host by scanning all IP addresses in the host's address space. The toolkit will scan a small selection of hosts in the same network for common ports.

Firewall Block

Malware may try to connect back to the attacker on random, unknown ports. The toolkit will test if an outbound TCP connection on a very high port is possible. Such connections are usually suspicious and should be dropped.

Direct DNS Access

The toolkit will verify whether malware can perform a DNS tunneling attack by resolving a third-party domain from the client. If the server resolves to an IP address, it indicates that the client can make DNS queries to external domains using internal DNS forwarders. For a real-world test of DNS tunneling traffic, please use the "DNS Tunneling Test."

Suspicious Communication

The toolkit will check if your SIEM detects suspicious GET requests to malware-related sites. It will parse a current list of malware-related websites, such as https://www.malwaredomainlist.com, and then attempt to make simple GET requests to selected sites to see if connections to these malicious sites are allowed or blocked.
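An added example, not part of the toolkit, of the detection logic a SIEM should apply to this test: match the host of each proxied GET request against a domain blocklist and flag whether the request was allowed. Both the log lines and the blocklist are constructed sample data; in production the list would come from a feed such as the one mentioned above.

```powershell
# Added example (not the toolkit's code): blocklist matching over proxy log lines.
$Blocklist = @('bad.example', 'evil-downloads.example')   # constructed sample domains

# Constructed sample proxy lines: <time> <client> <method> <url> <status>
$ProxyLog = @'
2024-01-01T10:00:01Z 10.0.0.5 GET http://www.bad.example/payload.bin 200
2024-01-01T10:00:02Z 10.0.0.5 GET http://intranet.corp.local/home 200
2024-01-01T10:00:03Z 10.0.0.9 GET http://evil-downloads.example:8080/x 403
2024-01-01T10:00:04Z 10.0.0.9 GET http://notbad.example/ 200
'@ -split "`n"

function Test-BlocklistedHost {
    param([string]$HostName, [string[]]$List)
    # Match the domain itself or any subdomain; 'notbad.example' must not match 'bad.example'.
    foreach ($d in $List) {
        if ($HostName -eq $d -or $HostName.EndsWith(".$d")) { return $d }
    }
    return $null
}

function Find-SuspiciousRequests {
    param([string[]]$Lines, [string[]]$List)
    foreach ($line in $Lines) {
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -lt 5 -or $parts[2] -ne 'GET') { continue }
        $uri = [uri]$parts[3]                     # [uri] strips port and path from the host
        $hit = Test-BlocklistedHost -HostName $uri.Host -List $List
        if ($hit) {
            [pscustomobject]@{
                Time    = $parts[0]
                Client  = $parts[1]
                Url     = $parts[3]
                Status  = $parts[4]
                Matched = $hit
                # A 2xx status means the proxy let the request through: the real finding.
                Allowed = ($parts[4] -like '2*')
            }
        }
    }
}

Find-SuspiciousRequests -Lines $ProxyLog -List $Blocklist | Format-Table -AutoSize
```

On the sample data the first and third lines match; only the first is reported as allowed, which is the case the test is meant to surface.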

File Operations on Share

The toolkit will test, on a mounted share (if one is detected), whether several hundred read/write operations can be performed from the same source within a short time window.
